Thread

Commits

  1. Doc: fix ancient mistake in search_path documentation.

  2. Create a new GUC variable search_path to control the namespace search

  1. "$user" and SESSION_USER and CURRENT_USER

    antonov@stdpr.ru — 2018-12-20T15:38:26Z

    hi,
    
    sorry for my message. I'm tiny confused about the next one. could you 
    help me?:
    
    here -- https://www.postgresql.org/docs/11/runtime-config-client.html
    
    there is the text """If one of the list items is the special name $user, 
    then the schema having the name returned by SESSION_USER is substituted, 
    if there is such a schema and the user has USAGE permission for it. (If 
    not, $user is ignored.)""".
    
    but actualy "$user" substitutes CURRENT_USER-value (not 
    SESSION_USER-value).
    
    it's good because it would be a SECURITY VULNERABILITY if "$user" 
    substituted SESSION_USER-value (in conjunction with security definer 
    functions).
    
    in case of CURRENT_USER-value we have no the vulnerable. which is good 
    :-)
    
    but is there error in documentation text (runtime-config-client.html) , 
    isn't?
    
    thank you in advance.
    
    
    
  2. Re: "$user" and SESSION_USER and CURRENT_USER

    Tom Lane <tgl@sss.pgh.pa.us> — 2018-12-20T18:42:32Z

    antonov@stdpr.ru writes:
    > here -- https://www.postgresql.org/docs/11/runtime-config-client.html
    
    > there is the text """If one of the list items is the special name $user, 
    > then the schema having the name returned by SESSION_USER is substituted, 
    > if there is such a schema and the user has USAGE permission for it. (If 
    > not, $user is ignored.)""".
    
    > but actualy "$user" substitutes CURRENT_USER-value (not 
    > SESSION_USER-value).
    
    Huh.  Digging in the commit history, SESSION_USER was the original
    implementation (commit 838fe25a9 of 2002-04-01) but it was changed later
    that month (ccfaf9067 of 2002-04-29) when we added schema permissions
    checks.  Evidently I forgot to update the docs to match :-(
    
    Will fix, thanks for noticing!
    
    			regards, tom lane