Re: Should we get rid of custom_variable_classes altogether?
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Andrew Dunstan <andrew@dunslane.net>
Cc: Magnus Hagander <magnus@hagander.net>, pgsql-hackers@postgresql.org
Date: 2011-10-03T14:41:48Z
Lists: pgsql-hackers
Andrew Dunstan <andrew@dunslane.net> writes: > On 10/03/2011 10:17 AM, Tom Lane wrote: >> Right. Getting rid of custom_variable_classes should actually make >> those use-cases easier, since it will eliminate a required setup step. > So are we going to sanction using this as a poor man's session variable > mechanism? People already are doing that, sanctioned or not. > If so maybe we should at least warn that anything set will be accessible > by all roles, so security definer functions for example should be wary > of trusting such values. Since it's not documented anywhere, I'm not sure where we'd put such a warning. I think anyone bright enough to think of such a hack should be able to see the potential downsides, anyway. regards, tom lane