Re: Should we get rid of custom_variable_classes altogether?

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Andrew Dunstan <andrew@dunslane.net>
Cc: Magnus Hagander <magnus@hagander.net>, pgsql-hackers@postgresql.org
Date: 2011-10-03T14:41:48Z
Lists: pgsql-hackers
Andrew Dunstan <andrew@dunslane.net> writes:
> On 10/03/2011 10:17 AM, Tom Lane wrote:
>> Right.  Getting rid of custom_variable_classes should actually make
>> those use-cases easier, since it will eliminate a required setup step.

> So are we going to sanction using this as a poor man's session variable 
> mechanism?

People already are doing that, sanctioned or not.

> If so maybe we should at least warn that anything set will be accessible 
> by all roles, so security definer functions for example should be wary 
> of trusting such values.

Since it's not documented anywhere, I'm not sure where we'd put such
a warning.  I think anyone bright enough to think of such a hack should
be able to see the potential downsides, anyway.

			regards, tom lane