Re: pl/pgsql enabled by default

Josh Berkus <josh@agliodbs.com>

From: Josh Berkus <josh@agliodbs.com>
To: Mike Mascari <mascarm@mascari.com>
Cc: pgsql-hackers@postgresql.org
Date: 2005-05-08T18:03:36Z
Lists: pgsql-hackers
Mike,

> I think most people coming from any other enterprise-class RDBMS
> environment will be surprised that they cannot use VIEWs to provide
> user-specific views on data. I could be wrong, but I'd put money on it...

Well, I'd say that giving regular users the "create" permission on your 
database/schema is unwise, period.   I don't, even when the only user is 
"phpuser".  SQL injections attacks are no fun.

Also, as Andrew points out, this can't be used to circumvent view-based 
security if you've set it up correctly; if the user can't "select * from 
table", then he can't write a function to "select * from table."  

-- 
Josh Berkus
Aglio Database Solutions
San Francisco