Re: leaky views, yet again
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Robert Haas <robertmhaas@gmail.com>
Cc: KaiGai Kohei <kaigai@kaigai.gr.jp>, KaiGai Kohei <kaigai@ak.jp.nec.com>, Itagaki Takahiro <itagaki.takahiro@gmail.com>, Heikki Linnakangas <heikki.linnakangas@enterprisedb.com>, pgsql-hackers@postgresql.org
Date: 2010-10-05T16:27:12Z
Lists: pgsql-hackers
Robert Haas <robertmhaas@gmail.com> writes: > On Tue, Oct 5, 2010 at 10:56 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote: >> Personally I think this is a dead end that we shouldn't be wasting >> any more time on. > But you haven't proposed a reasonable alternative. Tom: "This problem is insoluble." Robert: "You can't claim that without offering a solution." Sorry ... > Option #1: Remove all mention from the documentation of using views > for security purposes. Don't allow views to have explicit permissions > attached to them; they are merely shorthand for a SELECT, for which > you either do or do not have privileges. The SQL standard requires us to attach permissions to views. The standard makes no claims whatsoever about how leak-proof views should be; it only says that you can't call a view without the appropriate permissions. I do think it's reasonable for the docs to point out that views that do row-filtering should not be presumed to be absolutely bulletproof. That doesn't make permissions on them useless, so you're attacking a straw man. regards, tom lane