Thread

  1. Re: Question: CREATE EXTENSION and create schema permission?

    Kohei KaiGai <kaigai@kaigai.gr.jp> — 2011-08-22T09:14:45Z

    The attached patch adds a permission check for the scenario that I
    explained below.
    
    Unlike CreateSchemaCommand(), we don't have check_is_member_of_role() here
    because the extowner is obviously the same as the current user in this code path.
    
    I hope this patch will also be back-ported to the v9.1 tree, not only v9.2
    development.
    
    Thanks,
    
    2011/8/21 Dimitri Fontaine <dimitri@2ndquadrant.fr>:
    > Kohei KaiGai <kaigai@kaigai.gr.jp> writes:
    >> The current implementation sets the current user as owner of the new schema.
    >> The default permission check of schema allows the owner to create several kinds
    >> of underlying objects.
    >>
    >> As a result, we may consider a scenario in which a user without permissions to
    >> create new objects possibly gets a schema created by CREATE EXTENSION
    >> that allows him to create new objects (such as table, function, ...).
    >>
    >> I don't think it is a desirable behavior. :-(
    >
    > Agreed,
    > --
    > Dimitri Fontaine
    > http://2ndQuadrant.fr     PostgreSQL : Expertise, Formation et Support
    >
    -- 
    KaiGai Kohei <kaigai@kaigai.gr.jp>
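
The scenario discussed in this thread, turned into an audit query (an added example, not part of the original messages or the attached patch): it lists schemas that hold an extension while their owner lacks CREATE on the current database. It assumes PostgreSQL 9.1 or later, where the pg_extension catalog exists, and has to be run in each database separately.

```sql
-- Added example: find extension schemas whose owner could not have
-- created them with a plain CREATE SCHEMA in this database.
SELECT n.nspname                        AS schema_name,
       pg_get_userbyid(n.nspowner)      AS schema_owner,
       e.extname                        AS extension_name,
       pg_get_userbyid(e.extowner)      AS extension_owner,
       -- Owners normally keep CREATE on their own schema; this column
       -- shows whether that is still the case for the flagged role.
       has_schema_privilege(n.nspowner, n.oid, 'CREATE')
                                        AS owner_can_create_in_schema
FROM pg_namespace AS n
JOIN pg_extension AS e
  ON e.extnamespace = n.oid
-- CREATE SCHEMA requires CREATE on the database; superusers always pass
-- this check, so schemas owned by them are filtered out here.
WHERE NOT has_database_privilege(n.nspowner,
                                 current_database()::text,
                                 'CREATE')
ORDER BY n.nspname, e.extname;
```

A row is a lead rather than proof: the same result appears when a schema's owner was changed later or the role's database privilege was revoked after the schema was created.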