Re: Question: CREATE EXTENSION and create schema permission?
Kohei KaiGai <kaigai@kaigai.gr.jp> — 2011-08-22T09:14:45Z
The attached patch adds a permission check for the scenario that I explained below.
Unlike CreateSchemaCommand(), we don't have check_is_member_of_role() here
because the extowner is obviously the same as the current user in this code path.

I hope this patch will also be back-ported to the v9.1 tree, not only v9.2 development.

Thanks,

2011/8/21 Dimitri Fontaine <dimitri@2ndquadrant.fr>:
> Kohei KaiGai <kaigai@kaigai.gr.jp> writes:
>> The current implementation sets the current user as owner of the new schema.
>> The default permission check of schema allows the owner to create several kinds
>> of underlying objects.
>>
>> As a result, we may consider a scenario in which a user without permissions to
>> create new objects possibly gets a schema created by CREATE EXTENSION
>> that allows him to create new objects (such as table, function, ...).
>>
>> I don't think it is a desirable behavior. :-(
>
> Agreed,
> --
> Dimitri Fontaine
> http://2ndQuadrant.fr     PostgreSQL : Expertise, Training and Support
>
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
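
An audit query for the condition discussed in this message, added here as an example; it is not part of the thread or of the attached patch. It assumes it is run once in each database to be checked and uses only the standard system catalogs and privilege functions.

```sql
-- Added example: find extensions whose schema is owned by a role that
-- is not a superuser and does not hold CREATE on the current database.
-- Such an owner can create objects inside that schema even though the
-- database-level CREATE privilege would not have let the role create
-- a schema directly.
SELECT e.extname                                     AS extension,
       n.nspname                                     AS extension_schema,
       o.rolname                                     AS schema_owner,
       has_schema_privilege(o.oid, n.oid, 'CREATE')  AS owner_can_create_in_schema,
       n.nspacl                                      AS schema_acl
FROM   pg_catalog.pg_extension e
JOIN   pg_catalog.pg_namespace n ON n.oid = e.extnamespace
JOIN   pg_catalog.pg_roles     o ON o.oid = n.nspowner
WHERE  NOT o.rolsuper
  AND  NOT has_database_privilege(o.oid, current_database()::text, 'CREATE')
ORDER  BY e.extname;

-- Caveat: a row is also returned when the schema was created legitimately
-- and the owner's CREATE privilege on the database was revoked afterwards,
-- so each hit needs a look at how the schema came to exist.
```

An empty result means no extension schema in this database is owned by a role lacking database-level CREATE.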