Re: DEFINER / INVOKER conundrum
Wolfgang Walther <walther@technowledgy.de>
From: walther@technowledgy.de
To: Erik Wienhold <ewie@ewie.name>, Dominique Devienne <ddevienne@gmail.com>,
pgsql-general@lists.postgresql.org
Date: 2023-04-04T05:55:25Z
Lists: pgsql-general
Erik Wienhold: > A single DEFINER function works if you capture current_user with a parameter > and default value. Let's call it claimed_role. Use pg_has_role[0] to check > that session_user has the privilege for claimed_role (in case the function is > called with an explicit value), otherwise raise an exception. > > Connect as postgres: > > CREATE FUNCTION f(claimed_role text default current_user) > RETURNS TABLE (claimed_role text, curr_user text, sess_user text) > SECURITY DEFINER > LANGUAGE sql > $$ SELECT claimed_role, current_user, session_user $$; For me, checking whether session_user has the privilege for claimed_role is not enough, so I add a DOMAIN to the mix: CREATE DOMAIN current_user_only AS NAME CHECK (VALUE = CURRENT_USER); CREATE FUNCTION f(calling_user current_user_only DEFAULT CURRENT_USER) ... SECURITY DEFINER; This works, because the domain check is evaluated in the calling context. Best, Wolfgang