Re: DEFINER / INVOKER conundrum

Wolfgang Walther <walther@technowledgy.de>

From: walther@technowledgy.de
To: Erik Wienhold <ewie@ewie.name>, Dominique Devienne <ddevienne@gmail.com>, pgsql-general@lists.postgresql.org
Date: 2023-04-04T05:55:25Z
Lists: pgsql-general
Erik Wienhold:
> A single DEFINER function works if you capture current_user with a parameter
> and default value.  Let's call it claimed_role.  Use pg_has_role[0] to check
> that session_user has the privilege for claimed_role (in case the function is
> called with an explicit value), otherwise raise an exception.
> 
> Connect as postgres:
> 
> 	CREATE FUNCTION f(claimed_role text default current_user)
> 	  RETURNS TABLE (claimed_role text, curr_user text, sess_user text)
> 	  SECURITY DEFINER
> 	  LANGUAGE sql
> 	  $$ SELECT claimed_role, current_user, session_user $$;

For me, checking whether session_user has the privilege for claimed_role 
is not enough, so I add a DOMAIN to the mix:

CREATE DOMAIN current_user_only AS NAME CHECK (VALUE = CURRENT_USER);

CREATE FUNCTION f(calling_user current_user_only DEFAULT CURRENT_USER)
...
SECURITY DEFINER;

This works, because the domain check is evaluated in the calling context.

Best,

Wolfgang