current_user inside SECURITY DEFINER function?

Started by Richard Haywardalmost 21 years ago7 messagesgeneral

Richard Hayward

richard@tortoise.demon.co.uk

almost 21 years ago

Is there any way to get the name of the current user inside a PL/pgSQL
function that is defined with security definer?

current_user gives the name of the user who created the function.

The reason I want this is that I intend to use functions to maintain
security, like this:

userA has only select permission on myTable.

The only way userA can insert to myTable is by providing parameters
for and executing myFunction.

myFunction was created by user postgres who does have insert
permission on myTable. However the code inside myFunction needs to do
different things, depending on who called it.

Is there any way of getting the user?

regards
Richard

sszabo@megazone23.bigpanda.com

almost 21 years ago

In reply to: Richard Hayward (#1)

Re: current_user inside SECURITY DEFINER function?

On Tue, 5 Jul 2005, Richard Hayward wrote:

Is there any way to get the name of the current user inside a PL/pgSQL
function that is defined with security definer?

IIRC, SESSION_USER should give the original user.

awitney@sgul.ac.uk

almost 21 years ago

In reply to: Richard Hayward (#1)

Re: current_user inside SECURITY DEFINER function?

I think you want to use session_user instead

Adam

Is there any way to get the name of the current user inside a PL/pgSQL
function that is defined with security definer?

current_user gives the name of the user who created the function.

The reason I want this is that I intend to use functions to maintain
security, like this:

userA has only select permission on myTable.

The only way userA can insert to myTable is by providing parameters
for and executing myFunction.

myFunction was created by user postgres who does have insert
permission on myTable. However the code inside myFunction needs to do
different things, depending on who called it.

Is there any way of getting the user?

regards
Richard

---------------------------(end of broadcast)---------------------------
TIP 1: subscribe and unsubscribe commands go to majordomo@postgresql.org

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

sfrost@snowman.net

almost 21 years ago

In reply to: Richard Hayward (#1)

Re: current_user inside SECURITY DEFINER function?

* Richard Hayward (richard@tortoise.demon.co.uk) wrote:

Is there any way of getting the user?

You might try session_user. 8.1 will hopefully clean this up some.

Thanks,

Stephen

Peter Eisentraut

peter_e@gmx.net

almost 21 years ago

In reply to: Stephen Frost (#4)

Re: current_user inside SECURITY DEFINER function?

Stephen Frost wrote:

* Richard Hayward (richard@tortoise.demon.co.uk) wrote:

Is there any way of getting the user?

You might try session_user. 8.1 will hopefully clean this up some.

Why would it? This is SQL standard behavior that should not be changed.

--
Peter Eisentraut
http://developer.postgresql.org/~petere/

Richard Hayward

richard@tortoise.demon.co.uk

almost 21 years ago

In reply to: Richard Hayward (#1)

Re: current_user inside SECURITY DEFINER function?

On Wed, 6 Jul 2005 06:33:58 -0700 (PDT), sszabo@megazone.bigpanda.com
(Stephan Szabo) wrote:

SESSION_USER should give the original user.

Thanks all, that does what I want.

regards
Richard

sfrost@snowman.net

almost 21 years ago

In reply to: Peter Eisentraut (#5)

Re: current_user inside SECURITY DEFINER function?

* Peter Eisentraut (peter_e@gmx.net) wrote:

Stephen Frost wrote:

* Richard Hayward (richard@tortoise.demon.co.uk) wrote:

Is there any way of getting the user?

You might try session_user. 8.1 will hopefully clean this up some.

Why would it? This is SQL standard behavior that should not be changed.

It'll match the SQL spec, I'm not sure it does now, that was more of my
point than anything else. :)

Stephen