Read only column ?
Is there a way to set a column to be read only?
I have a table with several columns with values that are determined by triggers. I want users to be able to view, but never edit them.
Thanks
"Gauthier, Dave" <dave.gauthier@intel.com> writes:
Is there a way to set a column to be read only?
As of 8.4 you could revoke insert/update permissions column-by-column ...
I have a table with several columns with values that are determined by triggers. I want users to be able to view, but never edit them.
... although, if you have triggers forcibly setting the columns, it
hardly matters what the users try to put into them, no?
regards, tom lane
.. although, if you have triggers forcibly setting the columns, it
hardly matters what the users try to put into them, no?
Ummmm..... Wellll.... I guess you have a point there :-)
Still, it would be nicer for the DB to tell them "DON'T TOUCH THAT" as opposed to a trigger silently overriding whatever they may have thought they changed.
-----Original Message-----
From: Tom Lane [mailto:tgl@sss.pgh.pa.us]
Sent: Saturday, January 16, 2010 9:00 PM
To: Gauthier, Dave
Cc: pgsql-general@postgresql.org
Subject: Re: [GENERAL] Read only column ?
"Gauthier, Dave" <dave.gauthier@intel.com> writes:
Is there a way to set a column to be read only?
As of 8.4 you could revoke insert/update permissions column-by-column ...
I have a table with several columns with values that are determined by triggers. I want users to be able to view, but never edit them.
... although, if you have triggers forcibly setting the columns, it
hardly matters what the users try to put into them, no?
regards, tom lane
"Gauthier, Dave" <dave.gauthier@intel.com> writes:
.. although, if you have triggers forcibly setting the columns, it
hardly matters what the users try to put into them, no?
Ummmm..... Wellll.... I guess you have a point there :-)
Still, it would be nicer for the DB to tell them "DON'T TOUCH THAT" as opposed to a trigger silently overriding whatever they may have thought they changed.
Well, you could have the triggers throw errors instead of being silent
about it.
regards, tom lane
Tom Lane wrote:
Well, you could have the triggers throw errors instead of being silent
about it.
otoh, do you really want trigger code checking for permissions? ugh.
Triggers,throw errors? I didn't know they could do that. Other than via "raise notice", how is this done? Could I capture such an error programatically (e.g. in perl/DBI)?
-----Original Message-----
From: Tom Lane [mailto:tgl@sss.pgh.pa.us]
Sent: Saturday, January 16, 2010 9:12 PM
To: Gauthier, Dave
Cc: pgsql-general@postgresql.org
Subject: Re: [GENERAL] Read only column ?
"Gauthier, Dave" <dave.gauthier@intel.com> writes:
.. although, if you have triggers forcibly setting the columns, it
hardly matters what the users try to put into them, no?
Ummmm..... Wellll.... I guess you have a point there :-)
Still, it would be nicer for the DB to tell them "DON'T TOUCH THAT" as opposed to a trigger silently overriding whatever they may have thought they changed.
Well, you could have the triggers throw errors instead of being silent
about it.
regards, tom lane
otoh, do you really want trigger code checking for permissions? ugh.
Not really. I'd rather this be cought before it made it that far.
I'll have to read the 8.4 release notes !
-----Original Message-----
From: John R Pierce [mailto:pierce@hogranch.com]
Sent: Saturday, January 16, 2010 9:18 PM
To: Tom Lane
Cc: Gauthier, Dave; pgsql-general@postgresql.org
Subject: Re: [GENERAL] Read only column ?
Tom Lane wrote:
Well, you could have the triggers throw errors instead of being silent
about it.
otoh, do you really want trigger code checking for permissions? ugh.
"Gauthier, Dave" <dave.gauthier@intel.com> writes:
Triggers,throw errors? I didn't know they could do that. Other than via "raise notice", how is this done? Could I capture such an error programatically (e.g. in perl/DBI)?
RAISE can do more than just notices ...
regards, tom lane
On 17/01/2010 10:18 AM, John R Pierce wrote:
Tom Lane wrote:
Well, you could have the triggers throw errors instead of being silent
about it.otoh, do you really want trigger code checking for permissions? ugh.
Before column permissions, it was all you could do :-(
I'm LOVING col permissions, especially now that I've got Hibernate
playing properly with them. So much ugly, error-prone trigger code is
gone. Having to test IS DISTINCT FROM or IS NOT NULL and RAISE NOTICE
handling all the different cases of insert/update/delete wasn't pretty.
One thing, though: Tom said that you can just revoke col permissions
from the cols of interest. I suspect that how it was worded could be
confusing to a reader not familiar with how the permissions work. You can't:
GRANT SELECT, INSERT, UPDATE, DELETE ON sometable TO user;
REVOKE SELECT, INSERT, UPDATE (protectedcol) ON sometable FROM user;
since there's no column-level GRANT to REVOKE. Column-level REVOKE can't
convert a table-level GRANT to a selective column-level GRANT. Instead,
you must GRANT access to the list of columns the user *should* be
allowed to modify.
GRANT DELETE ON sometable TO user;
GRANT SELECT, INSERT, UPDATE (col1, col2, col3) ON sometable TO user;
The manual goes into this a bit.
--
Craig Ringer