"$user" and SESSION_USER and CURRENT_USER

Started by Noname over 7 years ago | 2 messages | docs
#1 Noname
antonov@stdpr.ru

hi,

sorry for my message. I'm a tiny bit confused about the following. could you
help me?

here -- https://www.postgresql.org/docs/11/runtime-config-client.html

there is the text """If one of the list items is the special name $user,
then the schema having the name returned by SESSION_USER is substituted,
if there is such a schema and the user has USAGE permission for it. (If
not, $user is ignored.)""".

but actually "$user" substitutes CURRENT_USER-value (not
SESSION_USER-value).

it's good because it would be a SECURITY VULNERABILITY if "$user"
substituted SESSION_USER-value (in conjunction with security definer
functions).

in the case of CURRENT_USER-value we do not have the vulnerability. which is good
:-)

but there is an error in the documentation text (runtime-config-client.html),
isn't there?

thank you in advance.

#2 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Noname (#1)
Re: "$user" and SESSION_USER and CURRENT_USER

antonov@stdpr.ru writes:

> here -- https://www.postgresql.org/docs/11/runtime-config-client.html
>
> there is the text """If one of the list items is the special name $user,
> then the schema having the name returned by SESSION_USER is substituted,
> if there is such a schema and the user has USAGE permission for it. (If
> not, $user is ignored.)""".
>
> but actually "$user" substitutes CURRENT_USER-value (not
> SESSION_USER-value).

Huh. Digging in the commit history, SESSION_USER was the original
implementation (commit 838fe25a9 of 2002-04-01) but it was changed later
that month (ccfaf9067 of 2002-04-29) when we added schema permissions
checks. Evidently I forgot to update the docs to match :-(

Will fix, thanks for noticing!

regards, tom lane
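
The behaviour discussed in this thread can be checked in a scratch database with the script below. It is an added example, not part of either message; the role, schema and function names (alice, definer_owner, whoami) are constructed for illustration, and it assumes it is run by a superuser.

```sql
-- Constructed roles, each with a schema of the same name.
CREATE ROLE alice;
CREATE ROLE definer_owner;
CREATE SCHEMA alice AUTHORIZATION alice;
CREATE SCHEMA definer_owner AUTHORIZATION definer_owner;

-- A SECURITY DEFINER function: while it runs, CURRENT_USER is the
-- function owner, but SESSION_USER is still the caller.
-- current_schemas(false) returns the effective search path after
-- "$user" substitution and USAGE checks.
CREATE FUNCTION public.whoami()
RETURNS TABLE (session_u name, current_u name, schemas name[])
LANGUAGE sql
SECURITY DEFINER
AS $$
    SELECT session_user, current_user, current_schemas(false)
$$;
ALTER FUNCTION public.whoami() OWNER TO definer_owner;

-- Session-level search_path that relies on the special "$user" entry.
SET search_path = "$user", public;

-- Become the unprivileged caller.
SET SESSION AUTHORIZATION alice;

-- Outside the function: SESSION_USER and CURRENT_USER are the same role,
-- so this query alone cannot tell which one "$user" follows.
SELECT session_user AS session_u,
       current_user AS current_u,
       current_schemas(false) AS schemas;

-- Inside the function the two differ. Compare the first element of
-- "schemas" with session_u and current_u to see which one "$user" tracks.
SELECT * FROM public.whoami();

-- Clean up the constructed objects.
RESET SESSION AUTHORIZATION;
RESET search_path;
DROP FUNCTION public.whoami();
DROP SCHEMA alice;
DROP SCHEMA definer_owner;
DROP ROLE alice;
DROP ROLE definer_owner;
```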