From: Tom Lane
To: Achilleas Mantzios - cloud
cc: "pgsql-general@lists.postgresql.org"
Subject: Re: Strange permission effect depending on DEFERRABILITY
Date: Mon, 09 Sep 2024 10:21:40 -0400

Achilleas Mantzios - cloud writes:
> As you noticed the last trigger is a CONSTRAINT DEFERRABLE trigger. This
> function mariner_update_availability_date is supposed to be run by a
> user : cbt_results_import stripped of any privileges to the rest of the
> system. Here is what we get : when we SET the constraint of the last
> trigger to IMMEDIATE, the function runs on behalf of its owner
> (postgres) who has all needed privileges (as superuser) to run the
> update on mariner table and also run the triggers. However, when we run
> with this CONSTRAINT as DEFERRED then it seems to NOT run the last
> deferrable trigger as postgres.

AFAIR the trigger mechanisms do not change the execution environment.
If they did, then for example a trigger that stuffs CURRENT_USER into
a last_updated_by column would not give the desired results.

I'd suggest marking the problem trigger function as SECURITY DEFINER
if you want it to run as its owner.

			regards, tom lane
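
The suggestion above, as an added example that is not code from the thread: a deferrable constraint trigger whose function is marked SECURITY DEFINER, so it runs as its owner whether it fires at statement end or at COMMIT. All object and role names (`demo`, `demo_importer`, `log_result`, `results_audit`) are hypothetical, and the script assumes a superuser session in a scratch database on PostgreSQL 11 or later.

```sql
-- Constructed demo objects; none of these names come from the thread.
CREATE ROLE demo_importer;
CREATE SCHEMA demo;
CREATE TABLE demo.results (id int PRIMARY KEY, score int);
CREATE TABLE demo.audit (result_id int, ran_as name, session_role name);

-- The import role may insert results and nothing else.
GRANT USAGE ON SCHEMA demo TO demo_importer;
GRANT INSERT ON demo.results TO demo_importer;
-- Deliberately no privileges on demo.audit for demo_importer.

CREATE FUNCTION demo.log_result() RETURNS trigger
LANGUAGE plpgsql
SECURITY DEFINER                             -- execute as the function owner
SET search_path = pg_catalog, demo, pg_temp  -- pin name lookup, pg_temp last
AS $$
BEGIN
    -- current_user is the effective role inside the function;
    -- session_user is the role that opened (or was set for) the session.
    INSERT INTO demo.audit VALUES (NEW.id, current_user, session_user);
    RETURN NULL;  -- return value is ignored for AFTER ROW triggers
END;
$$;
-- Without SECURITY DEFINER the function runs as demo_importer and the
-- INSERT into demo.audit fails with a permission error.

CREATE CONSTRAINT TRIGGER results_audit
    AFTER INSERT ON demo.results
    DEFERRABLE INITIALLY DEFERRED
    FOR EACH ROW EXECUTE FUNCTION demo.log_result();

SET SESSION AUTHORIZATION demo_importer;

BEGIN;                                   -- deferred: trigger fires at COMMIT
INSERT INTO demo.results VALUES (1, 90);
COMMIT;

BEGIN;                                   -- immediate: fires at statement end
SET CONSTRAINTS ALL IMMEDIATE;
INSERT INTO demo.results VALUES (2, 75);
COMMIT;

RESET SESSION AUTHORIZATION;

-- Compare ran_as with session_role for the deferred and immediate rows.
SELECT result_id, ran_as, session_role FROM demo.audit ORDER BY result_id;
```

Pinning `search_path` on the function matters because a SECURITY DEFINER function otherwise resolves unqualified names through the caller's search path while holding the owner's privileges.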