public inbox for [email protected]
help / color / mirror / Atom feedFrom: Laurenz Albe <[email protected]>
To: Dominique Devienne <[email protected]>
To: Tom Lane <[email protected]>
Cc: Robert Haas <[email protected]>
Cc: [email protected]
Subject: Re: Yet more ROLE changes in v18 beta1???
Date: Wed, 04 Jun 2025 19:52:01 -0500
Message-ID: <[email protected]> (raw)
In-Reply-To: <CAFCRh--PmwmqC4cUmGCPTVwzJnxoP3v=WbvyH=4z5ZpSqDRBDA@mail.gmail.com>
References: <CAFCRh-_gUzbsUcr0LAazQZKYn4Mp-HrbgJXiybokM-GVTSZ=pg@mail.gmail.com>
<CA+TgmoYEVWid5Mor2img6sQOD7NK+gv71MGBxig7-RqGp1+B4Q@mail.gmail.com>
<CAFCRh-_bT_05c2=WySpKmzvf0KA_rLtdc1LOcjTZDZFmSUsW9Q@mail.gmail.com>
<[email protected]>
<CAFCRh--PmwmqC4cUmGCPTVwzJnxoP3v=WbvyH=4z5ZpSqDRBDA@mail.gmail.com>
On Wed, 2025-06-04 at 18:42 +0200, Dominique Devienne wrote:
> On Wed, Jun 4, 2025 at 5:34 PM Tom Lane <[email protected]> wrote:
> > Dominique Devienne <[email protected]> writes:
> > > In any case, if anyone else knows about changes in this area, I'm interested.
> >
> > Digging through the commit log didn't find much, but conceivably
> >
> > https://git.postgresql.org/gitweb/?p=postgresql.git&a=commitdiff&h=01463e1cc
> > Ensure that AFTER triggers run as the instigating user.
>
> Thanks Tom. We don't drop ROLEs in trigger (yet, we'll get there).
> So that particular commit is probably not the reason.
> Thanks a bunch for looking into it. --DD
That change is not about dropping roles, but:
- before, if you had a deferred constraint trigger that was triggered while
you temporarily assumed a different role (e.g., the DML statement is executed
in a SECURITY DEFINER function), the trigger was executed as the current user
at commit time
- from v18 on, the trigger gets executed as the user that ran the DML statement
I would be somewhat surprised if you hit this rather exotic case that went
unnoticed for many years, but it is possible.
Do you have deferred constraint triggers?
Yours,
Laurenz Albe
view thread (11+ messages)
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected]
Subject: Re: Yet more ROLE changes in v18 beta1???
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox