public inbox for [email protected]
help / color / mirror / Atom feedFrom: Dominique Devienne <[email protected]>
To: [email protected]
Subject: current_role of caller of a DEFINER function
Date: Wed, 26 Jun 2024 10:35:49 +0200
Message-ID: <CAFCRh--0j77ueun+Ak0vRe_vi__Jks_HZjD9QbD+THR8gAWvRQ@mail.gmail.com> (raw)
Hi. I was led to believe (by an hallucination...) that I could know
the current_role of the caller of a DEFINER function, but after actual
experimentation, turns out it shows the OWNER of the function, and not
the current_role of the caller.
I foolishly thought curent_role != current_user inside the DEFINER
function, but reading back the doc, it's clear current_role =
current_user = user, thus that was wishful thinking. Only session_user
is representative of the caller, and reliable (modulo SUPERUSER and
SET AUTHORIZATION, but that's a different story and kinda normal)
So I have two questions:
1) Is there any way to know the current_role of the caller of a
DEFINER function. I fear the answer is no, but better be sure from
experts here.
2) Why isn't there a way to obtain the above? What harm would it be?
Obviously for #2, distinguishing current_role from current_user inside
DEFINER is a no-go, for backward compatibility. But could a new
variable be invented for that? What obvious technical reason I'm
missing would make that harmful or difficult?
As to the use-case, now that I have a queue mechanism for tasks to be
delegated to services, I need to make sure the poster of the task has
the right privileges, so I wanted to capture session_user and
current_role of the "poster", and the service would use that info,
reliably captured (inside the DEFINER function to post a task), using
ROLEs and GRANTs and other app-specific permission data.
LOGIN users have different persona in the system, so the current_role
matters, to determine whether the connection posting the task to be
processed asynchronously by a service is allowed or not. I'd think I'm
not the only one that would need something like this, no?
Thanks, --DD
view thread (3+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected]
Subject: Re: current_role of caller of a DEFINER function
In-Reply-To: <CAFCRh--0j77ueun+Ak0vRe_vi__Jks_HZjD9QbD+THR8gAWvRQ@mail.gmail.com>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox