[postgis-devel] estimated_extent & pg_statistic
Mark Cave-Ayland
m.cave-ayland at webbased.co.uk
Wed Mar 8 09:39:09 PST 2006
> -----Original Message-----
> From: postgis-devel-bounces at postgis.refractions.net [mailto:postgis-devel-
> bounces at postgis.refractions.net] On Behalf Of strk at refractions.net
> Sent: 06 March 2006 11:57
> To: 'PostGIS Development Discussion'
> Subject: Re: [postgis-devel] estimated_extent & pg_statistic
Hi strk,
(cut)
> I'd rather avoid adding another view.
Is there any particular reason why views cause a problem?
I've attached a patch for Martin's case that marks the estimated_extent()
function as SECURITY DEFINER and implements an access control check using
has_table_privilege. The new behaviour is that if a user u1 creates a
geometry column, user u1 can now call estimated_extent(), but a user u2 who
does not have SELECT permissions on the target table will not be able to
call estimated_extent() on user u1's table.
The main downside with this approach is that it appears PostgreSQL 7.2
doesn't support SECURITY DEFINER, and so non-superusers would not be able to
get around this issue (then again, if you are still running a 7.2 series
database in production you probably have a lot more pressing issues...)
I imagine that if we used a view in a similar manner to pg_stats then we
would be able to get this to work back in 7.2 as well, however since support
for 7.2 is now non-existent, I can't get too excited about it. Comments
anyone?
> What about using has_table_privilege() from withing a SECURITY DEFINER ?
> Also, can CREATE OR REPLACE FUNCTION override the SECURITY DEFINER
> specifier ?
Looks like you can here, as long you are the superuser.
Kind regards,
Mark.
------------------------
WebBased Ltd
17 Research Way
Plymouth
PL6 8BT
T: +44 (0)1752 797131
F: +44 (0)1752 791023
http://www.webbased.co.uk
http://www.infomapper.com
http://www.swtc.co.uk
This email and any attachments are confidential to the intended recipient
and may also be privileged. If you are not the intended recipient please
delete it from your system and notify the sender. You should not copy it or
use it for any purpose nor disclose or distribute its contents to any other
person.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: estimated_extent.diff
Type: application/octet-stream
Size: 3480 bytes
Desc: not available
URL: <http://lists.osgeo.org/pipermail/postgis-devel/attachments/20060308/dadc5aea/attachment.obj>
More information about the postgis-devel
mailing list