( I know this is slightly OT, but since I am not a highly active SQL developer, please
bear with me.)
Watching this list, I have noticed several people mutter about the fact that any
user with access to a database can create a table in it. I do not know if this would
work, but I would like to propose a possible workaround. Use this information at your
own risk; I do not know if this would work, cause more damage than good, etc.
While I am no means an SQL wizard, one of the things I know postgres supports is
the ability to create rules. At least under 7.0.2, it seems that rules can be applied
to a system table, such as pg_tables. Now, I don't know if SQL rules can do things a
user normally could not do. But given that I could create a rule on a pg_tables, one
wonders if such a rule could be used to keep users from making tables.
The rule would go something like this (more pseudo-code than SQL code):
ON INSERT pg_tables WHERE (current_user not a superuser) AND (current_user not in
allowed_tablecreator_list) DO DROP (last_table added to pg_tables);
This might not exactly work, as pg_tables might not be the last thing to know about
a table being added. This also might not work if the rule is executed before
pg_tables gets modified, or if rules can not modify system tables (I only tried a "DO
NOTHING"). If a rule is the first thing that learns about a table operation, DO
INSTEAD NOTHING might work, even in the case where a user can not modify the system
tables.
Historically, I have not used rules with any of my SQL databases, so I do not know
if this would work. But any insight as to what can/can not be done in this area
would be useful.
Sincerely,
Samuel Greenfeld
