On Fri, Jan 13, 2023 at 4:46 PM Andres Freund <and...@anarazel.de> wrote:
> I don't really see what that has to do with the topic at hand, unless you want
> to suggest removing the entire section about how to write secure security
> definer functions?

Not remove, but I'm not seeing why the introduction of this GUC requires any change to the documentation. I'll leave discussion of security invoker to the other thread going on right now.

> The point of the security definer section is to explain how to safely write
> security definer functions that you grant to less privileged users

Yeah, we are really good at "how".

+ If the security definer function intends to create roles, and if it
+ is running as a non-superuser, <varname>createrole_self_grant</varname>
+ should also be set to a known value using the <literal>SET</literal>
+ clause.

I'd like to know "why". Without knowing why we are adding this I can't give it a +1. I want the patch to include the why.

David J.
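
Review bot: The added sentence ending "should also be set to a known value using the <literal>SET</literal> clause" gives the instruction without its reason and without saying what a "known value" is. Suggest extending the paragraph with one clause that states what a role-creating security definer function risks when <varname>createrole_self_grant</varname> is not pinned with SET, and which value or values the author is expected to choose, so a reader can tell whether the advice applies to their function.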