Heikki Linnakangas <hlinn...@iki.fi> writes:
> Sounds complicated. I would go with the GRANT approach. Make my_func() a
> SECURITY DEFINER function, and revoke access to my_func_extended() for
> all other roles.
+1
> Another option to consider is to not expose my_func_extended() at the
> SQL level in the first place, and rewrite my_func() in C. Dunno how
> complicated the logic in my_func() is, if that makes sense.
Another way to think about that is "push down into C the part of
my_func() that you feel is necessary to make my_func_extended()
safely callable". Personally I'd probably change my_func_extended()
itself to do that, but if you feel a need to leave it alone, you
could write a C wrapper function. Anyway my point is you might
not have to move *all* of my_func()'s functionality into C. Think
about what it is exactly that makes you feel it's unsafe to call
my_func_extended() directly.
regards, tom lane
