Noah Misch <n...@leadboat.com> writes: >> CREATE FUNCTION + ALTER FUNCTION OWNER TO is useful for creating another >> user's untrusted-language SECURITY DEFINER function. ALTER FUNCTION CALLED >> ON >> NULL INPUT ought to require that the user be eligible to redefine the >> function >> completely.
> Here's a patch implementing that restriction. To clarify, I see no need to > repeat *all* the CREATE-time checks; for example, there's no need to recheck > permission to use the return type. The language usage check is enough. This seems bizarre and largely unnecessary. As you stated to begin with, granting ownership of a function implies some degree of trust. I do not want to get into the business of parsing exactly which variants of ALTER FUNCTION ought to be considered safe. And I definitely don't want to add a check that enforces restrictions against cases that have got nothing whatever to do with C-language functions, as this patch does. regards, tom lane -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers