On Fri, Jul 5, 2013 at 9:45 AM, Noah Misch <n...@leadboat.com> wrote: > REFRESH MATERIALIZED VIEW should temporarily switch the current user ID to the > MV owner. REINDEX and VACUUM do so to let privileged users safely maintain > objects owned by others, and REFRESH MATERIALIZED VIEW belongs in that class > of commands.
I was trying to understand why this is safe for a while. REINDEX and VACUUM make sense to me because they never contain side-effect as far as I know, but MV can contain some volatile functions which could have some unintended operation that shouldn't be invoked by no one but the owner. For example, if the function creates a permanent table per call and doesn't clean it up, but later some other maintenance operation is supposed to clean it up, and the owner schedules REFRESH and maintenance once a day. A non-owner user now can refresh it so many times until the disk gets full. Or is that operation supposed to be restricted by the security context you are adding? -- Hitoshi Harada -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
