On Wed, Jul 22, 2015 at 5:17 PM, Dean Rasheed <dean.a.rash...@gmail.com> wrote:
> There's another issue here though -- just adding filters to the
> pg_stats view won't prevent a determined user from seeing the contents
> of the underlying table. For that, the view needs to have the
> security_barrier property. Arguably the fact that pg_stats isn't a
> security barrier view is a long-standing information leak allowing
> users to see values from tables for which they don't have any
> permissions. Is anyone concerned about that?

Hrm. There's no help for that in the back-branches, but we should probably change it in 9.5+.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
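
The distinction raised in this thread, as an added example that is not part of the original messages: a filtered view declared without and with `security_barrier`, followed by a catalog query that reports which views have the option set. The table and view names are hypothetical, and the query assumes PostgreSQL 9.3 or later for `LATERAL`.

```sql
-- Constructed sample schema; every name below is hypothetical.
CREATE TABLE accounts (owner name, secret text);

-- Weak: the WHERE clause filters rows, but the planner may evaluate a
-- qual from the calling query before it, so the filter alone is not a
-- security boundary.
CREATE VIEW my_accounts AS
    SELECT owner, secret FROM accounts WHERE owner = current_user;

-- Hardened: with security_barrier the view's own quals are applied before
-- any non-leakproof function or operator from the calling query sees a row.
CREATE VIEW my_accounts_sb WITH (security_barrier) AS
    SELECT owner, secret FROM accounts WHERE owner = current_user;

-- Audit: list every view with its security_barrier status, unprotected
-- views first. reloptions is a text[] of 'name=value' entries; the value
-- is cast to boolean so 'true', 'on' and '1' are all recognised.
SELECT n.nspname                    AS schema_name,
       c.relname                    AS view_name,
       COALESCE(sb.enabled, false)  AS security_barrier
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
LEFT JOIN LATERAL (
    SELECT bool_or(split_part(opt, '=', 2)::boolean) AS enabled
    FROM unnest(c.reloptions) AS opt
    WHERE split_part(opt, '=', 1) = 'security_barrier'
) sb ON true
WHERE c.relkind = 'v'
  AND n.nspname <> 'information_schema'
ORDER BY security_barrier, schema_name, view_name;

-- An existing view flagged by the audit can be switched in place.
ALTER VIEW my_accounts SET (security_barrier = true);
```

System views in `pg_catalog`, including `pg_stats`, appear in the audit output alongside user views, so the same query shows whether a given server version ships them with the option set.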