Tom Lane wrote:

Alvaro Herrera <[EMAIL PROTECTED]> writes:
What we should really do is have lastval() fail if the user does not
have appropiate permissions on the schema.  Having it not fail is a bug,
and documenting a bug turns it not into a feature, but into a "gotcha".

I'm unconvinced that it's either a bug or a gotcha.  lastval doesn't
tell you which sequence it's giving you a value from, so I don't really
see the reasoning for claiming that there's a security hole.  Also,
*at the time you did the nextval* you did have permissions.  Does anyone
really think that a bad guy can't just remember the value he got?
lastval is merely a convenience.

Is that true even if it was called by a security definer function?

I too don't think that the security danger of knowing the value of a (possibly unknown) sequence is very high, but that's another argument.



---------------------------(end of broadcast)---------------------------
TIP 6: explain analyze is your friend

Reply via email to