On Wed, Jun 24, 2009 at 9:52 AM, Tom Lane<[email protected]> wrote: > "Albe Laurenz" <[email protected]> writes: >> Robert Haas wrote: >>> I don't think this is true. You can use SET SESSION AUTHORIZATION, >>> right? > >> You are right, I overlooked that. >> It is restricted to superusers though. > > That sort of thing is only workable if you have trustworthy client code > that controls what queries the users can issue. If someone can send raw > SQL commands then he just needs to do RESET SESSION AUTHORIZATION to > become superuser.
Good point, although since the OP said it was a webapp, they probably have control over that. ...Robert -- Sent via pgsql-performance mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-performance
