DML Restriction unless through a function

val
Hi all;

Is it possible to write a trigger or the ilk that would disallow
direct inserts, updates, or deletes to a table unless it was
being executed through a function? How can I identify that the
DML being issued is being done via a function?

We are writing an API of sorts and for various business logic
aspects, it is necessary that certain checks and sets of data
are processed through the database in a certain method. The use
of functions provides the ability to do this, but I would
definitely like to restrict access to the underlying tables.

If I revoke insert,update,delete privileges on a table, would
the user still be able to affect data manipulation through a
function? Is that another way of getting around this?

TIA

---------------------------(end of broadcast)---------------------------
TIP 6: Have you searched our list archives?

http://archives.postgresql.org

Nov 23 '05 #1
va*@webtribe.net wrote:
> Hi all;
>
> Is it possible to write a trigger or the ilk that would disallow
> direct inserts, updates, or deletes to a table unless it was
> being executed through a function? How can I identify that the
> DML being issued is being done via a function?

http://www.postgresql.org/docs/7.4/s...efunction.html

Look for security definer. Grant table access only to user who creates the
function and grant access to function to everybody concerned.

HTH

Shridhar


Nov 23 '05 #2
On Wed, Jun 30, 2004 at 13:21:00 +0100,
va*@webtribe.net wrote:

> If I revoke insert,update,delete privileges on a table, would
> the user still be able to affect data manipulation through a
> function? Is that another way of getting around this?


If you use a security definer function where the function creator
has access to the table, but others don't then you can do that.
There are some issues if you start using such functions in views,
but for simple usage it will do what you want.


Nov 23 '05 #3
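
The approach suggested in the replies above (table privileges held only by the function owner, EXECUTE granted to the callers), as an added example that is not part of the original thread. The role, schema, table and function names are hypothetical, and the `SET search_path` clause requires PostgreSQL 8.3 or later, not the 7.4 release the thread links to.

```sql
-- Added example; all role, schema, table and function names are hypothetical.
-- Run as a superuser in a scratch database.
CREATE ROLE api_owner NOLOGIN;
CREATE ROLE app_user  NOLOGIN;

CREATE SCHEMA api AUTHORIZATION api_owner;
GRANT USAGE ON SCHEMA api TO app_user;

SET ROLE api_owner;

CREATE TABLE api.account (
    id      serial  PRIMARY KEY,
    holder  text    NOT NULL,
    balance numeric NOT NULL
);

-- Nobody but the owner may touch the table directly.
REVOKE ALL ON api.account FROM PUBLIC, app_user;

-- The function is the only write path. SECURITY DEFINER makes the body
-- run with the privileges of its owner (api_owner), not of the caller.
CREATE FUNCTION api.open_account(p_holder text, p_balance numeric)
RETURNS integer
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = api, pg_temp   -- pin name lookup for definer-rights code
AS $$
DECLARE
    new_id integer;
BEGIN
    -- Business rule enforced on every write, because no other path exists.
    IF p_balance < 0 THEN
        RAISE EXCEPTION 'opening balance must not be negative';
    END IF;
    INSERT INTO api.account (holder, balance)
    VALUES (p_holder, p_balance)
    RETURNING id INTO new_id;
    RETURN new_id;
END;
$$;

-- EXECUTE is granted to PUBLIC by default; narrow it to the API role.
REVOKE ALL ON FUNCTION api.open_account(text, numeric) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION api.open_account(text, numeric) TO app_user;
RESET ROLE;

SET ROLE app_user;
SELECT api.open_account('alice', 100);   -- allowed: goes through the function
INSERT INTO api.account (holder, balance)
VALUES ('bob', 1);                       -- rejected: no INSERT privilege on the table
RESET ROLE;
```
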
On 30/6/04 2:52 pm, "Bruno Wolff III" <br***@wolff.to> wrote:
> On Wed, Jun 30, 2004 at 13:21:00 +0100,
> va*@webtribe.net wrote:
>
>> If I revoke insert,update,delete privileges on a table, would
>> the user still be able to affect data manipulation through a
>> function? Is that another way of getting around this?
>
> If you use a security definer function where the function creator
> has access to the table, but others don't then you can do that.
> There are some issues if you start using such functions in views,
> but for simple usage it will do what you want.


Out of interest, what are the issues?

Thanks

adam

Nov 23 '05 #4
On Wed, Jun 30, 2004 at 15:02:33 +0100,
Adam Witney <aw*****@sghms.ac.uk> wrote:

> Out of interest, what are the issues?


You should be able to find a more accurate description in the archives, but
my memory is that when you run a security definer function in a view
(this shouldn't apply if it is used as a default for a column in the view) it
runs with the authority of the view creator rather than the function creator.
In practice that probably isn't a problem, since normally they would be
the same person.


Nov 23 '05 #5
On Wed, Jun 30, 2004 at 12:00:44 -0400,
Tom Lane <tg*@sss.pgh.pa.us> wrote:

> That doesn't sound right to me at all. A SECURITY DEFINER function is
> self contained --- if we ever failed to execute it as the owning user,
> that would be a bug, and I'd be pleased to see an example.
>
> I do recall that if you have a function that is *not* SECURITY DEFINER,
> and you use it in a view, it will be invoked as the current user, not as
> the view creator which is what some people expect. It's fairly easy to
> get around this using SECURITY DEFINER, so it's unlikely that we'll
> change it ...


That is what I was probably thinking of.


Nov 23 '05 #6
Bruno Wolff III <br***@wolff.to> writes:
>> Out of interest, what are the issues?
>
> You should be able to find a more accurate description in the archives, but
> my memory is that when you run a security definer function in a view
> (this shouldn't apply if it is used as a default for a column in the view) it
> runs with the authority of the view creator rather than the function creator.


That doesn't sound right to me at all. A SECURITY DEFINER function is
self contained --- if we ever failed to execute it as the owning user,
that would be a bug, and I'd be pleased to see an example.

I do recall that if you have a function that is *not* SECURITY DEFINER,
and you use it in a view, it will be invoked as the current user, not as
the view creator which is what some people expect. It's fairly easy to
get around this using SECURITY DEFINER, so it's unlikely that we'll
change it ...

regards, tom lane


Nov 23 '05 #7
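
An added example (not part of the original thread) of the behaviour Tom Lane describes: a function that is not SECURITY DEFINER, called from a view, runs as the querying user rather than the view creator, while the SECURITY DEFINER variant runs as its owner. The role, schema, table, view and function names are hypothetical, and `SET search_path` assumes PostgreSQL 8.3 or later.

```sql
-- Added example; all names are hypothetical. Run as a superuser in a
-- scratch database.
CREATE ROLE view_owner NOLOGIN;
CREATE ROLE reader     NOLOGIN;
CREATE SCHEMA demo AUTHORIZATION view_owner;
GRANT USAGE ON SCHEMA demo TO reader;

SET ROLE view_owner;

-- Table readable by its owner only.
CREATE TABLE demo.ledger (amount numeric NOT NULL);
INSERT INTO demo.ledger VALUES (10), (32);

-- Default (invoker rights): the body runs as whoever runs the query.
CREATE FUNCTION demo.total_invoker() RETURNS numeric
LANGUAGE plpgsql AS $$
BEGIN
    RETURN (SELECT sum(amount) FROM demo.ledger);
END;
$$;

-- Definer rights: the body runs as the function owner (view_owner).
CREATE FUNCTION demo.total_definer() RETURNS numeric
LANGUAGE plpgsql SECURITY DEFINER
SET search_path = demo, pg_temp
AS $$
BEGIN
    RETURN (SELECT sum(amount) FROM demo.ledger);
END;
$$;

-- Both views are owned by view_owner and readable by reader.
CREATE VIEW demo.v_invoker AS SELECT demo.total_invoker() AS total;
CREATE VIEW demo.v_definer AS SELECT demo.total_definer() AS total;
GRANT SELECT ON demo.v_invoker, demo.v_definer TO reader;
RESET ROLE;

SET ROLE reader;
SELECT total FROM demo.v_definer;  -- allowed: body reads demo.ledger as view_owner
SELECT total FROM demo.v_invoker;  -- rejected: body reads demo.ledger as reader,
                                   -- who has no privilege on the table
RESET ROLE;
```
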
