Re: Should we get rid of custom_variable_classes altogether?
From | Tom Lane |
---|---|
Subject | Re: Should we get rid of custom_variable_classes altogether? |
Date | |
Msg-id | 15021.1317652908@sss.pgh.pa.us |
In response to | Re: Should we get rid of custom_variable_classes altogether? (Andrew Dunstan <andrew@dunslane.net>) |
Responses | Re: Should we get rid of custom_variable_classes altogether? |
List | pgsql-hackers |
Andrew Dunstan <andrew@dunslane.net> writes:
> On 10/03/2011 10:17 AM, Tom Lane wrote:
>> Right. Getting rid of custom_variable_classes should actually make
>> those use-cases easier, since it will eliminate a required setup step.

> So are we going to sanction using this as a poor man's session variable
> mechanism?

People already are doing that, sanctioned or not.

> If so maybe we should at least warn that anything set will be accessible
> by all roles, so security definer functions for example should be wary
> of trusting such values.

Since it's not documented anywhere, I'm not sure where we'd put such a
warning. I think anyone bright enough to think of such a hack should
be able to see the potential downsides, anyway.

regards, tom lane
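
Added example, not part of the original message or of the PostgreSQL sources: the concern raised in the quoted text, a SECURITY DEFINER function trusting a custom setting that any role can SET, shown beside a variant keyed on session_user. The table, function and setting names (accounts, myapp.user_id and so on) are hypothetical.

```sql
-- Constructed example; all object and setting names are hypothetical.
CREATE TABLE accounts (
    owner_id   text,     -- application-level id, as stored in the custom setting
    owner_role name,     -- database role that owns the row
    balance    numeric
);

-- Weak: the function runs with its owner's privileges but decides whose
-- row to return from a custom setting. Any role can change that setting
-- in its own session (SET myapp.user_id = '...'), so the value is
-- caller-controlled input, not an identity.
CREATE FUNCTION balance_trusting_setting() RETURNS numeric
LANGUAGE sql STABLE SECURITY DEFINER
SET search_path = public, pg_temp
AS $$
    SELECT balance
    FROM accounts
    WHERE owner_id = current_setting('myapp.user_id');
$$;

-- Safer: key the lookup on session_user, which an ordinary role cannot
-- change with SET. (current_user would be the function owner here,
-- because the function is SECURITY DEFINER.)
CREATE FUNCTION balance_for_session_user() RETURNS numeric
LANGUAGE sql STABLE SECURITY DEFINER
SET search_path = public, pg_temp
AS $$
    SELECT balance
    FROM accounts
    WHERE owner_role = session_user;
$$;
```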