Re: lastval exposes information that currval does not

> I am well aware of what security definer means. The significant part of
> this example is that lastval() will allow the caller to see the value of
> a sequence where currval('seq') will not. This means that things which
> might have been forbidden in 8.0 are now accessible in 8.1.
>
> It also means that revoking usage on a schema is not sufficient to
> prevent a user from accessing things within that schema, a property that
> makes me quite uncomfortable.

Then the public schema must drive you nuts :). If you were to create the 
function as a non-super user you would probably be good.

Joshua D. Drake



>
> ---------------------------(end of broadcast)---------------------------
> TIP 3: Have you checked our extensive FAQ?
>
>                http://www.postgresql.org/docs/faq

--   === The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240  Providing the most comprehensive  PostgreSQL
solutionssince 1997            http://www.commandprompt.com/