Re: Problem with delete trigger: how to allow only triggers to delete a row?

On Friday 10 October 2008 11:25:05 am Christopher Maier wrote:
> On Oct 10, 2008, at 2:05 PM, Alvaro Herrera wrote:
> > Looks like you should revoke DELETE privilege from plain users, and
> > have your delete trigger be a security definer function.  There
> > would be
> > another security definer function to delete non-deduced rows which
> > users
> > can call directly.
>
> Thanks, Alvaro.  So you're suggesting I create a function like this:
>
> CREATE FUNCTION user_delete(identifier my_table.id%TYPE) RETURNS VOID
> LANGUAGE plpgsql SECURITY DEFINER AS $$
> BEGIN
>     ...
>     -- do various checks
>     ...
>     DELETE FROM my_table WHERE id = identifier;
>     ...
> END;
> $$;
>
> Correct?  That sounds like it would work.  If at all possible, I'd
> like to keep the "interface" the same for all my tables, though (i.e.,
> users don't have to be concerned with whether they can do regular SQL
> deletes, or if they have to call a special function).  I suppose that
> can ultimately be hidden, though.
>
> I will try this approach and see how it works out.  If there is any
> other way to achieve this goal, however, I would be interested to hear.
>
> Thanks again.
>
> --Chris

A possible approach, not fully tested.
REVOKE DELETE from normal users as suggested above.
GRANT DELETE to privileged_user

Semi psuedo-code below.

CREATE OR REPLACE FUNCTION  check_delete RETURNS TRIGGER AS 
$Body$
BEGINIF current_user != 'privileged_user' AND old.deduced = 'f' THEN    SET LOCAL ROLE  'privileged_user';    --Do your
sanitychecks and create DELETE statements    RETURN OLD;ELSIF current_user != 'privileged_user' AND old.deduced ='t'
THEN   RETURN NULL;ELSIF current_user = 'priviliged_user' THEN    RETURN OLD
 


END;

$Body$
LANGUAGE plpgsql;
-- 
Adrian Klaver
aklaver@comcast.net