Re: Anyone can create tables!

Thanks Tom. Actually its kinda holding me off really bad. I would like to
switch to mysql, but I still feel confident in pgsql to stay. One fellow on
irc I talked with mentioned the possibilty of creating a trigger on the
internal pgsql tables to restrict adding or creating anything. I just think
its very bad for me to consider opening my db to the world with that kind of
access open to the public. Would be like hotmail allowing unlimited email
size. You get my idea anyways Im sure.

Curious, would this idea of using triggers actually work? I mean heck, all I
really think we need is a system where if you dont own the table, you cant
add to anything that doesnt already exist. I just dont see how hard this is.
Oh well, thanks for the reply. I hope it comes soon so I can start deploying
some db's. Thanks

Dan McGrath

Tom Lane wrote:

> Dan McGrath <dmcgrath19@home.com> writes:
> > Any user with access to a database on my system that isnt the
> > owner still has the ability to create tables (and possibly functions,
> > views etc.) with no aparent limits. Is this a design flaw or a bug or
> > perhaps just something you guys havent got around to fixing yet?
>
> There is no concept of database-level privileges in Postgres, other than
> the right to connect to a DB in the first place (which is recorded and
> enforced completely outside the database system itself).
>
> As near as I can tell, the SQL standard doesn't have any such concept
> either, although it does have some notion of privileges associated with
> schemas.  We don't support schemas yet, but hope to soon.
>
> The privilege system in Postgres does badly need to be overhauled and
> brought up to SQL spec compliance, but I dunno when that will happen
> exactly.  It probably doesn't make sense to worry about it until we
> have schema support, since otherwise there's no clear mapping of the SQL
> model to Postgres...
>
>                         regards, tom lane