Re: lastval exposes information that currval does not
From | Andrew Dunstan |
---|---|
Subject | Re: lastval exposes information that currval does not |
Date | |
Msg-id | 44C929B1.8060306@dunslane.net |
In response to | Re: lastval exposes information that currval does not (Tom Lane <tgl@sss.pgh.pa.us>) |
Responses |
Re: lastval exposes information that currval does not
|
List | pgsql-hackers |
Tom Lane wrote:

> Alvaro Herrera <alvherre@commandprompt.com> writes:
>
>> What we should really do is have lastval() fail if the user does not
>> have appropriate permissions on the schema. Having it not fail is a bug,
>> and documenting a bug turns it not into a feature, but into a "gotcha".
>
> I'm unconvinced that it's either a bug or a gotcha. lastval doesn't
> tell you which sequence it's giving you a value from, so I don't really
> see the reasoning for claiming that there's a security hole. Also,
> *at the time you did the nextval* you did have permissions. Does anyone
> really think that a bad guy can't just remember the value he got?
> lastval is merely a convenience.

Is that true even if it was called by a security definer function?

I too don't think that the security danger of knowing the value of a (possibly unknown) sequence is very high, but that's another argument.

cheers

andrew