Re: Accessing serials through rules

Rick Delaney <rick@consumercontact.com> writes:
> With rules, I can allow people to insert into a table that they don't
> otherwise have access to.  And default values seem to get inserted fine
> except when the field is type serial (and the default is from a
> sequence).  Then you get write permission errors on the associated
> sequence.  Should it be like this?

Probably not, but I don't see any reasonable way to fix it at the
moment.  The sequence function's access to the sequence isn't part
of the rule's rangetable and so is not subject to the permission
adjustments that happen for the rule.  More generally, an SQL or PLPGSQL
function invoked by a rule would also be executed with the current
user's permissions, not the rule owner's.  That might or might not be
what you want, but in any case it's quite difficult to change.

We need a rather thoroughgoing redesign of the permissions mechanism
in Postgres, and I guess this is something we'll need to consider when
that happens.

            regards, tom lane