Re: When and where to check for function permissions

Peter Eisentraut <peter_e@gmx.net> writes:
> Now I remembered the way SQL99 specifies
> function resolution, which has the permission check before the function
> resolution begins.

That may be what the spec says, but I think the spec is completely
brain-dead in this regard and should be ignored.  We do not resolve
table names that way, why should we resolve function names?

Even more to the point, what happens when someone adds or revokes
privileges that would affect already-planned queries?  If I can still
call a function that is referenced by an already-planned query even
though the function's owner has revoked my right to do so, that is a
bug.  On the other hand, if the query continues to "work" but silently
calls a different function than I was expecting, that's not cool either.

We did some nontrivial work awhile back to ensure that table privileges
would be checked at execution time and not before.  Function privileges
*must* be handled the same way.
        regards, tom lane