Re: LISTEN/NOTIFY Security and the docs
From | Magnus Hagander |
---|---|
Subject | Re: LISTEN/NOTIFY Security and the docs |
Date | |
Msg-id | CABUevEyAiRR0HhKseVemksTn_5PZLf860hYXhYYpphwJK8pzJg@mail.gmail.com |
In response to | LISTEN/NOTIFY Security and the docs (Chander Ganesan <chander@otg-nc.com>) |
Responses | Re: LISTEN/NOTIFY Security and the docs |
List | pgsql-hackers |

On Fri, May 18, 2012 at 5:08 PM, Chander Ganesan <chander@otg-nc.com> wrote:
> Hi All,
>
> I just realized that anyone can listen for notifications (using listen) so
> long as they know the "channel" name. This means that a user could receive
> and view the payload for another user.
>
> Perhaps it would be good to note this in the documentation (i.e., there
> should be no expectation of privacy/security when using listen/notify, so
> any user that can connect to a database could issue and receive
> notifications for any channel.)

Might be worth a note, yes. The lack of a note really should tell you
that it's a broadcast, but it wouldn't hurt to have an extra one.

Want to prepare a patch?

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/