According to release notes of 8.3.18 (yeah, old docs) a trigger runs with the the table owner permission. This is the only document I found about this matter: http://www.postgresql.org/docs/8.3/static/release-8-3-18.html Require execute permission on the trigger function for CREATE TRIGGER (Robert Haas) This missing check could allow another user to execute a trigger function with forged input data, by installing it on a table he owns. This is only of significance for trigger functions marked SECURITY DEFINER, since otherwise trigger functions run as the table owner anyway. (CVE-2012-0866) But, while I'd need this to be true, I can't confirm this is the case. Did I misinterpret the note above ? --strk; http://strk.keybit.net -- Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
