> adrian.klaver@xxxxxxxxxxx wrote: > >> bryn@xxxxxxxxxxxx wrote: >> >> Anyway, all this is moot (except in that thinking about it helps me to enrich my mental model) because the privilege notions here will never change. > > So, I want it but not really. I’d rather say “I’d very much prefer it if I had it. But, because I don’t, I will have to write a comment essay to explain what tests might show and why these outcomes that might seem worrisome at first sight can be seen, after an exercise of reasoning, to be harmless. I’m not a fan of that kind of essay writing. But I’ll do it if I have to. >> Yes I have actually done this. But rigorous testing remains to be done... The point (conforming to the principle of least privilege) is that sessions that connect as "client" must not be allowed to do arbitrary SQL. Rather, they should be able to do only what has been explicitly "white-listed" in by the encapsulation provided by the API-defining subprograms. > > All right that I get. Good. I’m relieved that you haven’t (yet) spotted a flaw in my scheme.
