Hi. I was led to believe (by an hallucination...) that I could know the current_role of the caller of a DEFINER function, but after actual experimentation, turns out it shows the OWNER of the function, and not the current_role of the caller. I foolishly thought curent_role != current_user inside the DEFINER function, but reading back the doc, it's clear current_role = current_user = user, thus that was wishful thinking. Only session_user is representative of the caller, and reliable (modulo SUPERUSER and SET AUTHORIZATION, but that's a different story and kinda normal) So I have two questions: 1) Is there any way to know the current_role of the caller of a DEFINER function. I fear the answer is no, but better be sure from experts here. 2) Why isn't there a way to obtain the above? What harm would it be? Obviously for #2, distinguishing current_role from current_user inside DEFINER is a no-go, for backward compatibility. But could a new variable be invented for that? What obvious technical reason I'm missing would make that harmful or difficult? As to the use-case, now that I have a queue mechanism for tasks to be delegated to services, I need to make sure the poster of the task has the right privileges, so I wanted to capture session_user and current_role of the "poster", and the service would use that info, reliably captured (inside the DEFINER function to post a task), using ROLEs and GRANTs and other app-specific permission data. LOGIN users have different persona in the system, so the current_role matters, to determine whether the connection posting the task to be processed asynchronously by a service is allowed or not. I'd think I'm not the only one that would need something like this, no? Thanks, --DD
