On Tue, Mar 14, 2006 at 09:24:52AM +0100, Paul Mackay wrote: > It seems that any user has the right to execute a function, whether or not > it has been granted the EXECUTE privilege on it. Even a REVOKE EXECUTE has > no impact. A privilige error will be raised only if the function tries to > access an object (ex.: a table) for witch the user doesn't have the > appropriate privilege(s). Revoking EXECUTE from an individual user has no effect if public still has privileges, which is does by default. > Is there any utility to the GRANT EXECUTE then ? If you revoke public's privileges then GRANT EXECUTE has an effect. test=> create function foo() returns integer as 'select 1' language sql; CREATE FUNCTION test=> revoke all on function foo() from public; REVOKE test=> grant execute on function foo() to user1; GRANT test=> \c - user1 You are now connected as new user "user1". test=> select foo(); foo ----- 1 (1 row) test=> \c - user2 You are now connected as new user "user2". test=> select foo(); ERROR: permission denied for function foo -- Michael Fuhr
