On Mon, Dec 15, 2008 at 9:38 PM, Klint Gore <kgore4@xxxxxxxxxx> wrote:
> Andreas wrote:
>>
>> I'd like to have a view only to be used by certain users.
>> The tables are public.
>>
>> Can this only be done by restricting access to the tables?
>>
>
> GRANT/REVOKE works on views
> revoke all on aview from public;
> grant select on aview to user1;
>
> As Raymond pointed out, if user2 knows what the definition of aview is, they
> can just run it against the raw tables.
> e.g.
> create view aview as select * from pg_proc;
> revoke all on aview from public;
> grant select on aview to user1;
> set session authorization user2;
> select * from aview; -- fails
> select * from pg_proc; -- works and gives the same result

Yes, but:
* you can still \d the view (or \d equivalent in SQL) which shows its definition
* if you can \d view, you can 'create temporary view' with the same definition on public tables

What does this get you?

merlin
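
The point raised in this thread, as an added example that is not part of the original messages: restricting only the view leaves the data readable through the base table, while revoking on the base table makes the view the only path to it. The names customers and app_owner and the sample row are hypothetical; aview, user1 and user2 follow the thread. It assumes a superuser session in a scratch PostgreSQL database.

```sql
-- Constructed example; run as a superuser in a scratch database.
CREATE ROLE app_owner;   -- hypothetical owner of the table and the view
CREATE ROLE user1;       -- the user who is meant to read the view
CREATE ROLE user2;       -- a user who is not

CREATE TABLE customers (id integer PRIMARY KEY, name text, card_no text);
INSERT INTO customers VALUES (1, 'Alice', '4111-0000-0000-0001');  -- constructed row
ALTER TABLE customers OWNER TO app_owner;

CREATE VIEW aview AS SELECT id, name FROM customers;
ALTER VIEW aview OWNER TO app_owner;

-- Weak setting (the situation in the thread): view restricted, table public.
GRANT SELECT ON customers TO PUBLIC;
REVOKE ALL ON aview FROM PUBLIC;
GRANT SELECT ON aview TO user1;

-- Check: user2 has no privilege on the view but still has it on the table,
-- so the grant on the view protects nothing.
SELECT has_table_privilege('user2', 'aview', 'SELECT')     AS user2_view,
       has_table_privilege('user2', 'customers', 'SELECT') AS user2_table;

-- Corrected setting: close the base table; keep the grant on the view.
REVOKE ALL ON customers FROM PUBLIC;

-- Check: neither user holds a direct privilege on the table any more.
SELECT has_table_privilege('user1', 'customers', 'SELECT') AS user1_table,
       has_table_privilege('user2', 'customers', 'SELECT') AS user2_table;

-- user1 reads through the view: by default the view's access to customers
-- is checked against the view owner (app_owner), not the caller.
-- (A view created WITH (security_invoker = true), PostgreSQL 15+, checks the caller instead.)
SET SESSION AUTHORIZATION user1;
SELECT * FROM aview;         -- allowed
SELECT * FROM customers;     -- permission denied
RESET SESSION AUTHORIZATION;

-- user2 is denied on both; knowing the view definition no longer helps,
-- because a temporary view over customers needs SELECT on customers.
SET SESSION AUTHORIZATION user2;
SELECT * FROM aview;         -- permission denied
SELECT * FROM customers;     -- permission denied
RESET SESSION AUTHORIZATION;
```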