Unix Technical Forum

Re: prevent users from seeing pl/pgsql code in pgadmin

04-17-2008, 04:34 PM
Merlin Moncure



> -----Original Message-----
> From: Dave Page [mailto:dpage@vale-housing.co.uk]
> Sent: Wednesday, March 16, 2005 12:06 PM
> To: Merlin Moncure
> Cc: pgadmin-hackers@postgresql.org
> Subject: RE: [pgadmin-hackers] prevent users from seeing pl/pgsql code in pgadmin
>
> > -----Original Message-----
> > From: Merlin Moncure [mailto:merlin.moncure@rcsonline.com]
> > Sent: 16 March 2005 16:54
> > To: Dave Page
> > Cc: pgadmin-hackers@postgresql.org
> > Subject: RE: [pgadmin-hackers] prevent users from seeing pl/pgsql code in pgadmin
> >
> > > > I also tried hacking the search path and putting a pg_proc table into
> > > > the public schema. While this fixed select * from pg_proc
> > > > (but not /df), pgAdmin still pulled the function source.
> > >
> > > Odd - it didn't here. Every query on pg_proc resulted in a message box
> > > telling me it couldn't select from pg_proc - protecting the source, but
> > > breaking pgAdmin.
> >
> > What did you do exactly? Here's what I tried:
>


Ah. Ok, yes this certainly breaks pgAdmin. And true function code
protection on the server side seems pretty nasty without some serious
hacking.

What about this: do you think pgAdmin should prevent rendering the sql code
for various database schema objects (but especially functions) if the
pgAdmin user does not have appropriate access to that object?

For example, if user does not have the 'execute' permission, disable sql
render of the function object. I think this is pretty reasonable from a
security standpoint until such time that the server gets this
capability.

Merlin
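
The check proposed above, written as the catalog query a client such as pgAdmin could run before rendering a function body. This is an added example, not code from the post or from pgAdmin; the schema, role and function names (demo_app, demo_reader, secret_calc) are constructed for the demo.

```sql
-- Constructed demo objects (hypothetical names, not from the thread).
CREATE SCHEMA demo_app;
CREATE ROLE demo_reader NOLOGIN;
GRANT USAGE ON SCHEMA demo_app TO demo_reader;

CREATE FUNCTION demo_app.secret_calc(x integer) RETURNS integer
    LANGUAGE plpgsql AS $$ BEGIN RETURN x * 42; END; $$;

-- New functions are executable by PUBLIC by default, so without this
-- REVOKE the permission check below would never hide anything.
REVOKE EXECUTE ON FUNCTION demo_app.secret_calc(integer) FROM PUBLIC;

-- Query a client could use to build its function list: the body is
-- returned only when the connected role holds EXECUTE on the function.
SET ROLE demo_reader;
SELECT n.nspname AS schema_name,
       p.proname AS function_name,
       has_function_privilege(p.oid, 'EXECUTE') AS can_execute,
       CASE WHEN has_function_privilege(p.oid, 'EXECUTE')
            THEN p.prosrc
            ELSE NULL           -- client shows "source hidden" instead
       END AS source_to_render
FROM pg_catalog.pg_proc p
JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'demo_app';
-- For demo_reader: can_execute = false, source_to_render = NULL.

-- The filter is display-side only. The same role can still read the
-- catalog column directly, which is the server-side gap the post describes.
SELECT prosrc FROM pg_catalog.pg_proc WHERE proname = 'secret_calc';
RESET ROLE;

-- Clean up the demo objects.
DROP FUNCTION demo_app.secret_calc(integer);
DROP SCHEMA demo_app;
DROP ROLE demo_reader;
```

Because the last query still returns the body, a client-side check like this only changes what the GUI displays; it does not stop a user who can open a SQL session.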
