> > Would that solve the problem? Maybe not because you would have to rip
> > apart the plan, wouldn't you?
> >
> > --
> > Bruce Momjian | 830 Blythe Avenue
>
> I checked it. It's all already there. The rewrite handler
> checks for all the range table entries he adds to the query,
> if the rule owner has the appropriate permissions
> (read/write). And it sets the skipAcl field for these rte's
> so the executor later will ignore them.
>
> The only thing missing is that CREATE VIEW and CREATE RULE
> require write access to pg_rewrite (create view does a create
> table and create rule internally). But we cannot grant write
> access on pg_rewrite to looser users. So I think a global
> variable, turning off the whole ACL system temporary, would
> do.
I understand. We don't have APPEND rights separate from MODIFY rights.
Actually, I think they are defined in the system, but not used. We have
a similar problem with pg_database. People who can create databases can
remove other database entries from pg_database.
--
Bruce Momjian | 830 Blythe Avenue
maillist@candle.pha.pa.us | Drexel Hill, Pennsylvania 19026
+ If your life is a hard drive, | (610) 353-9879(w)
+ Christ can be your backup. | (610) 853-3000(h)