Handling multiple clients access with views

From: Brice André
Subject: Handling multiple clients access with views
Msg-id: CAOBG12kFTaWUDHU-puJuDK5wQUZ=hdkFBbN1Ku9HUA8_qp0BAg@mail.gmail.com
Replies: Re: Handling multiple clients access with views (Craig Ringer <ringerc@ringerc.id.au>)
List: pgsql-sql

Hello everyone,

I am developing a web service where some tables are handling the data of different clients. Depending on configured rights, one client can have no access, or read access, or read and write access to other clients' data.

In order to handle that, I am using views and, to ensure that a client cannot access data outside the view, all clients' info is stored in a table where its postgresql user name is also stored. So, in order to limit access of the view, I am using the postgresql special function "current_user()" and I am retrieving the id of my client like this.

My problem is that I am not sure this is a good idea in terms of performance (which is a big issue in my case). My main fears are that:
   - The use of the "current_user()" function would slow the complete request
   - My method requires that each user has its own postgresql user. But, in this case, my web server needs to establish a postgresql connection for each user, which will maybe cause problems.

So, I was wondering whether I was not completely wrong in doing it like that. Maybe there is a simpler way of doing what I try to do? Or maybe I am a little bit too paranoid, and maybe I should handle all my clients with a single postgresql user, handling all safety aspects in my php script?

The advantage of my method is that, even if there is a bug in my php script, if the db views are properly configured, a malicious client cannot alter the data of another client for which he does not have write access. But maybe it is not a good idea to handle this at db level?

Do you have any suggestions on those aspects?

Regards,

Brice André
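
The design described in the message above, sketched as an added example that is not part of the original post or of any reply. All table, column, view and role names are hypothetical, and it assumes PostgreSQL 9.4 or later for `WITH CHECK OPTION` on a `security_barrier` view.

```sql
-- Hypothetical schema: one row per client, mapped to the PostgreSQL role it connects as.
CREATE TABLE clients (
    id      integer PRIMARY KEY,
    pg_role name NOT NULL UNIQUE
);

-- A row means: grantee_id may read owner_id's data, and write it if can_write is set.
CREATE TABLE client_rights (
    grantee_id integer NOT NULL REFERENCES clients(id),
    owner_id   integer NOT NULL REFERENCES clients(id),
    can_write  boolean NOT NULL DEFAULT false,
    PRIMARY KEY (grantee_id, owner_id)
);

CREATE TABLE measurements (
    id        integer PRIMARY KEY,
    client_id integer NOT NULL REFERENCES clients(id),
    payload   text
);

-- Read view: own rows plus rows of every owner that granted a right.
-- security_barrier keeps caller-supplied functions from seeing rows
-- before the view's own filter has been applied.
CREATE VIEW my_measurements WITH (security_barrier) AS
SELECT m.id, m.client_id, m.payload
FROM measurements m
WHERE m.client_id IN (
    SELECT c.id FROM clients c WHERE c.pg_role = current_user
    UNION ALL
    SELECT r.owner_id FROM client_rights r
    JOIN clients c ON c.id = r.grantee_id
    WHERE c.pg_role = current_user
);

-- Write view: same idea, restricted to can_write grants. The check option
-- rejects an INSERT or UPDATE that would place a row outside the allowed set.
CREATE VIEW my_writable_measurements WITH (security_barrier) AS
SELECT m.id, m.client_id, m.payload
FROM measurements m
WHERE m.client_id IN (
    SELECT c.id FROM clients c WHERE c.pg_role = current_user
    UNION ALL
    SELECT r.owner_id FROM client_rights r
    JOIN clients c ON c.id = r.grantee_id
    WHERE c.pg_role = current_user AND r.can_write
)
WITH CASCADED CHECK OPTION;

-- Client roles are granted the views only and hold no privilege on the base tables.
CREATE ROLE client_role NOLOGIN;
GRANT SELECT ON my_measurements TO client_role;
GRANT SELECT, INSERT, UPDATE, DELETE ON my_writable_measurements TO client_role;
```

The views read the base tables with the view owner's privileges, while `current_user` still evaluates to the connected role, which is what lets the base tables stay closed to client roles.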
