Michal Špondr
Reputation: 1535
Revoke execute privileges on insertion functions in PostgreSQL
I have database with role viewer:
CREATE ROLE viewer WITH NOSUPERUSER NOCREATEDB NOCREATEROLE;
and also database schema called i (as for interface). There are insert functions in schema i, i.e.:
SELECT * FROM i.insert_machine(1,2,3);
inserts new row in table data.machine. There are some non-insertion functions, too, e.g. i.error_table(integer) which should be allowed to execute by user viewer. Grant options are:
GRANT USAGE ON SCHEMA i TO viewer;
GRANT SELECT ON ALL TABLES IN SCHEMA i TO viewer;
I want to forbid user viewer to call these insert_* methods. How should I do it? If I try both:
REVOKE ALL ON FUNCTION i.insert_machine(int, int, int) FROM viewer;
REVOKE EXECUTE ON FUNCTION i.insert_machine(int, int, int) FROM viewer;
I am still able to run this method and get result.
Upvotes: 2
Views: 2349
Answers (2)
Michal Špondr
Reputation: 1535
I think I've find it out. I have to revoke execute rights from public and opt-in only specific roles:
REVOKE EXECUTE ON FUNCTION i.insert_machine(integer, integer, integer) FROM public;
GRANT EXECUTE ON FUNCTION i.insert_machine(integer, integer, integer) TO writer;
Upvotes: 4
Łukasz Kamiński
Reputation: 5930
Change owner to different role. It must be eventviewer at the moment.
Upvotes: 0
Related Questions
- PostgreSQL revoke privileges from column
- PostgreSQL - DB user should only be allowed to call functions
- Postgres: How Can a Role Both Have INSERT Permissions and Not?
- How to revoke administrator functions for specific user while create postgres user
- How to Revoke Execute Privileges on Functions in PostgreSQL by Default
- postgresql privileges Ensuring inserts are only done through functions
- PostgreSQL: hide table INSERT UPDATE DELETE behind a function
- How can I grant & revoke specific rights from Postgresql users?
- Revoke permissions on PostgreSQL
- Grant EXECUTE to many PostGIS functions