src/current/v24.3/create-function.md
68 additions & 57 deletions
@@ -294,77 +294,88 @@ The preceding example modifies a given `name` value and returns the `NEW` [trigg
294
294
295
295
The following example defines a function using the `SECURITY DEFINER` clause. This causes the function to execute with the privileges of the function owner.
296
296
297
-
Create two roles:
297
+
1.Create two roles:
298
298
299
-
{% include_cached copy-clipboard.html %}
300
-
~~~sql
301
-
CREATE ROLE owner;
302
-
CREATE ROLE invoker;
303
-
~~~
299
+
{% include_cached copy-clipboard.html %}
300
+
~~~sql
301
+
CREATE ROLE owner;
302
+
CREATE ROLE invoker;
303
+
~~~
304
304
305
-
Grant a [`SELECT` privilege]({% link {{ page.version.version }}/grant.md %}#supported-privileges) on the `user_promo_codes` table to the `owner` role.
305
+
1. Grant a [`SELECT` privilege]({% link {{ page.version.version }}/grant.md %}#supported-privileges) on the `user_promo_codes` table to the `owner` role.
306
306
307
-
{% include_cached copy-clipboard.html %}
308
-
~~~sql
309
-
GRANTSELECTON TABLE user_promo_codes TO owner;
310
-
~~~
307
+
{% include_cached copy-clipboard.html %}
308
+
~~~ sql
309
+
GRANTSELECTON TABLE user_promo_codes TO owner;
310
+
~~~
311
311
312
-
Set your role to `owner`.
312
+
1. Set your role to `owner`.
313
313
314
-
{% include_cached copy-clipboard.html %}
315
-
~~~sql
316
-
SET ROLE owner;
317
-
~~~
318
-
319
-
Create a simple `SECURITY DEFINER` function that reads the contents of `user_promo_codes`.
314
+
{% include_cached copy-clipboard.html %}
315
+
~~~ sql
316
+
SET ROLE owner;
317
+
~~~
320
318
321
-
{% include_cached copy-clipboard.html %}
322
-
~~~sql
323
-
CREATE OR REPLACEFUNCTIONget_codes()
324
-
RETURNS SETOF RECORD
325
-
LANGUAGE SQL
326
-
SECURITY DEFINER
327
-
AS $$
328
-
SELECT*FROM user_promo_codes;
329
-
$$;
330
-
~~~
319
+
1. Create a simple `SECURITY DEFINER` function that reads the contents of `user_promo_codes`.
331
320
332
-
Set your role to `invoker`.
321
+
{% include_cached copy-clipboard.html %}
322
+
~~~ sql
323
+
CREATE OR REPLACEFUNCTIONget_codes()
324
+
RETURNS SETOF RECORD
325
+
LANGUAGE SQL
326
+
SECURITY DEFINER
327
+
AS $$
328
+
SELECT*FROM user_promo_codes;
329
+
$$;
330
+
~~~
333
331
334
-
{% include_cached copy-clipboard.html %}
335
-
~~~sql
336
-
SET ROLE invoker;
337
-
~~~
332
+
1. Grant the [`EXECUTE` privilege]({% link {{ page.version.version }}/grant.md %}#supported-privileges) on the `get_codes` function to the `invoker` role.
338
333
339
-
`invoker` does not have the privileges to read the `user_promo_codes` table directly:
334
+
{% include_cached copy-clipboard.html %}
335
+
~~~ sql
336
+
GRANT EXECUTE ON FUNCTION get_codes() TO invoker;
337
+
~~~
340
338
341
-
{% include_cached copy-clipboard.html %}
342
-
~~~sql
343
-
SELECT*FROM user_promo_codes;
344
-
~~~
339
+
{{site.data.alerts.callout_info}}
340
+
This step is not necessary if the function is defined on the `public` schema, for which roles automatically have the `EXECUTE` privilege.
341
+
{{site.data.alerts.end}}
345
342
346
-
~~~
347
-
ERROR: user invoker does not have SELECT privilege on relation user_promo_codes
348
-
SQLSTATE: 42501
349
-
~~~
343
+
1. Set your role to `invoker`.
350
344
351
-
As `invoker`, you can call the `get_codes` function, since `SECURITY DEFINER` is executed with the privileges of the `owner` role:
345
+
{% include_cached copy-clipboard.html %}
346
+
~~~ sql
347
+
SET ROLE invoker;
348
+
~~~
352
349
353
-
{% include_cached copy-clipboard.html %}
354
-
~~~sql
355
-
SELECT get_codes();
356
-
~~~
350
+
1. `invoker` does not have the privileges to read the `user_promo_codes` table directly:
ERROR: user invoker does not have SELECT privilege on relation user_promo_codes
359
+
SQLSTATE: 42501
360
+
~~~
361
+
362
+
1. As`invoker`, call the `get_codes` function to read `user_promo_codes`, since `SECURITY DEFINER` is executed with the privileges of the `owner` role (i.e., `SELECT`on`user_promo_codes`).
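Review bot: The callout added under the `GRANT EXECUTE` step says roles automatically have `EXECUTE` on functions in the `public` schema, but it does not say what that means for a `SECURITY DEFINER` function: if `get_codes()` lives in `public`, every role can run its body with the owner's privileges and so read `user_promo_codes` without holding `SELECT` on the table. Suggest adding a sentence to the callout that states this consequence and advises defining `SECURITY DEFINER` functions in a schema where `EXECUTE` must be granted explicitly when that exposure is not intended.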
src/current/v25.1/create-function.md
68 additions & 57 deletions
@@ -294,77 +294,88 @@ The preceding example modifies a given `name` value and returns the `NEW` [trigg
294
294
295
295
The following example defines a function using the `SECURITY DEFINER` clause. This causes the function to execute with the privileges of the function owner.
296
296
297
-
Create two roles:
297
+
1.Create two roles:
298
298
299
-
{% include_cached copy-clipboard.html %}
300
-
~~~sql
301
-
CREATE ROLE owner;
302
-
CREATE ROLE invoker;
303
-
~~~
299
+
{% include_cached copy-clipboard.html %}
300
+
~~~sql
301
+
CREATE ROLE owner;
302
+
CREATE ROLE invoker;
303
+
~~~
304
304
305
-
Grant a [`SELECT` privilege]({% link {{ page.version.version }}/grant.md %}#supported-privileges) on the `user_promo_codes` table to the `owner` role.
305
+
1. Grant a [`SELECT` privilege]({% link {{ page.version.version }}/grant.md %}#supported-privileges) on the `user_promo_codes` table to the `owner` role.
306
306
307
-
{% include_cached copy-clipboard.html %}
308
-
~~~sql
309
-
GRANTSELECTON TABLE user_promo_codes TO owner;
310
-
~~~
307
+
{% include_cached copy-clipboard.html %}
308
+
~~~ sql
309
+
GRANTSELECTON TABLE user_promo_codes TO owner;
310
+
~~~
311
311
312
-
Set your role to `owner`.
312
+
1. Set your role to `owner`.
313
313
314
-
{% include_cached copy-clipboard.html %}
315
-
~~~sql
316
-
SET ROLE owner;
317
-
~~~
318
-
319
-
Create a simple `SECURITY DEFINER` function that reads the contents of `user_promo_codes`.
314
+
{% include_cached copy-clipboard.html %}
315
+
~~~ sql
316
+
SET ROLE owner;
317
+
~~~
320
318
321
-
{% include_cached copy-clipboard.html %}
322
-
~~~sql
323
-
CREATE OR REPLACEFUNCTIONget_codes()
324
-
RETURNS SETOF RECORD
325
-
LANGUAGE SQL
326
-
SECURITY DEFINER
327
-
AS $$
328
-
SELECT*FROM user_promo_codes;
329
-
$$;
330
-
~~~
319
+
1. Create a simple `SECURITY DEFINER` function that reads the contents of `user_promo_codes`.
331
320
332
-
Set your role to `invoker`.
321
+
{% include_cached copy-clipboard.html %}
322
+
~~~ sql
323
+
CREATE OR REPLACEFUNCTIONget_codes()
324
+
RETURNS SETOF RECORD
325
+
LANGUAGE SQL
326
+
SECURITY DEFINER
327
+
AS $$
328
+
SELECT*FROM user_promo_codes;
329
+
$$;
330
+
~~~
333
331
334
-
{% include_cached copy-clipboard.html %}
335
-
~~~sql
336
-
SET ROLE invoker;
337
-
~~~
332
+
1. Grant the [`EXECUTE` privilege]({% link {{ page.version.version }}/grant.md %}#supported-privileges) on the `get_codes` function to the `invoker` role.
338
333
339
-
`invoker` does not have the privileges to read the `user_promo_codes` table directly:
334
+
{% include_cached copy-clipboard.html %}
335
+
~~~ sql
336
+
GRANT EXECUTE ON FUNCTION get_codes() TO invoker;
337
+
~~~
340
338
341
-
{% include_cached copy-clipboard.html %}
342
-
~~~sql
343
-
SELECT*FROM user_promo_codes;
344
-
~~~
339
+
{{site.data.alerts.callout_info}}
340
+
This step is not necessary if the function is defined on the `public` schema, for which roles automatically have the `EXECUTE` privilege.
341
+
{{site.data.alerts.end}}
345
342
346
-
~~~
347
-
ERROR: user invoker does not have SELECT privilege on relation user_promo_codes
348
-
SQLSTATE: 42501
349
-
~~~
343
+
1. Set your role to `invoker`.
350
344
351
-
As `invoker`, you can call the `get_codes` function, since `SECURITY DEFINER` is executed with the privileges of the `owner` role:
345
+
{% include_cached copy-clipboard.html %}
346
+
~~~ sql
347
+
SET ROLE invoker;
348
+
~~~
352
349
353
-
{% include_cached copy-clipboard.html %}
354
-
~~~sql
355
-
SELECT get_codes();
356
-
~~~
350
+
1. `invoker` does not have the privileges to read the `user_promo_codes` table directly:
ERROR: user invoker does not have SELECT privilege on relation user_promo_codes
359
+
SQLSTATE: 42501
360
+
~~~
361
+
362
+
1. As`invoker`, call the `get_codes` function to read `user_promo_codes`, since `SECURITY DEFINER` is executed with the privileges of the `owner` role (i.e., `SELECT`on`user_promo_codes`).
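Review bot: The `get_codes()` definition in the fourth step has no schema qualifier, while the callout after the new `GRANT EXECUTE ON FUNCTION get_codes() TO invoker;` step says the grant is unnecessary for functions in `public`, so a reader whose function lands in `public` cannot tell whether the grant changed anything. Suggest either creating the function in a named non-`public` schema, so the grant is visibly what lets the final call succeed, or stating in the step that it is shown for the non-`public` case. Minor style point: the first added fence is `~~~sql` while the other added fences use `~~~ sql`.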