Re: Ignoring the limited user-rights by using ODBC
- From: Marko Ristola <marko(dot)ristola(at)kolumbus(dot)fi>
- To: Peter Eisentraut <peter_e(at)gmx(dot)net>
- Cc: "Goeke, Tobias" <TGoeke(at)electronicpartner(dot)de>, pgsql-odbc(at)postgresql(dot)org
- Subject: Re: Ignoring the limited user-rights by using ODBC
- Date: Wed, 30 Mar 2005 21:47:43 +0300
- Message-id: <424AF44F.4040703@kolumbus.fi>

I remember from some other databases that
the schema is not for security. It is for application
logic:

If you have marko.branch and users.branch
tables, you can link to both by

    select * from marko.branch
    union
    select * from users.branch

You can revoke rights from the tables with the following commands:

    revoke all on marko.branch from marko;
    revoke all on users.branch from marko;

After these, the "marko" user is not able to read or write into the tables.

You can play with the schema like this with ODBC:

    set search_path to marko,public; -- the new schema is "marko"
    select * from branch; /* points into marko.branch */
    set search_path to users,public;
    select * from branch; /* points into users.branch */

Read or write rights (grant/revoke) for the table and
visibility (naming, search path, namespace, schema) of the table
name are different things.

Marko Ristola

Peter Eisentraut wrote:

> Goeke, Tobias wrote:
>
>> If I connect to the database via ODBC with this user, all schemes are
>> shown. So I am able to select all the tables and views e.g. in Excel,
>> although the user isn't authorized.
>
> It is not possible that the ODBC driver can circumvent privileges that
> would otherwise apply. Please provide a detailed way to reproduce your
> problem.
>
> Note that what the \d commands in psql show does not necessarily define
> the scope of a user's access privileges. It merely shows what might be
> of interest to the user.
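
Added example (not part of the original message or of the psqlODBC project): a PostgreSQL script, to be run with psql as a superuser in a scratch database, that separates the two things discussed above. A role can see both branch tables in the system catalog, which is what an ODBC table browser lists, while a SELECT on the table it holds no grant for is still refused. The role name report_reader is hypothetical; the marko and users schemas and the branch tables follow the message.

```sql
-- Constructed demo objects. report_reader is a hypothetical low-privilege role.
CREATE ROLE report_reader;
CREATE SCHEMA marko;
CREATE SCHEMA users;
CREATE TABLE marko.branch (id int, name text);
CREATE TABLE users.branch (id int, name text);

-- Name resolution: the role may look up names in both schemas.
GRANT USAGE ON SCHEMA marko, users TO report_reader;

-- Privileges: the role may read users.branch only.
GRANT SELECT ON users.branch TO report_reader;
REVOKE ALL ON marko.branch FROM report_reader;

SET ROLE report_reader;

-- Visibility: pg_class is readable by every role, so both tables are listed.
-- The two has_*_privilege columns show what the current role may actually do.
SELECT n.nspname AS schema_name,
       c.relname AS table_name,
       has_schema_privilege(n.oid, 'USAGE') AS schema_usage,
       has_table_privilege(c.oid, 'SELECT') AS can_select
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relname = 'branch' AND c.relkind = 'r'
ORDER BY n.nspname;

-- search_path only decides which table the bare name "branch" refers to.
SET search_path TO users, public;
SELECT * FROM branch;   -- resolves to users.branch, which the role may read

SET search_path TO marko, public;
SELECT * FROM branch;   -- resolves to marko.branch and is rejected: no SELECT grant

-- Audit query for a defender: tables the role can see but cannot read.
SELECT c.oid::regclass AS visible_but_unreadable
FROM pg_class c
WHERE c.relkind = 'r'
  AND c.relnamespace IN ('marko'::regnamespace, 'users'::regnamespace)
  AND NOT has_table_privilege(c.oid, 'SELECT');

-- Clean up the constructed objects.
RESET ROLE;
RESET search_path;
DROP SCHEMA marko, users CASCADE;
DROP ROLE report_reader;
```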