Abstrct/Schemaverse

Owner user is a bit over-capable


Schemaverse requires (there are several references inside pl/pgsql code) that the "owner" user be called 'schemaverse', and that it be a superuser.

I'd somewhat like for neither to be required.

  • round_control() runs COPY to dump out data to a file, and that mandates SUPERUSER. This is likely not the right way to do this; a psql script could request \COPY with more pedestrian permissions. You'd absolutely not be allowed to run this on a Heroku instance, by the way.
  • round_control() does a bunch of trigger disables, specifying ALL triggers, not just USER triggers. It may suffice to just do USER trigger disabling.

I'm not against these changes at all. It was done for two reasons originally: 1) laziness, and 2) larger attack vector for the Defcon tournaments.
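
The two changes discussed in this thread, sketched as a psql script. This is an added example, not code from the Schemaverse repository; the role, schema, table and file names are hypothetical. It contrasts `DISABLE TRIGGER USER` with `ALL`, and server-side `COPY` with client-side `\copy`, under a non-superuser owner, and assumes the setup lines are run by a role that can create roles and `SET ROLE` to them.

```sql
-- Added example for psql; all object and file names are hypothetical.
-- Setup: a non-superuser owner role and a schema it owns.
CREATE ROLE game_owner NOLOGIN NOSUPERUSER;
CREATE SCHEMA demo AUTHORIZATION game_owner;
SET ROLE game_owner;  -- everything below runs without superuser rights

CREATE TABLE demo.player (id int PRIMARY KEY, name text NOT NULL);
CREATE TABLE demo.ship (
    id        int PRIMARY KEY,
    player_id int NOT NULL REFERENCES demo.player (id),
    fuel      int NOT NULL
);

-- A user-defined trigger of the kind a round reset wants to switch off.
CREATE FUNCTION demo.cap_fuel() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    NEW.fuel := least(NEW.fuel, 100);
    RETURN NEW;
END $$;
CREATE TRIGGER ship_cap_fuel BEFORE INSERT OR UPDATE ON demo.ship
    FOR EACH ROW EXECUTE PROCEDURE demo.cap_fuel();

-- Check what each form touches: rows with tgisinternal = true are the
-- foreign-key enforcement triggers that only DISABLE TRIGGER ALL affects.
SELECT tgname, tgisinternal
FROM pg_trigger
WHERE tgrelid = 'demo.ship'::regclass;

-- Table owner is enough: only ship_cap_fuel is disabled, FK checks stay on.
ALTER TABLE demo.ship DISABLE TRIGGER USER;
INSERT INTO demo.player VALUES (1, 'constructed_player');
INSERT INTO demo.ship VALUES (1, 1, 500);  -- kept as 500 while the trigger is off
ALTER TABLE demo.ship ENABLE TRIGGER USER;

-- Superuser only, and it also switches off FK enforcement; fails for game_owner:
-- ALTER TABLE demo.ship DISABLE TRIGGER ALL;

-- Server-side file output needs superuser or pg_write_server_files; fails here:
-- COPY demo.ship TO '/tmp/ship.csv' WITH (FORMAT csv);

-- Client-side export: psql writes the file itself, SELECT privilege suffices.
\copy demo.ship TO 'ship.csv' WITH (FORMAT csv, HEADER)
RESET ROLE;
```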