is_claims_admin incorrectly false in functions with SECURITY DEFINER set
kav opened this issue · 1 comments
kav commented
Create a function as follows:
```sql
CREATE OR REPLACE FUNCTION public.security_definer() RETURNS bool AS $$
BEGIN
  RETURN is_claims_admin();
END
$$ LANGUAGE plpgsql SECURITY DEFINER;
```
Calling this function ignores `SECURITY DEFINER` and reports false for calls originating from JavaScript users without claims admin. This is problematic when a change from JavaScript triggers functions that should use DEFINER permissions.
kav commented
Looking more closely, this is going to be more complex as `set_claims` runs as definer...
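An added example, not code from this issue or from the project: a probe showing which identity inputs PostgreSQL changes inside a `SECURITY DEFINER` function and which it leaves as the caller's. It assumes the admin check depends on per-request state such as a `request.jwt.claims` setting, which this page does not confirm; `demo_whoami`, the `authenticated` role and the claims JSON are constructed for the demo.

```sql
-- Hypothetical probe function (not part of the project).
-- Pinning search_path is standard hardening for SECURITY DEFINER functions.
CREATE OR REPLACE FUNCTION public.demo_whoami()
RETURNS TABLE (effective_user name, login_user name, jwt_claims text) AS $$
BEGIN
  RETURN QUERY
  SELECT current_user,                                  -- switches to the function owner
         session_user,                                  -- stays the connecting role
         current_setting('request.jwt.claims', true);   -- stays whatever the caller's request set
END
$$ LANGUAGE plpgsql SECURITY DEFINER SET search_path = '';

BEGIN;
-- Simulate an unprivileged API caller (role name assumed to exist).
SET LOCAL ROLE authenticated;
-- Constructed claims with no admin flag, scoped to this transaction.
SELECT set_config(
  'request.jwt.claims',
  '{"role":"authenticated","app_metadata":{}}',
  true
);

-- Outside the function: current_user is the caller.
SELECT current_user AS caller_role;

-- Inside the function: only effective_user changes to the owner.
-- login_user and jwt_claims are identical to the caller's, so any check
-- built on them returns the same answer with or without SECURITY DEFINER.
SELECT * FROM public.demo_whoami();
ROLLBACK;

DROP FUNCTION public.demo_whoami();
```

A check that must honor definer rights has to consult `current_user` or a role membership rather than request-scoped settings alone.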