From f8a54e936bdf4c31b395a2ab7d7bc98eefa6dbad Mon Sep 17 00:00:00 2001
From: Robert Haas
Date: Fri, 12 Apr 2013 08:55:56 -0400
Subject: sepgsql: Enforce db_procedure:{execute} permission. To do this, we add an additional object access hook type, OAT_FUNCTION_EXECUTE. KaiGai Kohei
---
doc/src/sgml/sepgsql.sgml | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'doc/src')
diff --git a/doc/src/sgml/sepgsql.sgml b/doc/src/sgml/sepgsql.sgml
index 0a2ee86a111..2cdbe9de43b 100644
--- a/doc/src/sgml/sepgsql.sgml
+++ b/doc/src/sgml/sepgsql.sgml
@@ -393,8 +393,11 @@ UPDATE t1 SET x = 2, y = md5sum(y) WHERE z = 100;
- For functions, db_procedure:{execute} is defined, but is not
- checked in this version.
+ For functions, db_procedure:{execute} will be checked when
+ user tries to execute a function as a part of query, or using fast-path
+ invocation. If this function is a trusted procedure, it also checks
+ db_procedure:{entrypoint} permission to check whether it
+ can perform as entrypoint of trusted procedure.
-- cgit v1.2.3