Bruce Momjian <bruce@momjian.us> writes:
> I think we have to keep the non-SECURITY-DEFINER designation to keep the
> text accurate, but you are right it is part of the function, not the
> trigger:
> Execute deferred constraint triggers attached to
> non-SECURITY-DEFINER functions as the role that was active at
> the time the trigger was fired
> Previously such triggers were run as the role that was active at
> commit/execution time.
> As you can see, this is going to be hard to read, and I don't know if a
> sufficient number of people will care.
It's still inaccurate -- to my mind, a "deferred" trigger is one that
runs later than the end of the triggering statement. I think you
should use "after trigger". Also, "fired" is a fairly confusing
choice of word here; I think most people would take that as meaning
the act of running the trigger. How about
Execute AFTER triggers as the role that was active at the
moment the trigger event was queued
Previously such triggers were run as the role that is active
when it is time to execute the trigger (e.g., at COMMIT).
I concur that this needs to be called out as an incompatibility.
regards, tom lane
