10 files changed, 172 insertions, 90 deletions

diff --git a/src/backend/access/transam/xact.c b/src/backend/access/transam/xact.c
index f5a73caddba..d2ec35a7bae 100644
--- a/src/backend/access/transam/xact.c
+++ b/src/backend/access/transam/xact.c
@@ -10,7 +10,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/access/transam/xact.c,v 1.195.4.3 2007/05/30 21:02:02 tgl Exp $
+ *	  $PostgreSQL: pgsql/src/backend/access/transam/xact.c,v 1.195.4.4 2008/01/03 21:25:00 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -117,7 +117,8 @@ typedef struct TransactionStateData
 												 * context */
 	ResourceOwner curTransactionOwner;	/* my query resources */
 	List	   *childXids;		/* subcommitted child XIDs */
-	AclId		currentUser;	/* subxact start current_user */
+	AclId		prevUser;		/* previous CurrentUserId setting */
+	bool		prevSecDefCxt;	/* previous SecurityDefinerContext setting */
 	bool		prevXactReadOnly;		/* entry-time xact r/o state */
 	struct TransactionStateData *parent;		/* back link to parent */
 } TransactionStateData;
@@ -149,7 +150,8 @@ static TransactionStateData TopTransactionStateData = {
 	NULL,						/* cur transaction context */
 	NULL,						/* cur transaction resource owner */
 	NIL,						/* subcommitted child Xids */
-	0,							/* entry-time current userid */
+	0,							/* previous CurrentUserId setting */
+	false,						/* previous SecurityDefinerContext setting */
 	false,						/* entry-time xact r/o state */
 	NULL						/* link to parent state block */
 };
@@ -1390,18 +1392,14 @@ StartTransaction(void)
 
 	/*
 	 * initialize current transaction state fields
+	 *
+	 * note: prevXactReadOnly is not used at the outermost level
 	 */
 	s->nestingLevel = 1;
 	s->childXids = NIL;
-
-	/*
-	 * You might expect to see "s->currentUser = GetUserId();" here, but
-	 * you won't because it doesn't work during startup; the userid isn't
-	 * set yet during a backend's first transaction start.  We only use
-	 * the currentUser field in sub-transaction state structs.
-	 *
-	 * prevXactReadOnly is also valid only in sub-transactions.
-	 */
+	GetUserIdAndContext(&s->prevUser, &s->prevSecDefCxt);
+	/* SecurityDefinerContext should never be set outside a transaction */
+	Assert(!s->prevSecDefCxt);
 
 	/*
 	 * initialize other subsystems for new transaction
@@ -1652,17 +1650,16 @@ AbortTransaction(void)
 	AtAbort_ResourceOwner();
 
 	/*
-	 * Reset user id which might have been changed transiently.  We cannot
-	 * use s->currentUser, but must get the session userid from
-	 * miscinit.c.
+	 * Reset user ID which might have been changed transiently.  We need this
+	 * to clean up in case control escaped out of a SECURITY DEFINER function
+	 * or other local change of CurrentUserId; therefore, the prior value
+	 * of SecurityDefinerContext also needs to be restored.
 	 *
-	 * (Note: it is not necessary to restore session authorization here
-	 * because that can only be changed via GUC, and GUC will take care of
-	 * rolling it back if need be.	However, an error within a SECURITY
-	 * DEFINER function could send control here with the wrong current
-	 * userid.)
+	 * (Note: it is not necessary to restore session authorization
+	 * setting here because that can only be changed via GUC, and GUC will
+	 * take care of rolling it back if need be.)
 	 */
-	SetUserId(GetSessionUserId());
+	SetUserIdAndContext(s->prevUser, s->prevSecDefCxt);
 
 	/*
 	 * do abort processing
@@ -3395,6 +3392,12 @@ AbortSubTransaction(void)
 	AtSubAbort_ResourceOwner();
 
 	/*
+	 * Reset user ID which might have been changed transiently.  (See notes
+	 * in AbortTransaction.)
+	 */
+	SetUserIdAndContext(s->prevUser, s->prevSecDefCxt);
+
+	/*
 	 * We can skip all this stuff if the subxact failed before creating
 	 * a ResourceOwner...
 	 */
@@ -3447,22 +3450,6 @@ AbortSubTransaction(void)
 	}
 
 	/*
-	 * Reset user id which might have been changed transiently.  Here we
-	 * want to restore to the userid that was current at subxact entry.
-	 * (As in AbortTransaction, we need not worry about the session
-	 * userid.)
-	 *
-	 * Must do this after AtEOXact_GUC to handle the case where we entered
-	 * the subxact inside a SECURITY DEFINER function (hence current and
-	 * session userids were different) and then session auth was changed
-	 * inside the subxact.	GUC will reset both current and session
-	 * userids to the entry-time session userid.  This is right in every
-	 * other scenario so it seems simplest to let GUC do that and fix it
-	 * here.
-	 */
-	SetUserId(s->currentUser);
-
-	/*
 	 * Restore the upper transaction's read-only state, too.  This should
 	 * be redundant with GUC's cleanup but we may as well do it for
 	 * consistency with the commit case.
@@ -3516,13 +3503,6 @@ PushTransaction(void)
 {
 	TransactionState p = CurrentTransactionState;
 	TransactionState s;
-	AclId	currentUser;
-
-	/*
-	 * At present, GetUserId cannot fail, but let's not assume that.  Get
-	 * the ID before entering the critical code sequence.
-	 */
-	currentUser = GetUserId();
 
 	/*
 	 * We keep subtransaction state nodes in TopTransactionContext.
@@ -3553,7 +3533,7 @@ PushTransaction(void)
 	s->savepointLevel = p->savepointLevel;
 	s->state = TRANS_DEFAULT;
 	s->blockState = TBLOCK_SUBBEGIN;
-	s->currentUser = currentUser;
+	GetUserIdAndContext(&s->prevUser, &s->prevSecDefCxt);
 	s->prevXactReadOnly = XactReadOnly;
 
 	CurrentTransactionState = s;
diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c
index 45c14da8e21..1e9b6367924 100644
--- a/src/backend/catalog/index.c
+++ b/src/backend/catalog/index.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/catalog/index.c,v 1.244.4.2 2007/11/08 23:23:14 tgl Exp $
+ *	  $PostgreSQL: pgsql/src/backend/catalog/index.c,v 1.244.4.3 2008/01/03 21:25:00 tgl Exp $
  *
  *
  * INTERFACE ROUTINES
@@ -1323,6 +1323,8 @@ index_build(Relation heapRelation,
 			IndexInfo *indexInfo)
 {
 	RegProcedure procedure;
+	AclId		save_userid;
+	bool		save_secdefcxt;
 
 	/*
 	 * sanity checks
@@ -1334,12 +1336,22 @@ index_build(Relation heapRelation,
 	Assert(RegProcedureIsValid(procedure));
 
 	/*
+	 * Switch to the table owner's userid, so that any index functions are
+	 * run as that user.
+	 */
+	GetUserIdAndContext(&save_userid, &save_secdefcxt);
+	SetUserIdAndContext(heapRelation->rd_rel->relowner, true);
+
+	/*
 	 * Call the access method's build procedure
 	 */
 	OidFunctionCall3(procedure,
 					 PointerGetDatum(heapRelation),
 					 PointerGetDatum(indexRelation),
 					 PointerGetDatum(indexInfo));
+
+	/* Restore userid */
+	SetUserIdAndContext(save_userid, save_secdefcxt);
 }
 
 
diff --git a/src/backend/commands/analyze.c b/src/backend/commands/analyze.c
index e188f7297d5..91a0cc05b35 100644
--- a/src/backend/commands/analyze.c
+++ b/src/backend/commands/analyze.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/commands/analyze.c,v 1.80 2004/12/31 21:59:41 pgsql Exp $
+ *	  $PostgreSQL: pgsql/src/backend/commands/analyze.c,v 1.80.4.1 2008/01/03 21:25:00 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -110,6 +110,8 @@ analyze_rel(Oid relid, VacuumStmt *vacstmt)
 				numrows;
 	double		totalrows;
 	HeapTuple  *rows;
+	AclId		save_userid;
+	bool		save_secdefcxt;
 
 	if (vacstmt->verbose)
 		elevel = INFO;
@@ -200,6 +202,13 @@ analyze_rel(Oid relid, VacuumStmt *vacstmt)
 					RelationGetRelationName(onerel))));
 
 	/*
+	 * Switch to the table owner's userid, so that any index functions are
+	 * run as that user.
+	 */
+	GetUserIdAndContext(&save_userid, &save_secdefcxt);
+	SetUserIdAndContext(onerel->rd_rel->relowner, true);
+
+	/*
 	 * Determine which columns to analyze
 	 *
 	 * Note that system attributes are never analyzed.
@@ -309,11 +318,7 @@ analyze_rel(Oid relid, VacuumStmt *vacstmt)
 	 * Quit if no analyzable columns
 	 */
 	if (attr_cnt <= 0 && !analyzableindex)
-	{
-		vac_close_indexes(nindexes, Irel, AccessShareLock);
-		relation_close(onerel, AccessShareLock);
-		return;
-	}
+		goto cleanup;
 
 	/*
 	 * Determine how many rows we need to sample, using the worst case
@@ -426,6 +431,9 @@ analyze_rel(Oid relid, VacuumStmt *vacstmt)
 		}
 	}
 
+	/* We skip to here if there were no analyzable columns */
+cleanup:
+
 	/* Done with indexes */
 	vac_close_indexes(nindexes, Irel, NoLock);
 
@@ -435,6 +443,9 @@ analyze_rel(Oid relid, VacuumStmt *vacstmt)
 	 * entries we made in pg_statistic.)
 	 */
 	relation_close(onerel, NoLock);
+
+	/* Restore userid */
+	SetUserIdAndContext(save_userid, save_secdefcxt);
 }
 
 /*
diff --git a/src/backend/commands/schemacmds.c b/src/backend/commands/schemacmds.c
index 575061cd361..49e931013a5 100644
--- a/src/backend/commands/schemacmds.c
+++ b/src/backend/commands/schemacmds.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/commands/schemacmds.c,v 1.27 2004/12/31 21:59:41 pgsql Exp $
+ *	  $PostgreSQL: pgsql/src/backend/commands/schemacmds.c,v 1.27.4.1 2008/01/03 21:25:00 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -46,9 +46,10 @@ CreateSchemaCommand(CreateSchemaStmt *stmt)
 	const char *owner_name;
 	AclId		owner_userid;
 	AclId		saved_userid;
+	bool		saved_secdefcxt;
 	AclResult	aclresult;
 
-	saved_userid = GetUserId();
+	GetUserIdAndContext(&saved_userid, &saved_secdefcxt);
 
 	/*
 	 * Figure out user identities.
@@ -71,7 +72,7 @@ CreateSchemaCommand(CreateSchemaStmt *stmt)
 		 * (This will revert to session user on error or at the end of
 		 * this routine.)
 		 */
-		SetUserId(owner_userid);
+		SetUserIdAndContext(owner_userid, true);
 	}
 	else
 	{
@@ -151,7 +152,7 @@ CreateSchemaCommand(CreateSchemaStmt *stmt)
 	PopSpecialNamespace(namespaceId);
 
 	/* Reset current user */
-	SetUserId(saved_userid);
+	SetUserIdAndContext(saved_userid, saved_secdefcxt);
 }
 
 
diff --git a/src/backend/commands/vacuum.c b/src/backend/commands/vacuum.c
index cd81adb172a..273c79a2fab 100644
--- a/src/backend/commands/vacuum.c
+++ b/src/backend/commands/vacuum.c
@@ -13,7 +13,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/commands/vacuum.c,v 1.299.4.2 2007/03/14 18:49:18 tgl Exp $
+ *	  $PostgreSQL: pgsql/src/backend/commands/vacuum.c,v 1.299.4.3 2008/01/03 21:25:00 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -883,6 +883,8 @@ vacuum_rel(Oid relid, VacuumStmt *vacstmt, char expected_relkind)
 	LockRelId	onerelid;
 	Oid			toast_relid;
 	bool		result;
+	AclId		save_userid;
+	bool		save_secdefcxt;
 
 	/* Begin a transaction for vacuuming this relation */
 	StartTransactionCommand();
@@ -998,6 +1000,14 @@ vacuum_rel(Oid relid, VacuumStmt *vacstmt, char expected_relkind)
 	toast_relid = onerel->rd_rel->reltoastrelid;
 
 	/*
+	 * Switch to the table owner's userid, so that any index functions are
+	 * run as that user.  (This is unnecessary, but harmless, for lazy
+	 * VACUUM.)
+	 */
+	GetUserIdAndContext(&save_userid, &save_secdefcxt);
+	SetUserIdAndContext(onerel->rd_rel->relowner, true);
+
+	/*
 	 * Do the actual work --- either FULL or "lazy" vacuum
 	 */
 	if (vacstmt->full)
@@ -1007,6 +1017,9 @@ vacuum_rel(Oid relid, VacuumStmt *vacstmt, char expected_relkind)
 
 	result = true;				/* did the vacuum */
 
+	/* Restore userid */
+	SetUserIdAndContext(save_userid, save_secdefcxt);
+
 	/* all done with this class, but hold lock until commit */
 	relation_close(onerel, NoLock);
 
diff --git a/src/backend/commands/variable.c b/src/backend/commands/variable.c
index b1d970b9ab0..2639a033f38 100644
--- a/src/backend/commands/variable.c
+++ b/src/backend/commands/variable.c
@@ -9,7 +9,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/commands/variable.c,v 1.105.4.3 2006/02/12 22:33:14 tgl Exp $
+ *	  $PostgreSQL: pgsql/src/backend/commands/variable.c,v 1.105.4.4 2008/01/03 21:25:00 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -656,6 +656,22 @@ assign_session_authorization(const char *value, bool doit, GucSource source)
 		/* not a saved ID, so look it up */
 		HeapTuple	userTup;
 
+		if (InSecurityDefinerContext())
+		{
+			/*
+			 * Disallow SET SESSION AUTHORIZATION inside a security definer
+			 * context.  We need to do this because when we exit the context,
+			 * GUC won't be notified, leaving things out of sync.  Note that
+			 * this test is positioned so that restoring a previously saved
+			 * setting isn't prevented.
+			 */
+			if (source >= PGC_S_INTERACTIVE)
+				ereport(ERROR,
+						(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+						 errmsg("cannot set session authorization within security-definer function")));
+			return NULL;
+		}
+
 		if (!IsTransactionState())
 		{
 			/*
diff --git a/src/backend/utils/adt/ri_triggers.c b/src/backend/utils/adt/ri_triggers.c
index 2577cdcd9b6..32925146f92 100644
--- a/src/backend/utils/adt/ri_triggers.c
+++ b/src/backend/utils/adt/ri_triggers.c
@@ -17,7 +17,7 @@
  *
  * Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
  *
- * $PostgreSQL: pgsql/src/backend/utils/adt/ri_triggers.c,v 1.76.4.2 2007/08/15 19:16:12 tgl Exp $
+ * $PostgreSQL: pgsql/src/backend/utils/adt/ri_triggers.c,v 1.76.4.3 2008/01/03 21:25:00 tgl Exp $
  *
  * ----------
  */
@@ -3000,7 +3000,8 @@ ri_PlanCheck(const char *querystr, int nargs, Oid *argtypes,
 {
 	void	   *qplan;
 	Relation	query_rel;
-	AclId		save_uid;
+	AclId		save_userid;
+	bool		save_secdefcxt;
 
 	/*
 	 * The query is always run against the FK table except when this is an
@@ -3014,8 +3015,8 @@ ri_PlanCheck(const char *querystr, int nargs, Oid *argtypes,
 		query_rel = fk_rel;
 
 	/* Switch to proper UID to perform check as */
-	save_uid = GetUserId();
-	SetUserId(RelationGetForm(query_rel)->relowner);
+	GetUserIdAndContext(&save_userid, &save_secdefcxt);
+	SetUserIdAndContext(RelationGetForm(query_rel)->relowner, true);
 
 	/* Create the plan */
 	qplan = SPI_prepare(querystr, nargs, argtypes);
@@ -3024,7 +3025,7 @@ ri_PlanCheck(const char *querystr, int nargs, Oid *argtypes,
 		elog(ERROR, "SPI_prepare returned %d for %s", SPI_result, querystr);
 
 	/* Restore UID */
-	SetUserId(save_uid);
+	SetUserIdAndContext(save_userid, save_secdefcxt);
 
 	/* Save the plan if requested */
 	if (cache_plan)
@@ -3053,7 +3054,8 @@ ri_PerformCheck(RI_QueryKey *qkey, void *qplan,
 	Snapshot	crosscheck_snapshot;
 	int			limit;
 	int			spi_result;
-	AclId		save_uid;
+	AclId		save_userid;
+	bool		save_secdefcxt;
 	Datum		vals[RI_MAX_NUMKEYS * 2];
 	char		nulls[RI_MAX_NUMKEYS * 2];
 
@@ -3132,8 +3134,8 @@ ri_PerformCheck(RI_QueryKey *qkey, void *qplan,
 	limit = (expect_OK == SPI_OK_SELECT) ? 1 : 0;
 
 	/* Switch to proper UID to perform check as */
-	save_uid = GetUserId();
-	SetUserId(RelationGetForm(query_rel)->relowner);
+	GetUserIdAndContext(&save_userid, &save_secdefcxt);
+	SetUserIdAndContext(RelationGetForm(query_rel)->relowner, true);
 
 	/* Finally we can run the query. */
 	spi_result = SPI_execute_snapshot(qplan,
@@ -3142,7 +3144,7 @@ ri_PerformCheck(RI_QueryKey *qkey, void *qplan,
 									  false, false, limit);
 
 	/* Restore UID */
-	SetUserId(save_uid);
+	SetUserIdAndContext(save_userid, save_secdefcxt);
 
 	/* Check result */
 	if (spi_result < 0)
diff --git a/src/backend/utils/fmgr/fmgr.c b/src/backend/utils/fmgr/fmgr.c
index 086daede324..bd8a59a0a5c 100644
--- a/src/backend/utils/fmgr/fmgr.c
+++ b/src/backend/utils/fmgr/fmgr.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/utils/fmgr/fmgr.c,v 1.88.4.2 2007/07/31 15:50:07 tgl Exp $
+ *	  $PostgreSQL: pgsql/src/backend/utils/fmgr/fmgr.c,v 1.88.4.3 2008/01/03 21:25:00 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -791,6 +791,7 @@ fmgr_security_definer(PG_FUNCTION_ARGS)
 	FmgrInfo   *save_flinfo;
 	struct fmgr_security_definer_cache * volatile fcache;
 	AclId		save_userid;
+	bool		save_secdefcxt;
 	HeapTuple	tuple;
 
 	if (!fcinfo->flinfo->fn_extra)
@@ -816,26 +817,32 @@ fmgr_security_definer(PG_FUNCTION_ARGS)
 	else
 		fcache = fcinfo->flinfo->fn_extra;
 
+	GetUserIdAndContext(&save_userid, &save_secdefcxt);
+	SetUserIdAndContext(fcache->userid, true);
+
+	/*
+	 * We don't need to restore the userid settings on error, because the
+	 * ensuing xact or subxact abort will do that.  The PG_TRY block is only
+	 * needed to clean up the flinfo link.
+	 */
 	save_flinfo = fcinfo->flinfo;
-	save_userid = GetUserId();
 
 	PG_TRY();
 	{
 		fcinfo->flinfo = &fcache->flinfo;
-		SetUserId(fcache->userid);
 
 		result = FunctionCallInvoke(fcinfo);
 	}
 	PG_CATCH();
 	{
 		fcinfo->flinfo = save_flinfo;
-		SetUserId(save_userid);
 		PG_RE_THROW();
 	}
 	PG_END_TRY();
 
 	fcinfo->flinfo = save_flinfo;
-	SetUserId(save_userid);
+
+	SetUserIdAndContext(save_userid, save_secdefcxt);
 
 	return result;
 }
diff --git a/src/backend/utils/init/miscinit.c b/src/backend/utils/init/miscinit.c
index 157dc6d3ab8..4db647b9ff9 100644
--- a/src/backend/utils/init/miscinit.c
+++ b/src/backend/utils/init/miscinit.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/utils/init/miscinit.c,v 1.137.4.1 2005/03/18 03:49:19 tgl Exp $
+ *	  $PostgreSQL: pgsql/src/backend/utils/init/miscinit.c,v 1.137.4.2 2008/01/03 21:25:00 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -260,6 +260,9 @@ make_absolute_path(const char *path)
  * are implemented.  Conceptually there is a stack, whose bottom
  * is the session user.  You are yourself responsible to save and
  * restore the current user id if you need to change it.
+ *
+ * SecurityDefinerContext is TRUE if we are within a SECURITY DEFINER function
+ * or another context that temporarily changes CurrentUserId.
  * ----------------------------------------------------------------
  */
 static AclId AuthenticatedUserId = 0;
@@ -268,8 +271,13 @@ static AclId CurrentUserId = 0;
 
 static bool AuthenticatedUserIsSuperuser = false;
 
+static bool SecurityDefinerContext = false;
+
+
 /*
- * This function is relevant for all privilege checks.
+ * GetUserId - get the current effective user ID.
+ *
+ * Note: there's no SetUserId() anymore; use SetUserIdAndContext().
  */
 AclId
 GetUserId(void)
@@ -279,14 +287,6 @@ GetUserId(void)
 }
 
 
-void
-SetUserId(AclId newid)
-{
-	AssertArg(AclIdIsValid(newid));
-	CurrentUserId = newid;
-}
-
-
 /*
  * This value is only relevant for informational purposes.
  */
@@ -298,17 +298,57 @@ GetSessionUserId(void)
 }
 
 
-void
+static void
 SetSessionUserId(AclId newid)
 {
+	AssertState(!SecurityDefinerContext);
 	AssertArg(AclIdIsValid(newid));
 	SessionUserId = newid;
-	/* Current user defaults to session user. */
-	if (!AclIdIsValid(CurrentUserId))
-		CurrentUserId = newid;
+	CurrentUserId = newid;
 }
 
 
+/*
+ * GetUserIdAndContext/SetUserIdAndContext - get/set the current user ID
+ * and the SecurityDefinerContext flag.
+ *
+ * Unlike GetUserId, GetUserIdAndContext does *not* Assert that the current
+ * value of CurrentUserId is valid; nor does SetUserIdAndContext require
+ * the new value to be valid.  In fact, these routines had better not
+ * ever throw any kind of error.  This is because they are used by
+ * StartTransaction and AbortTransaction to save/restore the settings,
+ * and during the first transaction within a backend, the value to be saved
+ * and perhaps restored is indeed invalid.  We have to be able to get
+ * through AbortTransaction without asserting in case InitPostgres fails.
+ */
+void
+GetUserIdAndContext(AclId *userid, bool *sec_def_context)
+{
+	*userid = CurrentUserId;
+	*sec_def_context = SecurityDefinerContext;
+}
+
+void
+SetUserIdAndContext(AclId userid, bool sec_def_context)
+{
+	CurrentUserId = userid;
+	SecurityDefinerContext = sec_def_context;
+}
+
+
+/*
+ * InSecurityDefinerContext - are we inside a SECURITY DEFINER context?
+ */
+bool
+InSecurityDefinerContext(void)
+{
+	return SecurityDefinerContext;
+}
+
+
+/*
+ * Initialize user identity during normal backend startup
+ */
 void
 InitializeSessionUserId(const char *username)
 {
@@ -403,7 +443,6 @@ SetSessionAuthorization(AclId userid, bool is_superuser)
 			  errmsg("permission denied to set session authorization")));
 
 	SetSessionUserId(userid);
-	SetUserId(userid);
 
 	SetConfigOption("is_superuser",
 					is_superuser ? "on" : "off",
diff --git a/src/include/miscadmin.h b/src/include/miscadmin.h
index e5333977c09..bdf8aaa0b11 100644
--- a/src/include/miscadmin.h
+++ b/src/include/miscadmin.h
@@ -13,7 +13,7 @@
  * Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
  * Portions Copyright (c) 1994, Regents of the University of California
  *
- * $PostgreSQL: pgsql/src/include/miscadmin.h,v 1.174 2004/12/31 22:03:19 pgsql Exp $
+ * $PostgreSQL: pgsql/src/include/miscadmin.h,v 1.174.4.1 2008/01/03 21:25:00 tgl Exp $
  *
  * NOTES
  *	  some of the information in this file should be moved to other files.
@@ -233,9 +233,10 @@ extern void SetDatabasePath(const char *path);
 
 extern char *GetUserNameFromId(AclId userid);
 extern AclId GetUserId(void);
-extern void SetUserId(AclId userid);
 extern AclId GetSessionUserId(void);
-extern void SetSessionUserId(AclId userid);
+extern void GetUserIdAndContext(AclId *userid, bool *sec_def_context);
+extern void SetUserIdAndContext(AclId userid, bool sec_def_context);
+extern bool InSecurityDefinerContext(void);
 extern void InitializeSessionUserId(const char *username);
 extern void InitializeSessionUserIdStandalone(void);
 extern void SetSessionAuthorization(AclId userid, bool is_superuser);