Postgres - How to allow user to change their password

I assume you have an admin account that owns the procedure and you have users that just want to call it.

It would be very dangerous but you can set the procedure to run as the owner.

Look at SECURITY DEFINER:
https://www.postgresql.org/docs/current/sql-createfunction.html

The reason I say it is dangerous is you might be open to SQL injection.  I say "might be" because I don't have an injection off the top of my head.  Just suggesting it might be possible.

Thank you!

  I have added Security Definer to the code. But now, the check to see if the user id parameter value is the same as the login value, is failing.

How to still validate the login user value and current user are the same?

Attaching the modified code.

sp_change_pwd.sql

In your raise notice, display what you are actually comparing and see if you can figure this out on your own?

I like to add literals around my strings to make sure there are no spaces or anything else, so I added ':' before and after the %s.

	  RAISE NOTICE 'I_user_id,V_CURR_USER, :%:, :%:', UPPER(QUOTE_LITERAL(I_user_id)) ,UPPER(V_CURR_USER);

Select allOpen in new window

In the Raise notice, for the current_user, I see the masteraccount which is the super user.

But, the I_user_id is the user's individual id and so, they are not matching.

I think, the current_user is showing the superuser because of the Security Definer.

I wanted to know if there's a way to still do that validation and fail only if the i_user_id value is different from the current_user value.

Thank you, as usual!

No problem.  Always happy to help!