Forum OpenACS Development: Re: Connecting each OpenACS user to the respective PostgreSQL user

Well, I have a database with, for example, 10 different users. Every user is allowed to do something or not. When those users log in to OpenACS, they automatically log in with the same user in PostgreSQL, the one I set when I was installing OpenACS.
For now, I put some "if" in TCL to control what each user can see, but I don't know how secure it is. So what I would like to do is to connect every user of OpenACS to his respective PostgreSQL user. Probably I have to write down some TCL, but I wanted to know if there is something already done. I don't have a wide experience with this CMS.
The system is operating correctly. Read about the OpenACS permissions system which controls access to content objects in the system. Look at the code in some of the supplied packages to see how this is used to restrict access.

The users should not have direct access to the database via PSQL or other non-OpenACS applications; they should access data through the web app. Proper use of the permissions system has provided a very secure mechanism for controlling access to content for over a decade.

Also look at database query examples that use Oracle-like bind variable notation to parameterize queries with data from HTTP requests and other sources. Use of this notation prevents SQL injection attacks right out of the box.
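As an added illustration of the two points in the reply above (this is example code, not posted by either participant), here is a minimal OpenACS page script that checks the permissions system before querying, and shows the string-interpolated query next to the bind-variable form. It assumes the content repository tables cr_items and cr_revisions and a request parameter named item_id; adjust the names for your own package.

```tcl
# Added example (not from the thread): an OpenACS page script in the
# usual www/*.tcl style. Assumes cr_items / cr_revisions and a request
# parameter item_id; the query name get_title is arbitrary.

ad_page_contract {
    Show the title of one content item, restricted by the OpenACS
    permissions system rather than by per-user PostgreSQL roles.
} {
    item_id:naturalnum,notnull
}

# Server-side authorisation. The whole site shares one database role, so
# per-user access control belongs here (object-level privileges granted to
# users and groups), not in ad hoc "if" statements scattered through pages.
# Aborts the request with an error page when the caller lacks "read".
permission::require_permission -object_id $item_id -privilege read

# UNSAFE pattern: Tcl substitutes $item_id into the SQL text, so whatever
# arrives in the request becomes part of the statement. The naturalnum
# filter above happens to block it here, but the pattern is still wrong.
#
# set title [db_string get_title "
#     select r.title from cr_items i, cr_revisions r
#     where  i.item_id = $item_id and r.revision_id = i.live_revision"]

# SAFE pattern: :item_id is a bind variable. The db_ API resolves it from
# the calling scope and hands it to the driver as a typed value, never as
# statement text, so user input cannot change the shape of the query.
set title [db_string get_title {
    select r.title
    from   cr_items i, cr_revisions r
    where  i.item_id     = :item_id
    and    r.revision_id = i.live_revision
} -default ""]
```

The braces around the SQL are deliberate: they stop Tcl from substituting anything, leaving only the driver-side bind to supply the value.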