Dear SMF team,
Until today, I used SMF 2.0.19 and the used database on the server had allowed flags: ALTER, DELETE, INDEX, SELECT, INSERT, and UPDATE. After I tried updating to SMF 2.1.0 I found out that I needed to allow also CREATE and DROP (on another page I found also that I needed CREATE_TEMPORARY_TABLES, but this was not critically necessary on this occasion).
My question now is: do I need to keep allowed flags CREATE, DROP, and CREATE_TEMPORARY_TABLES, are they completely safe, or should I deactivate them?
CREATE_TEMPORARY_TABLES should be enabled (several pages actually use it for performance), and you should assume that CREATE TABLE and DROP TABLE will be needed for any add-on installations/removals.
I have yet to see a setup of SMF in 16 years where having these permissions was a problem - all the queries to the database are protected by SMF's own security measures to prevent queries being abused in a bad way.
There are situations where those might be needed, but for daily functionality they aren't necessary I believe.
As for safety, if you have SMF in it's on DB, and the DB with it's own dedicated user - I don't think this makes much difference really.
EDIT: Arantor was faster, again.
Thank you! Marking as solved.
Edit: Yes, indeed, I have a dedicated database and user for SMF.