From: | Rod Taylor <pg(at)rbt(dot)ca> |
---|---|
To: | "Eugene E(dot)" <sad(at)bankir(dot)ru> |
Cc: | pgsql-sql(at)postgresql(dot)org |
Subject: | Re: Permission to Select |
Date: | 2006-03-13 14:33:12 |
Message-ID: | 1142260392.857.49.camel@home |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-sql |
On Mon, 2006-03-13 at 12:51 +0300, Eugene E. wrote:
> Hi all
> the serious problem with permissions is encountered
>
> NOTE: the following example is really useful but there is no room to
> describe it's use.
>
>
> db=# CREATE USER u;
> db=# CREATE TABLE t (i int, a text);
> db=# REVOKE all ON t FROM u;
> db=# GRANT update,insert,delete ON t TO u;
> db=# \c - u
>
> db=> INSERT INTO t VALUES (1,'x');
> INSERT
> db=> UPDATE t SET a='y' WHERE i=1;
> ERROR: Permission denied for relation t;
> db=> UPDATE t SET a='y';
> UPDATE
>
> 1) The user "u" is permitted but unable to perfom the operation !
> 2) A user is able to update WHOLE table but unable to update ANY part of
> it !
>
Good chance this was on purpose.
BEGIN;
UPDATE compensation SET salary = salary WHERE name = 'Tom' and
salary BETWEEN 50000 and 60000;
-- No rows updated -- that's not Toms salary
rollback;
BEGIN;
UPDATE compensation SET salary = salary WHERE name = 'Tom' and
salary BETWEEN 60000 and 70000;
-- One row updated so I found the range, I need a raise!
rollback;
By allowing the user a where clause you grant them select privileges.
You will find that delete works the same way.
This is one of those times when per column permissions are useful. You
could grant them select access on the "name" column but not the "salary"
column.
--
From | Date | Subject | |
---|---|---|---|
Next Message | Alvaro Herrera | 2006-03-13 14:46:17 | Re: Permission to Select |
Previous Message | Daniel Caune | 2006-03-13 14:21:41 | Re: Ask a PostgreSql question (about select ) |