Re: Do update permissions require select permissions

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: christopher-piker(at)uiowa(dot)edu (Chris Piker)
Cc: pgsql-sql(at)postgresql(dot)org
Subject: Re: Do update permissions require select permissions
Date: 2003-11-28 22:13:38
Message-ID: 1644.1070057618@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-sql

christopher-piker(at)uiowa(dot)edu (Chris Piker) writes:
> Now as some other user one can do:
> update data set stuff = 'other stuff';
> And it works okay. But the following fails:
> update data set stuff = 'yet other stuff' where id = 1;
> Why is this?

Because the latter requires reading, not only writing, the table.

One way to look at it is that if we didn't restrict that, then a person
having only UPDATE rights could nonetheless extract information from the
table. For example consider

update data set stuff = stuff where id = 42;

This allows the user to determine whether id 42 exists in the table
(by noting the returned UPDATE count). If you had not given that user
SELECT rights, presumably you don't really want him to be able to find
that out.

regards, tom lane

In response to

Browse pgsql-sql by date

  From Date Subject
Next Message Tomasz Myrta 2003-11-28 23:05:14 Re: explicit joins wrong planning
Previous Message Tom Lane 2003-11-28 21:57:18 Re: explicit joins wrong planning