Re: Row based permissions: at DB or at Application level?

From: vinny <vinny(at)xs4all(dot)nl>
To: Thomas Güttler <guettliml(at)thomas-guettler(dot)de>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Row based permissions: at DB or at Application level?
Date: 2017-07-25 10:59:02
Message-ID: 243e21bb8560e26829fe2a910ed05a37@xs4all.nl
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

On 2017-07-25 11:40, Thomas Güttler wrote:
> I would like to reduce the "ifing and elsing" in my python code (less
> conditions, less bugs, more SQL, more performance)
>
> Regards,
> Thomas Güttler
>

A quick brainstorm:

You could, probably...
but you'd have to create a separate database user for every Django user,
get Django to connect to the database as that user
and setup policies for each of those users, for every use-case.

When I look at an example policy from the manual:

CREATE POLICY fp_u ON information FOR UPDATE
USING (group_id <= (SELECT group_id FROM users WHERE user_name =
current_user));

I'm not sure if this is any less bug-sensitive than an IF in Python...
And don't forget you have to interpret any error-response from the
database into
something that Django can make understandable to the end-user.

I'm not saying row-level security is bad, far from it, but I doubt that
using it
to replace Django's own security is going to magically make life much
easier.

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Scott Mead 2017-07-25 11:30:49 Re: How to get transaction started always in WRITE mode.
Previous Message Daniel Westermann 2017-07-25 09:56:29 Re: Row based permissions: at DB or at Application level?