| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Travis Bauer <trbauer(at)indiana(dot)edu> |
| Cc: | Martijn van Oosterhout <kleptog(at)cupid(dot)suninternet(dot)com>, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: view permissions problem - featuer or bug? |
| Date: | 2000-07-09 00:34:18 |
| Message-ID: | 25972.963102858@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Travis Bauer <trbauer(at)indiana(dot)edu> writes:
> That part works okay, but here is a more complicated situation that
> doesn't:
> create user user1;
> create table t1 (x int, y int);
> create table t2 (a int, y int);
> create view v1 as select * from t1 where x in (select a from t2);
> ------------------
> create view v2 as select * from v1 where x>3;
> revoke all on t1 from public;
> revoke all on t2 from public;
> revoke all on v1 from public;
> revoke all on v2 from public;
> grant select on v2 to user1;
> \c - user1
> select * from v2;
> ====> v1: Permission denied.
> The problem occurs because of the nested select underlined above.
I agree, this is a bug. The rewriter checks access permissions on the
basis of the rule's creator, not of the rule's invoker --- but it only
does so at the top level of the rule query. It forgets to recurse into
subqueries :-(. Fairly easy fix, will work on it for 7.1.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Sean | 2000-07-09 05:34:18 | Re: Where are the databases kept? |
| Previous Message | Yves Dorfsman | 2000-07-08 23:47:22 | disabling transactions |