From: | Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at> |
---|---|
To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
Cc: | Dean Rasheed <dean(dot)a(dot)rasheed(at)gmail(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, Jeff Davis <pgsql(at)j-davis(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)lists(dot)postgresql(dot)org |
Subject: | Re: Bug: RLS policy FOR SELECT is used to check new rows |
Date: | 2023-11-13 19:31:16 |
Message-ID: | 3e262d57feca27db919f2a9b1cc88fdc05c1c7a4.camel@cybertec.at |
Lists: | pgsql-hackers |

On Mon, 2023-11-13 at 12:57 -0500, Robert Haas wrote:
> On Fri, Nov 10, 2023 at 7:43 AM Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at> wrote:
> > So, from my perspective, we should never have let FOR SELECT policies
> > mess with an UPDATE. But I am too late for that; such a change would
> > be way too invasive now. So I'd like to introduce a "back door" by
> > creating a FOR SELECT policy with WITH CHECK (TRUE).
>
> In principle I see no problem with some kind of back door here, but
> that seems like it might not be the right way to do it. I don't think
> we want constant true to behave arbitrarily differently than any other
> expression. Maybe that's not what you had in mind and I'm just not
> seeing the full picture, though.

I experimented some more, and I think I see my mistake now.

Currently, the USING clause of FOR SELECT/ALL/UPDATE policies is
an *additional* restriction to the WITH CHECK clause.

So my suggestion of using the WITH CHECK clause *instead of*
the USING clause in FOR SELECT policies would be unprincipled.

Sorry for the noise.

Yours,
Laurenz Albe
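
Added illustration, not part of the message above and not code from the thread: a PostgreSQL session showing the behaviour under discussion, where a FOR SELECT policy's USING expression is applied to the new row of an UPDATE in addition to the UPDATE policy's WITH CHECK. The table `doc`, the role `rls_demo_user` and the policy names are constructed for this example.

```sql
-- Constructed demo objects; run as a superuser or the table owner.
CREATE ROLE rls_demo_user;                      -- hypothetical unprivileged role
CREATE TABLE doc (
    id      int PRIMARY KEY,
    deleted boolean NOT NULL DEFAULT false      -- soft-delete flag
);
INSERT INTO doc VALUES (1, false);

ALTER TABLE doc ENABLE ROW LEVEL SECURITY;
GRANT SELECT, UPDATE ON doc TO rls_demo_user;

-- Readers may only see rows that are not soft-deleted.
CREATE POLICY doc_sel ON doc
    FOR SELECT TO rls_demo_user
    USING (NOT deleted);

-- Writers may update any row, and any resulting row is acceptable
-- as far as this policy is concerned.
CREATE POLICY doc_upd ON doc
    FOR UPDATE TO rls_demo_user
    USING (true)
    WITH CHECK (true);

-- The table owner bypasses RLS unless FORCE ROW LEVEL SECURITY is set,
-- so switch to the unprivileged role for the test.
SET ROLE rls_demo_user;

-- Accepted: the WHERE clause reads the table, so doc_sel is applied to
-- the old and the new row, and both satisfy NOT deleted.
UPDATE doc SET id = 2 WHERE id = 1;

-- Rejected with a row-level security violation on the new row:
-- doc_upd's WITH CHECK (true) passes, but the new row has deleted = true
-- and fails doc_sel's USING expression, which is checked in addition.
UPDATE doc SET deleted = true WHERE id = 2;

RESET ROLE;

-- Clean up the constructed objects.
DROP TABLE doc;
DROP ROLE rls_demo_user;
```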