| From: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, Charles Clavadetscher <clavadetscher(at)swisspug(dot)org>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: unclear about row-level security USING vs. CHECK |
| Date: | 2015-09-23 19:22:40 |
| Message-ID: | 5602FC00.6060001@gmx.net |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 9/23/15 2:52 PM, Stephen Frost wrote:
>> That might be reasonable, but the documentation is completely wrong
>> about that.
>
> Really? I feel pretty confident that it's at least mentioned. I
> agree that it should be made more clear.
I quoted the documentation at the beginning of the thread. That's all I
could find about it.
>> That said, why even have USING and CHECK as separate clauses? Can't you
>> just create different policies if you want them different?
>>
>> Hypothetical example:
>>
>> CREATE POLICY p1 ON t1 FOR SELECT CHECK (extract(year from entered_on) =
>> extract(year from current_timestamp));
>> CREATE POLICY p2 ON t2 FOR INSERT, UPDATE, DELETE CHECK (entered_by =
>> current_user);
>
> USING is about visibility of existing records, WITH CHECK is in regards
> to new rows being added to the relation (either through an INSERT or an
> UPDATE).
That makes sense, but then the current behavior that I mentioned at the
beginning of the thread is wrong. If you think these clauses are
clearly separate, then they should be, er, clearly separate.
Maybe the syntax can be tweaked a little, like USING AND CHECK or
whatever. Not that USING and CHECK are terribly intuitive in this
context anyway.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert Haas | 2015-09-23 19:38:59 | clearing opfuncid vs. parallel query |
| Previous Message | Stephen Frost | 2015-09-23 19:20:08 | Re: unclear about row-level security USING vs. CHECK |