| From: | Dean Rasheed <dean(dot)a(dot)rasheed(at)gmail(dot)com> |
|---|---|
| To: | quae(at)daurnimator(dot)com, pgsql-bugs(at)lists(dot)postgresql(dot)org, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: BUG #15708: RLS 'using' running as wrong user when called from a view |
| Date: | 2019-03-24 11:19:52 |
| Message-ID: | CAEZATCV-UjLxmzk7sZhiu9fMnOoaQwZ2frtUrsu0gwg_VZ8JMg@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs pgsql-hackers |
On Thu, 21 Mar 2019 at 00:39, PG Bug reporting form
<noreply(at)postgresql(dot)org> wrote:
>
> This fails, seemingly because the RLS on 'bar' is being checked by alice,
> instead of the view owner bob:
>
Yes I agree, that appears to be a bug. The subquery in the RLS policy
should be checked as the view owner -- i.e., we need to propagate the
checkAsUser for the RTE with RLS to any subqueries in its RLS
policies.
It looks like the best place to fix it is in
get_policies_for_relation(), since that's where all the policies to be
applied for a given RTE are pulled together. Patch attached.
Regards,
Dean
| Attachment | Content-Type | Size |
|---|---|---|
| rls-perm-check-fix.patch | application/octet-stream | 4.0 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Magnus Hagander | 2019-03-24 17:50:37 | Re: BUG #15706: Support Services page out of date |
| Previous Message | Christoph Berg | 2019-03-22 08:36:14 | Re: BUG #15710: ADD COLUMN IF NOT EXISTS adds constraint anyways |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Haribabu Kommi | 2019-03-24 11:30:47 | Re: pg_basebackup ignores the existing data directory permissions |
| Previous Message | Peter Eisentraut | 2019-03-24 11:04:12 | Re: chained transactions |