From: | Dean Rasheed <dean(dot)a(dot)rasheed(at)gmail(dot)com> |
---|---|
To: | Andrea Adami <fol(at)fulcro(dot)net> |
Cc: | PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: CREATE POLICY bug ? |
Date: | 2016-09-01 09:53:51 |
Message-ID: | CAEZATCWqKjzFZAkXOafAn+Mo5y3xZe_pCxzgUDrjwH=biZFD=A@mail.gmail.com |
Lists: | pgsql-hackers |
[Please reply to the list, not just to me, so that others can benefit
from and contribute to the discussion]
On 31 August 2016 at 11:52, Andrea Adami <fol(at)fulcro(dot)net> wrote:
> Thanks Dean, I did further investigations:
> i set the owner of the view to: "manager(at)scuola247(dot)it" with:
> ALTER TABLE public.policy_view OWNER TO "manager(at)scuola247(dot)it";
> and I was thinking to see from the select:
> select * from policy_view
> the rows: 1,2,3
> then
> set role 'manager(at)scuola247(dot)it';
> select * from policy_view;
> returns rows 1,2,3 as expected but:
> set role 'teacher(at)scuola247(dot)it';
> select * from policy_view;
> returns rows 4,5 and
> set role 'postgres'
> select * from policy_view
> returns nothing ...
> What are you thinking about?
>
> Andrea
That's correct. With the table owned by postgres and the view owned by
"manager(at)scuola247(dot)it", access to the table via the view is subject to
the policies that apply to "manager(at)scuola247(dot)it". So regardless of
who the current user is, when selecting from the view, the policy
"standard" will be applied, and that will limit the visible rows to
those for which usr = current_user.
Regards,
Dean
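
A constructed reproduction of the behaviour described in this message, added here as an example and not taken from the thread: policies on the table are selected for the view owner, while current_user inside the policy predicate is still the role running the query. The role names manager and teacher, the table policy_demo and its columns are assumptions; the policy name "standard", the view name policy_view and the predicate usr = current_user come from the message.

```sql
-- Constructed example: run as a superuser (e.g. postgres) in a scratch database.
-- Assumed names: roles manager/teacher, table policy_demo, columns id/usr.
CREATE ROLE manager;
CREATE ROLE teacher;

CREATE TABLE public.policy_demo (id int PRIMARY KEY, usr text NOT NULL);
INSERT INTO public.policy_demo VALUES
  (1, 'manager'), (2, 'manager'), (3, 'manager'),
  (4, 'teacher'), (5, 'teacher');

-- Row-level security with the predicate quoted in the message.
ALTER TABLE public.policy_demo ENABLE ROW LEVEL SECURITY;
CREATE POLICY standard ON public.policy_demo
  FOR SELECT
  USING (usr = current_user);

-- The view is owned by manager; the table stays owned by the superuser.
CREATE VIEW public.policy_view AS
  SELECT id, usr FROM public.policy_demo;
ALTER TABLE public.policy_view OWNER TO manager;
GRANT SELECT ON public.policy_demo TO manager;  -- view owner needs table access
GRANT SELECT ON public.policy_view TO teacher;  -- teacher may read only the view

-- Direct table access by the superuser owner is not subject to the policy.
SELECT id FROM public.policy_demo ORDER BY id;

-- Through the view, access to policy_demo is checked as manager, so policy
-- "standard" is applied for every caller, including the superuser.
-- The predicate itself still compares usr with the calling role.
SET ROLE manager;   -- predicate evaluates as usr = 'manager'
SELECT id FROM public.policy_view ORDER BY id;

SET ROLE teacher;   -- predicate evaluates as usr = 'teacher'
SELECT id FROM public.policy_view ORDER BY id;

RESET ROLE;         -- back to the superuser: no row has usr = 'postgres'
SELECT id FROM public.policy_view ORDER BY id;
```

On PostgreSQL 15 and later, a view created WITH (security_invoker = true) has table permissions and policies checked against the querying role instead of the view owner.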