Re: Updatable view (where in) with check option doesn't validate data properly

To add more context about this issue, I am currently porting a software
which works with both Oracle and MSSQL.
Those two RDBMS support views with "check option" that contain either
subqueries or inner joins. In practice we also use "with recursive" in some
subqueries.

Using "check option" without self table subqueries or inner joins puts a
big restriction on what can be achieved through this mechanism.
The fact that view creation is supported in postgres but yields undefined
behavior bothers me. I would have to rewrite a lot of views to make them
compatible with postgres; and then do extensive tests for each of them to
validate postgres behavior upon inserts and updates. The safety net is very
thin here, and I guess postgres implementation could change at every moment
making the application crash with new versions of the RDBMS.

Regards,
Nicolas M

Le jeu. 16 déc. 2021 à 02:05, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> a écrit :

> Nicolas M <kiruahxh(at)gmail(dot)com> writes:
> > create or replace view viewSimpleA as select * from tableA where name
> > like 'a%'with check option;
>
> [ behaves as expected ]
>
> > create or replace view viewA as select * from tableAwhere db_record_id
> in (
> > select db_record_id from tableA
> > where name like 'a%'
> > ) with check option;
>
> [ not so much ]
>
> I don't think this is a bug. The problem is that we handle
> WITH CHECK OPTION by seeing whether the proposed new tuple
> value satisfies the view's WHERE clause. But the new tuple
> isn't yet stored, or at least isn't yet visible, so that
> that sub-select still finds the old row contents (or fails
> to find any row at all, in your first test).
>
> We could maybe hack our way to fixing that in the specific
> case you show here, but I'm not very excited about that,
> because this usage of WITH CHECK OPTION seems inherently
> unsafe. For example, if we permit an update based on the
> fact that there's currently a row with "name like 'a%'",
> there's no way to be certain that some other transaction
> hasn't concurrently changed or deleted that row. That'd
> lead to inconsistency once both transactions commit.
>
> In general I think that expecting WITH CHECK OPTION to
> enforce non-immutable conditions is pretty hazardous,
> for largely the same reasons that a non-immutable CHECK
> constraint is hazardous. We don't stop you from declaring
> such a constraint, but it's likely to bite you in the rear.
>
> regards, tom lane
>