pgsql: RLS: Fix ALL vs. SELECT+UPDATE policy usage

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: pgsql-committers(at)postgresql(dot)org
Subject: pgsql: RLS: Fix ALL vs. SELECT+UPDATE policy usage
Date: 2017-05-07 01:48:37
Message-ID: E1d7BJN-0003Ay-LG@gemulon.postgresql.org
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-committers

RLS: Fix ALL vs. SELECT+UPDATE policy usage

When we add the SELECT-privilege based policies to the RLS with check
options (such as for an UPDATE statement, or when we have INSERT ...
RETURNING), we need to be sure and use the 'USING' case if the policy is
actually an 'ALL' policy (which could have both a USING clause and an
independent WITH CHECK clause).

This could result in policies acting differently when built using ALL
(when the ALL had both USING and WITH CHECK clauses) and when building
the policies independently as SELECT and UPDATE policies.

Fix this by adding an explicit boolean to add_with_check_options() to
indicate when the USING policy should be used, even if the policy has
both USING and WITH CHECK policies on it.

Reported by: Rod Taylor

Back-patch to 9.5 where RLS was introduced.

Branch
------
REL9_5_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/d617c7629c0806a245555c0fe74331935c726569

Modified Files
--------------
src/backend/rewrite/rowsecurity.c | 23 +++++++++++++++--------
1 file changed, 15 insertions(+), 8 deletions(-)

Browse pgsql-committers by date

  From Date Subject
Next Message Robert Haas 2017-05-07 02:24:27 pgsql: Allow queries submitted by postgres_fdw to be canceled.
Previous Message Andres Freund 2017-05-07 00:04:32 pgsql: Fix duplicated words in comment.