Re: Row Level Security UPDATE Confusion

From: Joe Conway <mail(at)joeconway(dot)com>
To: Stephen Frost <sfrost(at)snowman(dot)net>, Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Rod Taylor <rod(dot)taylor(at)gmail(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Row Level Security UPDATE Confusion
Date: 2017-04-13 20:59:37
Message-ID: a6e66bd3-8d84-5afc-70b7-7cac0aece35f@joeconway.com
Lists: pgsql-hackers

On 04/13/2017 01:31 PM, Stephen Frost wrote:
> * Robert Haas (robertmhaas(at)gmail(dot)com) wrote:
>> On Thu, Apr 6, 2017 at 4:05 PM, Rod Taylor <rod(dot)taylor(at)gmail(dot)com> wrote:
>> > I'm a little confused on why a SELECT policy fires against the NEW record
>> > for an UPDATE when using multiple FOR policies. The ALL policy doesn't seem
>> > to have that restriction.
>>
>> My guess is that you have found a bug.
>
> Indeed. Joe's been looking into it and I'm hoping to find some time to
> dig into it shortly.

>> CREATE POLICY split_select ON t FOR SELECT TO split
>> USING (value > 0);
>> CREATE POLICY split_update ON t FOR UPDATE TO split
>> USING (true) WITH CHECK (true);

Yes -- from what I can see in gdb:

1) add_with_check_options() adds both (value > 0) and (true) to
withCheckOptions -- this seems correct as the USING expression
is used for WITH CHECK when the latter is not specified

2) ExecWithCheckOptions() checks (value > 0) which fails, and it
immediately throws an ERROR, i.e. it never checks the (true)
expression and therefore never ORs the results -- this seems
incorrect; it uses restrictive, not permissive

Joe

--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development
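A self-contained reproduction of the scenario discussed above, added here as an illustration and not code posted by any participant in the thread. The two policies are copied from Rod's quoted message; the table columns (id, value), the sample rows and the GRANTs are assumptions.

```sql
-- Assumed schema: the thread only names table t, role split and column value.
CREATE TABLE t (id int PRIMARY KEY, value int);
INSERT INTO t VALUES (1, 10), (2, 20);          -- constructed sample rows
CREATE ROLE split;
GRANT SELECT, UPDATE ON t TO split;
ALTER TABLE t ENABLE ROW LEVEL SECURITY;        -- table owner still bypasses RLS

-- Policies exactly as quoted in the thread: no WITH CHECK on the SELECT
-- policy, so its USING expression doubles as its WITH CHECK.
CREATE POLICY split_select ON t FOR SELECT TO split
    USING (value > 0);
CREATE POLICY split_update ON t FOR UPDATE TO split
    USING (true) WITH CHECK (true);

SET ROLE split;                                  -- act as a non-owner so RLS applies

-- Row 1 is visible (value > 0) and split_update's USING (true) lets us update it.
-- The WHERE clause reads a column, so SELECT rights on t are required and the
-- SELECT policy is added to withCheckOptions alongside the UPDATE policy, as
-- Joe describes in point 1.  The NEW row has value = -5, so (value > 0) fails.
-- With the behaviour Joe traced in point 2 this statement raises
--   ERROR:  new row violates row-level security policy for table "t"
-- even though split_update's WITH CHECK (true) would have allowed it if the
-- two permissive checks had been ORed together.
UPDATE t SET value = -5 WHERE id = 1;

-- Same statement with a NEW row that satisfies both checks: succeeds.
UPDATE t SET value = 15 WHERE id = 1;

RESET ROLE;
```

Run the block as a superuser or the table owner so that SET ROLE split is permitted; the error on the first UPDATE is the behaviour under discussion, and the second UPDATE shows that the policies themselves are otherwise functional.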
