From: | Peter Eisentraut <peter(at)eisentraut(dot)org> |
---|---|
To: | jian he <jian(dot)universality(at)gmail(dot)com> |
Cc: | pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>, Dean Rasheed <dean(dot)a(dot)rasheed(at)gmail(dot)com> |
Subject: | Re: Virtual generated columns |
Date: | 2025-01-14 09:42:37 |
Message-ID: | ba95edda-ea40-47bf-b549-99b02514b2c7@eisentraut.org |
Lists: | pgsql-hackers |

On 09.01.25 09:38, jian he wrote:
>> create user foo;
>> create user bar;
>> grant create on schema public to foo;
>> \c - foo
>> create table t1 (id int, ccnum text, ccredacted text generated always as
>> (repeat('*', 12) || substr(ccnum, 13, 4)) virtual);
>> grant select (id, ccredacted) on table t1 to bar;
>> insert into t1 values (1, '1234567890123456');
>> \c - bar
>> select * from t1; -- permission denied
>> select id, ccredacted from t1; -- ok
>
> I think this is expected.
> However, once the user can access the pg_catalog,
> then he can use pg_get_expr
> to figure out the generation expression.
>
> So here "bar" can figure out the column value of ccnum, I think.

Having access to the expression definition doesn't help you reverse the
computation, if the computation itself is not reversible.