There is a gap in the permission scheme for inheritance setups. Say you
CREATE TABLE persons (...);
CREATE TABLE employees (...) INHERITS (persons);
GRANT SELECT ON persons TO foo;
Then user foo can extract who the employees are using
SELECT * FROM persons EXCEPT SELECT * FROM ONLY persons;
With UPDATE permissions one could then even do moderately evil things
like only changing the employees.
Proper encapsulation would require that using ONLY is only permitted
when specifically allowed. That is what GRANT SELECT WITH HIERARCHY
OPTION does, per SQL standard. It is basically a funny spelling for
another privilege type that means "may use ONLY".
I think this would be the proper and useful thing to do, especially in
conjunction with the new recursive grant behavior. There would probably
be some upgrading issues. For example, GRANTs imported via pg_dump from
8.4 would probably need to change SELECT to SELECT WITH HIERARCHY
OPTION, and even that technically wouldn't cover all cases.
pgsql-hackers by date
|Next:||From: Greg Stark||Date: 2009-10-29 23:52:13|
|Subject: Re: WIP: push AFTER-trigger execution into ModifyTable node|
|Previous:||From: Peter Eisentraut||Date: 2009-10-29 22:41:26|
|Subject: Re: \d+ for long view definitions?|