Re: New patch for Column-level privileges

Tom, er al,

* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> I'm thinking make_var is not the place to do this. The places that are
> supposed to be taking care of permissions are the ones that do this:
>
> /* Require read access --- see comments in setTargetTable() */
> rte->requiredPerms |= ACL_SELECT;

Argh. That's what I had started out with, but I couldn't figure out how
to handle the JOIN case. I'm a bit mystified by what KaiGai found
though and havn't had a chance to look at it yet, but I thought I had
tested the JOIN cases and I had added them to the regression tests.
Guess I missed something.

> It's possible that we've missed some --- in particular, right at the
> moment I am not sure that whole-row Vars are handled properly.

I added specific regression test for whole-row Vars, so I'd be concerned
if something isn't working there.

> And maybe we could refactor a little bit to save some code.
> But those are basically the same places that ought to be adding
> bits to the column bitmaps.

I tend to agree, provided we can handle JOIN clauses sanely at those
places. I'll try and look at KaiGai's patch today and provide feedback.

Thanks,

Stephen