Re: Row Level Security Policies documentation doesn't mention lack of support for views

Stephen, is there anything missing in our docs related this issue?

---------------------------------------------------------------------------

On Thu, Jun 29, 2017 at 02:25:11PM +0000, deinspanjer(at)gmail(dot)com wrote:
> The following documentation comment has been logged on the website:
>
> Page: https://www.postgresql.org/docs/9.6/static/ddl-rowsecurity.html
> Description:
>
> The policy documentation page is great, and the example in it is very
> informative, but I just discovered a major flaw in our implementation of it
> that I would like to see mentioned in the documentation.
>
> If you create a view on a table, any queries against the view are in the
> context of the view creator rather than the actual current user.
>
> So, in the example on the page, if the admin creates a view of the passwd
> table and grants access to this view, alice would no longer be subject to
> any of the RLS policies as long as she used the view instead of the real
> table.
>
> --
> Sent via pgsql-docs mailing list (pgsql-docs(at)postgresql(dot)org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-docs

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +