Re: BUG #4350: 'select' acess given to views containing "union all" even though user has no grants

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "Heikki Linnakangas" <heikki(at)enterprisedb(dot)com>
Cc: "Brendan O'Shea" <boshea(at)akamai(dot)com>, pgsql-bugs(at)postgresql(dot)org
Subject: Re: BUG #4350: 'select' acess given to views containing "union all" even though user has no grants
Date: 2008-08-12 02:39:11
Message-ID: 25950.1218508751@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-bugs

I wrote:
> That's one heck of a scary patch: nowhere in list_union's API is there
> any guarantee that it preserves list ordering, but we *must not* change
> the positions of the existing rtable entries.

Actually there's a more fundamental problem, namely that pulled-up
subqueries aren't necessarily equal() to the originals. They will
definitely be different if there were any uplevel Var references.

While you could argue that it doesn't matter because we'll only
end up redundantly checking permissions on multiple copies of the
RTEs, that's a bit beyond my threshold of ugliness...

regards, tom lane

In response to

Responses

Browse pgsql-bugs by date

  From Date Subject
Next Message Robert Treat 2008-08-12 02:48:36 Re: return query with set-returning functions
Previous Message Tom Lane 2008-08-12 01:53:58 Re: BUG #4350: 'select' acess given to views containing "union all" even though user has no grants