Re: PoC: Make it possible to disallow WHERE-less UPDATE and DELETE

On Mon, Sep 19, 2016 at 12:02 AM, David Fetter <david(at)fetter(dot)org> wrote:
>> - The claim in the documentation that only superusers can do things
>> with this module is not generally correct.
>
> I think that the claims are fixed. This is SUSET, at least in this
> patch, because anything short of that that changes query behavior
> seems incautious.

Uggh, I disagree strongly with that, as do lots of existing GUCs. I
think it's for the superuser to decide whether this should be enabled
by default (e.g. by setting it in postgresql.conf) and for individual
users to decide whether they want to override the superuser's decision
for particular sessions. Therefore, I think this should be
PGC_USERSET.

I think PGC_SUSET GUCs are pretty annoying, and we should have a
really compelling reason why it's not OK for users to change the value
of a setting before resorting to PGC_SUSET. For example, log_duration
is PGC_SUSET and that makes sense because the log is "owned" by the
administrator, not the individual user. But work_mem, for example,
changes query behavior and that is PGC_USERSET. I think that's right.
We have talked before about wanting a system that restricts the values
to which users can legally set values which they are in principle
allowed to change, and someday we might have that. In the meantime,
letting regular users change settings that they don't like is, in
general, a feature, not a bug.

Someone who feels otherwise can, of course, hack up their own version
of this module.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company