Re: Bug: RLS policy FOR SELECT is used to check new rows

From: Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>
To: Stephen Frost <sfrost(at)snowman(dot)net>, Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Dean Rasheed <dean(dot)a(dot)rasheed(at)gmail(dot)com>, Jeff Davis <pgsql(at)j-davis(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)lists(dot)postgresql(dot)org
Subject: Re: Bug: RLS policy FOR SELECT is used to check new rows
Date: 2023-11-09 15:16:33
Message-ID: cb96d8657a9d5dfc53a17d99e24e08e617ba11a5.camel@cybertec.at
Lists: pgsql-hackers

On Wed, 2023-10-25 at 09:45 +0200, Laurenz Albe wrote:
> I can accept that the error is intentional, even though it violated the
> POLA for me. I can buy into the argument that an UPDATE should not make
> a row seem to vanish.
>
> I cannot buy into the constraint argument. If the table owner wanted to
> prevent you from causing a constraint violation error with a row you
> cannot see, she wouldn't have given you a FOR UPDATE policy that allows
> you to perform such an UPDATE.
>
> Anyway, it is probably too late to change a behavior that has been like
> that for a while and is not manifestly buggy.

I have thought some more about this, and I believe that if FOR SELECT
policies are used to check new rows, you should be allowed to specify
WITH CHECK on FOR SELECT policies. Why not allow a user to specify
different conditions for fetching from a table and for new rows after
an UPDATE?

The attached patch does that. What do you think?

Yours,
Laurenz Albe

Attachment Content-Type Size
0001-Allow-WITH-CKECK-on-FOR-SELECT-policies.patch text/x-patch 9.9 KB
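
The behaviour discussed in this message, as an added example that is not part of the original message or the attached patch: a FOR SELECT policy's USING expression is applied to the new row of an UPDATE, and PostgreSQL without the patch gives a SELECT policy no separate new-row condition. The table `docs`, the role `app_user` and the policy names are constructed for illustration.

```sql
-- Constructed names: table "docs", role "app_user". Run as the table owner.
CREATE ROLE app_user;
CREATE TABLE docs (id int PRIMARY KEY, deleted boolean NOT NULL DEFAULT false);
INSERT INTO docs VALUES (1, false);
ALTER TABLE docs ENABLE ROW LEVEL SECURITY;
GRANT SELECT, UPDATE ON docs TO app_user;

-- Reading: only rows that are not soft-deleted are visible.
CREATE POLICY docs_sel ON docs FOR SELECT TO app_user
    USING (NOT deleted);

-- Writing: any row may be updated, with no condition on the new row.
CREATE POLICY docs_upd ON docs FOR UPDATE TO app_user
    USING (true) WITH CHECK (true);

SET ROLE app_user;

-- The WHERE clause reads the table, so the FOR SELECT policy applies as well,
-- and its USING expression is checked against the new row. The new row has
-- deleted = true, fails (NOT deleted), and the statement is rejected with a
-- row-level security violation even though docs_upd allows it.
UPDATE docs SET deleted = true WHERE id = 1;

RESET ROLE;

-- Inspect the policies: the FOR SELECT policy carries only a USING
-- expression (qual); its with_check column is empty.
SELECT policyname, cmd, qual, with_check
FROM pg_policies
WHERE tablename = 'docs';

-- Without the patch, a separate new-row condition cannot be attached to a
-- SELECT policy: this CREATE POLICY is rejected because WITH CHECK is not
-- accepted for SELECT (or DELETE) policies.
CREATE POLICY docs_sel_new ON docs FOR SELECT TO app_user
    USING (NOT deleted) WITH CHECK (true);

-- Cleanup of the constructed objects.
DROP TABLE docs;
DROP ROLE app_user;
```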
