| From: | Joe Conway <mail(at)joeconway(dot)com> |
|---|---|
| To: | Andrea Adami <fol(at)fulcro(dot)net>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Row Level Security Bug ? |
| Date: | 2017-11-12 19:14:33 |
| Message-ID: | db529a39-fa2b-5e10-3dfa-1e04e76426b3@joeconway.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 11/12/2017 10:17 AM, Andrea Adami wrote:
> if i do:
>
> SET ROLE 'manager-a(at)scuola-1(dot)it <mailto:manager-a(at)scuola-1(dot)it>'
[SELECT from table]
> i see only one row (as expected)
>
> but when i do:
[SELECT from VIEWs]
> I see all the rows always
>
> this way i lack all the row level security i defined
>
> is this either a bug or it's made by design ?
> if it's made by design why ?
> Is there a way to write view that respect the row level security ?
> For my point of view is a nonsense make a row level security that
> doesn't work with the view.
See:
https://www.postgresql.org/docs/10/static/sql-createview.html
In particular: "Access to tables referenced in the view is determined by
permissions of the view owner."
And:
https://www.postgresql.org/docs/10/static/ddl-rowsecurity.html
"Superusers and roles with the BYPASSRLS attribute always bypass the row
security system when accessing a table. Table owners normally bypass row
security as well, though a table owner can choose to be subject to row
security with ALTER TABLE ... FORCE ROW LEVEL SECURITY."
HTH,
Joe
--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development
| From | Date | Subject | |
|---|---|---|---|
| Next Message | David Fetter | 2017-11-12 20:13:22 | Re: PATCH: psql tab completion for SELECT |
| Previous Message | Tom Lane | 2017-11-12 19:00:42 | Re: Fix number skipping in to_number |