Re: Need SELECT rights to UPDATE/DELETE WHERE? - Mailing list pgsql-sql

From Tom Lane
Subject Re: Need SELECT rights to UPDATE/DELETE WHERE?
Date
Msg-id 10344.1107236071@sss.pgh.pa.us
Whole thread Raw
In response to Need SELECT rights to UPDATE/DELETE WHERE?  (cpp@world-online.no)
List pgsql-sql
cpp@world-online.no writes:
> In my hands it looks like a user with INSERT/DELETE/UPDATE rights on table1
> cannot do "update table1 set field1=xx where field2=yy" without also being
> granted select rights. However, the user can do "update table1 set field1=xx".
> Is this right?

Yes.  Otherwise you can use UPDATEs to infer something about the content
of the table, eg doupdate table1 set field1 = field1 where field2 = yy
and note the result count to find out whether there are any rows with
field2 = yy.  If you didn't give the other guy SELECT rights then
presumably you do not want him to be able to infer any such thing.
        regards, tom lane


pgsql-sql by date:

Previous
From: "Iain"
Date:
Subject: Re:
Next
From: Achilleus Mantzios
Date:
Subject: Re: BLOBs vs BYTEA