insert/upate/delete permissions on views - Mailing list pgsql-bugs

From Dani Mezher
Subject insert/upate/delete permissions on views
Date
Msg-id 111A067B-A2C4-11D8-B847-000A95C4FBC6@fi.usj.edu.lb
Whole thread Raw
Responses Re: insert/upate/delete permissions on views
List pgsql-bugs
Hello,

    I would like to report a bug in postgresql 7.4.1 regarding the
permission for insert/update/delete on views.
I actually created a view based on a table to control user access to
individual tuples. I revoked all privileges
on the underlying table and created insert/update/delete rules over the
view. It seems that even if I revoke update/insert
permissions from the users, they can still update/insert data into the
views and therefore into the table.

   An alternative way is to  use triggers and stored procedures but the
postgresql rule systems seems more elegant
and intuitive. Is there a patch to fix this problem??? Is it fixed in
postgresql 7.4.2???

Here is an illustration of the problem.
==================================
baronsgroup=# create table test(code integer);
CREATE TABLE
baronsgroup=# create view vtest as select * from test;
CREATE VIEW
baronsgroup=# create rule update as on update to vtest do instead
update test set code=new.code where code=old.code;
CREATE RULE
baronsgroup=# revoke all on test from spiro;
REVOKE
baronsgroup=# revoke all on vtest from spiro;
REVOKE
baronsgroup=# grant select on vtest to spiro;
GRANT
baronsgroup=# insert into test values(2);
INSERT 134507 1
baronsgroup=# \c baronsgroup spiro
You are now connected to database "baronsgroup" as user "spiro".
baronsgroup=> select * from vtest;
  code
------
     2
(1 row)

baronsgroup=> select * from test;
ERROR:  permission denied for relation test
ERROR:  permission denied for relation test
baronsgroup=> update test set code=20;
ERROR:  permission denied for relation test
ERROR:  permission denied for relation test
baronsgroup=> \z vtest;
        Access privileges for database "baronsgroup"
  Schema | Table |            Access privileges
--------+-------+-----------------------------------------
  public | vtest | {dani=a*r*w*d*R*x*t*/dani,spiro=r/dani}
(1 row)

baronsgroup=> select has_table_privilege('vtest','update');
  has_table_privilege
---------------------
  f
(1 row)

baronsgroup=> update vtest set code=20;
UPDATE 1
baronsgroup=> select * from vtest;
  code
------
    20
(1 row)

==========================


Regards
Dani Mezher

pgsql-bugs by date:

Previous
From: "Safwan Hak"
Date:
Subject: Re: Postgre 7.3.x Bug with datetime formatting.
Next
From: "Safwan Hak"
Date:
Subject: Re: Postgre 7.3.x Bug with datetime formatting.