Home > mailing lists

Re: Do update permissions require select permissions - Mailing list pgsql-sql

From	Tom Lane
Subject	Re: Do update permissions require select permissions
Date	November 28, 2003 21:14:07
Msg-id	1644.1070057618@sss.pgh.pa.us Whole thread Raw
In response to	Do update permissions require select permissions (christopher-piker@uiowa.edu (Chris Piker))
List	pgsql-sql

Tree view

christopher-piker@uiowa.edu (Chris Piker) writes:
> Now as some other user one can do:
>    update data set stuff = 'other stuff';
> And it works okay.  But the following fails:
>    update data set stuff = 'yet other stuff' where id = 1;
> Why is this?  

Because the latter requires reading, not only writing, the table.

One way to look at it is that if we didn't restrict that, then a person
having only UPDATE rights could nonetheless extract information from the
table.  For example consider
update data set stuff = stuff where id = 42;

This allows the user to determine whether id 42 exists in the table
(by noting the returned UPDATE count).  If you had not given that user
SELECT rights, presumably you don't really want him to be able to find
that out.
        regards, tom lane

pgsql-sql by date:

From: Tom Lane
Date: 28 November 2003, 20:57:57
Subject: Re: explicit joins wrong planning

From: Tomasz Myrta
Date: 28 November 2003, 22:05:33
Subject: Re: explicit joins wrong planning

Re: Do update permissions require select permissions - Mailing list pgsql-sql

Previous

Next