Joe Conway <mail@joeconway.com> writes:
> Why wouldn't we force checkAsUser to the rule owner in the copied RTEs,
> similar to the rest of the rule query?
Because it would be the wrong check. We need to check that the rule
caller has permissions on the view for whatever he originally tried
to do (i.e., the type of the original query that referenced the view).
In the non-INSTEAD case, this check will be redundant with a check
applied when the original query is executed ... but in the INSTEAD case,
it isn't redundant.
> It makes sense in that the rule
> query could possibly use the RTE (although as you pointed out it doesn't
> in this case), and therefore the permission check should be the same, no?
No; it's possible for the amalgamated query to include references to
tables that are referenced only in the original query and nowhere in the
text of the rule. (This is obviously possible right now, since we just
take the union of the two rtables and don't make any effort to discard
unreferenced RTEs ... but I think it could happen even if we did discard
unreferenced RTEs, because conditions from the original query get pushed
into the rule and might reference tables that the rule text doesn't
mention.) Checking such tables for rule-owner access would be wrong;
they have to be checked for access by the rule caller.
regards, tom lane
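A constructed psql session, added here and not part of the thread, that shows the two checks Tom describes on a current PostgreSQL: the caller is checked for the original operation on the view, and a table mentioned only in the caller's query is checked as the caller. The roles and table names are my own.

```sql
-- Constructed demonstration: run as a superuser in psql. Two roles, a base
-- table and view owned by rule_owner, and a table only the caller's query
-- references. Errors marked "expected" are the point of the demo.
CREATE ROLE rule_owner;
CREATE ROLE caller;

SET ROLE rule_owner;
CREATE TABLE base_t (id int PRIMARY KEY, val text);
INSERT INTO base_t VALUES (1, 'a'), (2, 'b');
CREATE VIEW base_v AS SELECT id, val FROM base_t;
-- The INSTEAD rule's own reference to base_t is checked as rule_owner
-- (checkAsUser = rule owner on the RTEs that come from the rule text).
CREATE RULE base_v_upd AS ON UPDATE TO base_v
    DO INSTEAD UPDATE base_t SET val = NEW.val WHERE id = OLD.id;
RESET ROLE;

-- caller may SELECT from the view but has no rights on base_t at all.
GRANT SELECT ON base_v TO caller;

SET ROLE caller;
-- 1. The original operation (UPDATE) is checked against the view as the
--    caller, even though the INSTEAD rule replaces the query entirely.
--    Expected: permission denied on base_v.
UPDATE base_v SET val = 'x' WHERE id = 1;
RESET ROLE;

GRANT UPDATE ON base_v TO caller;

SET ROLE caller;
-- 2. With UPDATE on the view, the rewritten query succeeds: base_t is
--    reached only through the rule text, so it is checked as rule_owner.
UPDATE base_v SET val = 'x' WHERE id = 1;
RESET ROLE;

-- 3. A table that appears only in the caller's query, never in the rule,
--    ends up in the rewritten query too; it must be checked as the caller.
CREATE TABLE filter_t (id int);   -- owned by the superuser, no grants
SET ROLE caller;
-- Expected: permission denied on filter_t, not a silent rule-owner bypass.
UPDATE base_v SET val = 'y' WHERE id IN (SELECT id FROM filter_t);
RESET ROLE;

-- Cleanup.
DROP TABLE filter_t;
DROP VIEW base_v; DROP TABLE base_t;
DROP ROLE caller; DROP ROLE rule_owner;
```

Step 3 is the case from the last paragraph: if the rewriter had forced the rule owner's identity onto every RTE in the combined query, the caller's subquery over filter_t would run with privileges the caller never had.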