Gert Pache (uhx2@rz.uni-karlsruhe.de) reports a bug with a severity of 3
The lower the number the more severe it is.
Short Description
INSERT possible without INSERT-permission
Long Description
Although a user has only UPDATE/DELETE permissions on a table, he can insert into the table.
Version: 7.0.1
Sample Code
-- superuser creates table tab and grants user pgtester only
-- update-permission
delme=# create table tab ( id int );
CREATE
delme=# revoke all on tab from public;
CHANGE
delme=# grant update on tab to pgtester;
CHANGE
delme=# \dp tab
Access permissions for database "delme"
 Relation | Access permissions
----------+--------------------
 tab      | {"=","pgtester=w"}
-- although not having insert permission, pgtester is able
-- to insert a record
delme=> insert into tab values (1);
INSERT 76448 1
-- SELECTs are forbidden as they should be
delme=> select * from tab;
ERROR: tab: Permission denied.
No file was uploaded with this report
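
A privilege regression check for the scenario reported above, as an added example that is not part of the original report. It assumes a superuser session in a scratch database on a current PostgreSQL release (it relies on has_table_privilege, DO blocks and SET LOCAL ROLE, which 7.0.1 predates); the names acl_tester and acl_tab are constructed for the example.

```sql
-- Added example: verify that a role holding only UPDATE cannot INSERT or SELECT.
-- Everything runs inside one transaction and is rolled back at the end.
BEGIN;

CREATE ROLE acl_tester NOLOGIN;          -- constructed role name
CREATE TABLE acl_tab (id int);           -- constructed table name
REVOKE ALL ON acl_tab FROM PUBLIC;
GRANT UPDATE ON acl_tab TO acl_tester;

-- 1. What the catalog says: only UPDATE should come back as granted.
SELECT p AS privilege,
       has_table_privilege('acl_tester', 'acl_tab', p) AS granted
FROM unnest(ARRAY['SELECT', 'INSERT', 'UPDATE', 'DELETE']) AS p;

-- 2. What the executor enforces: attempt the statements as that role.
--    A catalog answer alone would not have caught the reported behaviour,
--    where the ACL display was correct but the INSERT still went through.
SET LOCAL ROLE acl_tester;

DO $$
BEGIN
    BEGIN
        INSERT INTO acl_tab VALUES (1);
        -- Reaching this line means the INSERT was allowed.
        RAISE EXCEPTION 'ACL bypass: INSERT succeeded with only UPDATE granted';
    EXCEPTION WHEN insufficient_privilege THEN
        RAISE NOTICE 'INSERT correctly denied';
    END;

    BEGIN
        PERFORM 1 FROM acl_tab;
        RAISE EXCEPTION 'ACL bypass: SELECT succeeded with only UPDATE granted';
    EXCEPTION WHEN insufficient_privilege THEN
        RAISE NOTICE 'SELECT correctly denied';
    END;
END
$$;

RESET ROLE;
ROLLBACK;
```

If either statement is permitted, the DO block aborts with the "ACL bypass" error instead of printing the two notices.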