Re: unclear about row-level security USING vs. CHECK - Mailing list pgsql-hackers

From Stephen Frost
Subject Re: unclear about row-level security USING vs. CHECK
Msg-id 20150923192008.GD3685@tamriel.snowman.net
In response to Re: unclear about row-level security USING vs. CHECK  (Alvaro Herrera <alvherre@2ndquadrant.com>)
List pgsql-hackers
* Alvaro Herrera (alvherre@2ndquadrant.com) wrote:
> Robert Haas wrote:
> > On Wed, Sep 23, 2015 at 2:39 PM, Stephen Frost <sfrost@snowman.net> wrote:
> > > * Robert Haas (robertmhaas@gmail.com) wrote:
> > >> On Wed, Sep 23, 2015 at 12:01 PM, Stephen Frost <sfrost@snowman.net> wrote:
> > >> > * Robert Haas (robertmhaas@gmail.com) wrote:
> > >> >> My expectation would have been:
> > >> >>
> > >> >> If you specify USING, you can see only those rows, but you can give
> > >> >> rows away freely.  If you don't want to allow giving rows away under
> > >> >> any circumstances, then specify the same expression for USING and WITH
> > >> >> CHECK.
> > >> >
> > >> > Having an implicit 'true' for WITH CHECK would be very much against what
> > >> > I would ever expect.  If anything, I'd think we would have an implicit
> > >> > 'false' there or simply not allow it to ever be unspecified.
> > >>
> > >> Huh?  If you had an implicit false, wouldn't that prevent updating or
> > >> deleting any rows at all?
> > >
> > > Right, just the same as how, if RLS is enabled and no explicit policies
> > > are provided, non-owners can't see the rows or insert/update/delete
> > > anything in the table.  The same is true for the GRANT system, where
> > > there are no permissions granted by default.  I view the lack of an
> > > explicit definition of a WITH CHECK clause to be the same, excepting the
> > > simple case where it's the same as USING.
> >
> > Hmm, interesting.  I guess that's a defensible position, but I still
> > think that having them default to be the same thing implicitly is
> > kinda weird.  I'll defer to whatever the consensus is, though.
>
> I think an explicit statement of a "true" as WITH CHECK makes more sense
> -- I think Stephen suggested it upthread as making the WITH CHECK be
> mandatory.  If you really want to allow rows to be "given away" (which
> could be a security issue), a "WITH CHECK (true)" is easy enough to
> specify.

Right, the options, in my view at least, are:

1) keep it as-is
2) make WITH CHECK mandatory
3) keep WITH CHECK optional, but default it to 'false' instead

If an administrator really wants WITH CHECK to be 'true', then they can
always add that clause in explicitly, but that really shouldn't be the
default.

For my part at least, I'm still preferring #1, but if there's a
consensus around #2 or #3 among the others interested then I'm happy to
make the actual code changes required.

Thanks!

Stephen
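An added SQL illustration, not from the thread, of the two behaviours being compared: a policy with only USING, where the current code reuses the USING expression as the WITH CHECK test on the new row, beside the explicit WITH CHECK (true) variant that lets a row be given away. The documents table, its owner column and the roles alice and bob are constructed for the example.

```sql
-- Constructed setup: a table owned by the admin running this script, with
-- RLS enabled and DML granted to two ordinary roles (alice, bob).
CREATE ROLE alice LOGIN;
CREATE ROLE bob LOGIN;

CREATE TABLE documents (
    id    serial PRIMARY KEY,
    owner text NOT NULL,
    body  text
);
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO alice, bob;
GRANT USAGE ON SEQUENCE documents_id_seq TO alice, bob;
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
INSERT INTO documents (owner, body) VALUES ('alice', 'note kept by alice');

-- Option 1 (current behaviour): WITH CHECK is omitted, so the USING
-- expression is also applied to the new row produced by INSERT or UPDATE.
CREATE POLICY own_rows ON documents
    USING (owner = current_user);

SET ROLE alice;
SELECT id, owner FROM documents;                    -- only alice's row
UPDATE documents SET body = 'edited' WHERE id = 1;  -- UPDATE 1: still hers
UPDATE documents SET owner = 'bob' WHERE id = 1;
-- ERROR: the new row (owner = 'bob') fails the implicit WITH CHECK,
-- so the row cannot be given away.
RESET ROLE;

-- The "give rows away" variant: an explicit WITH CHECK (true) accepts any
-- new row, so a visible row can be rewritten to another owner, after which
-- alice can no longer see it. This is the case flagged as a security issue.
DROP POLICY own_rows ON documents;
CREATE POLICY own_rows_giveaway ON documents
    USING (owner = current_user)
    WITH CHECK (true);

SET ROLE alice;
UPDATE documents SET owner = 'bob' WHERE id = 1;    -- UPDATE 1: row given away
SELECT count(*) FROM documents;                     -- 0: it now belongs to bob
RESET ROLE;
```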
