* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> Stephen Frost <sfrost@snowman.net> writes:
> > I had intended to address with policies what is addressed through
> > permissions with 7d8db3e, but the coverage for INSERT+RETURNING was only
> > done when ON CONFLICT was in use.
>
> > I've fixed that by applying the SELECT policies as WCOs for both the
> > INSERT and UPDATE RETURNING cases. This matches the permissions system,
> > where we require SELECT rights on the table for an INSERT RETURNING
> > query.
>
> What of DELETE RETURNING?
That was handled in 7d8db3e.
Per previous discussion, UPDATE and DELETE RETURNING apply SELECT
policies as security quals, meaning only the records visible through the
SELECT policy are eligible for consideration. INSERT+RETURNING has only
WithCheckOptions, no security quals, which is what makes it different
from the other cases. The INSERT+ON CONFLICT+RETURNING case had been
covered already and I had mistakenly thought it was also covering
INSERT+RETURNING. In fixing that, I realized that Peter makes a good
point that UPDATE+RETURNING should also have SELECT policies applied as
WithCheckOptions.
I'm about to push updated regression tests, as suggested by Andres.
Thanks!
Stephen
