Re: Bug: RLS policy FOR SELECT is used to check new rows - Mailing list pgsql-hackers

From Laurenz Albe
Subject Re: Bug: RLS policy FOR SELECT is used to check new rows
Msg-id 3e262d57feca27db919f2a9b1cc88fdc05c1c7a4.camel@cybertec.at
In response to Re: Bug: RLS policy FOR SELECT is used to check new rows  (Robert Haas <robertmhaas@gmail.com>)
List pgsql-hackers
On Mon, 2023-11-13 at 12:57 -0500, Robert Haas wrote:
> On Fri, Nov 10, 2023 at 7:43 AM Laurenz Albe <laurenz.albe@cybertec.at> wrote:
> > So, from my perspective, we should never have let FOR SELECT policies
> > mess with an UPDATE.  But I am too late for that; such a change would
> > be way too invasive now.  So I'd like to introduce a "back door" by
> > creating a FOR SELECT policy with WITH CHECK (TRUE).
>
> In principle I see no problem with some kind of back door here, but
> that seems like it might not be the right way to do it. I don't think
> we want constant true to behave arbitrarily differently than any other
> expression. Maybe that's not what you had in mind and I'm just not
> seeing the full picture, though.

I experimented some more, and I think I see my mistake now.

Currently, the USING clause of FOR SELECT/ALL/UPDATE policies is
an *additional* restriction to the WITH CHECK clause.
So my suggestion of using the WITH CHECK clause *instead of*
the USING clause in FOR SELECT policies would be unprincipled.

Sorry for the noise.

Yours,
Laurenz Albe
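
The behaviour this thread is about, as an added example that is not part of the original message or of PostgreSQL's own code: the USING expression of a FOR SELECT policy is applied to the new row of an UPDATE that needs read access to the table, on top of the FOR UPDATE policy's WITH CHECK. The table, role and policy names are constructed for illustration.

```sql
-- Constructed demo schema; docs, rls_demo_user and the policy names are assumptions.
CREATE ROLE rls_demo_user;
CREATE TABLE docs (id int PRIMARY KEY, owner text, visible boolean);
GRANT SELECT, UPDATE ON docs TO rls_demo_user;
ALTER TABLE docs ENABLE ROW LEVEL SECURITY;

-- Rows can be read only while they are marked visible.
CREATE POLICY docs_read ON docs FOR SELECT USING (visible);

-- On its own this policy lets any row be updated to any new value.
CREATE POLICY docs_write ON docs FOR UPDATE USING (true) WITH CHECK (true);

-- Inserted by the table owner, who is not subject to RLS by default.
INSERT INTO docs VALUES (1, 'alice', true);

SET ROLE rls_demo_user;

-- The WHERE clause reads a column, so the statement needs SELECT access.
-- docs_read's USING expression is therefore checked against the existing
-- row and against the new row. The new row has visible = false, so the
-- statement is rejected even though docs_write has WITH CHECK (true).
UPDATE docs SET visible = false WHERE id = 1;

-- No WHERE or RETURNING and no column reference in SET: read access is
-- not required, the FOR SELECT policy is not consulted, and the same
-- change is accepted.
UPDATE docs SET visible = false;

RESET ROLE;

-- Clean up the demo objects.
DROP TABLE docs;
DROP ROLE rls_demo_user;
```

When auditing existing policies, treat every FOR SELECT (and FOR ALL) USING expression as a constraint on the rows a role can write with UPDATE ... WHERE or RETURNING, not only on the rows it can read.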


