Re: Using views for row-level access control is leaky - Mailing list pgsql-hackers

From Richard Huxton
Subject Re: Using views for row-level access control is leaky
Date
Msg-id 4AE04235.40401@archonet.com
In response to Re: Using views for row-level access control is leaky  (Pavel Stehule <pavel.stehule@gmail.com>)
List pgsql-hackers
Pavel Stehule wrote:
>
> postgres=# create or replace function vv(int, int) returns bool as
> $$begin raise notice '% %', $1, $2; return true; end$$ language
> plpgsql COST 0.000001;
> CREATE FUNCTION
> postgres=# select * from v where vv(a,b);
> NOTICE:  10 20
>  a │ b
> ───┼───
> (0 rows)
>
> Still, I do not have a bad result, but, yes, I see what I could not see.

Ah - that's the problem. It's not possible to get the "hidden" values
into the result set, but it is possible to see them. It only matters if
you are using the view to prevent access to certain rows.

--
  Richard Huxton
  Archonet Ltd
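
Added example (not part of the original message, and not code from the PostgreSQL project): the leak discussed above next to a hardened view, using the `security_barrier` view option available in PostgreSQL 9.2 and later. The table `t`, its rows, the definition of `v` and the name `v_barrier` are assumptions, since the thread excerpt does not show them; `vv` is the function from the quoted message.

```sql
-- Constructed schema: the excerpt does not show how t or v were defined.
CREATE TABLE t (a int, b int);
INSERT INTO t VALUES (10, 20), (1, 2);  -- constructed rows; (10, 20) is the row to hide

-- Plain view used as a row filter (assumed definition).
CREATE VIEW v AS SELECT a, b FROM t WHERE a <> 10;

-- Function from the quoted message: almost free to call, with a side effect.
CREATE OR REPLACE FUNCTION vv(int, int) RETURNS bool AS
$$BEGIN RAISE NOTICE '% %', $1, $2; RETURN true; END$$
LANGUAGE plpgsql COST 0.000001;

-- The planner flattens v into the outer query and orders the combined
-- conditions by estimated cost, so vv() can run before "a <> 10" and is
-- handed rows the view was meant to hide. Inspect the Filter order:
EXPLAIN (COSTS OFF) SELECT * FROM v WHERE vv(a, b);

-- Hardened form: with security_barrier the view's own WHERE clause is
-- applied first, and functions not marked LEAKPROOF are not pushed below it.
CREATE VIEW v_barrier WITH (security_barrier) AS
    SELECT a, b FROM t WHERE a <> 10;

-- vv() is now evaluated only on rows that already passed the view's filter.
EXPLAIN (COSTS OFF) SELECT * FROM v_barrier WHERE vv(a, b);
SELECT * FROM v_barrier WHERE vv(a, b);

-- Review aid: list user views with their options; a view relied on for
-- row-level filtering should show security_barrier in reloptions.
SELECT n.nspname, c.relname, c.reloptions
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind = 'v'
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER BY n.nspname, c.relname;
```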

