We have row security policy in place on our database. We do not use current_user on the policies but session variables. This all seemed to work perfectly until we started using views.
I have no idea if this is a bug or normal operation as I could not find anything on this in the documentation (9.6 current)
-- we only see row 2 and 3 (as expected) select * from accounts;
-- we see ALL records... not expected select * from test;
Is this a bug? Or am I doing something wrong?
AFAICT, this isn't a bug. Views are executed with the permissions of the owner of the view, not with the permissions of the user executing the query. This view has been created by postgres, so it is executed with the postgres user permissions.