Re: Bug: RLS policy FOR SELECT is used to check new rows - Mailing list pgsql-hackers

From Dean Rasheed
Subject Re: Bug: RLS policy FOR SELECT is used to check new rows
Msg-id CAEZATCV+-U24XXRZ5jy1+pP_Y8KgxhR_8CaHLfi-dpQkUwsjRQ@mail.gmail.com
In response to Bug: RLS policy FOR SELECT is used to check new rows  (Laurenz Albe <laurenz.albe@cybertec.at>)
Responses Re: Bug: RLS policy FOR SELECT is used to check new rows
List pgsql-hackers
On Tue, 24 Oct 2023 at 09:36, Laurenz Albe <laurenz.albe@cybertec.at> wrote:
>
> I'd say that this error is wrong.  The FOR SELECT policy should be applied
> to the WHERE condition, but certainly not to check new rows.
>

Yes, I had the same thought recently. I would say that the SELECT
policies should only be used to check new rows if the UPDATE has a
RETURNING clause and SELECT permissions are required on the target
relation.

In other words, it should be OK to UPDATE a row to new values that are
not visible according to the table's SELECT policies, provided that
the UPDATE command does not attempt to return those new values. That
would be consistent with what we do for INSERT.

Note that the current behaviour goes back a long way, though it's not
quite clear whether this was intentional [1].

[1] https://github.com/postgres/postgres/commit/7d8db3e8f37aec9d252353904e77381a18a2fa9f

Regards,
Dean
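
The cases this message distinguishes, as an added SQL example that is not part of the original email or of the PostgreSQL sources. The table, role and policy names are hypothetical, and the script assumes a superuser session in a scratch database.

```sql
-- Constructed example; rls_demo, app_user and the policy names are hypothetical.
CREATE ROLE app_user;
CREATE TABLE rls_demo (id int PRIMARY KEY, deleted boolean NOT NULL);
INSERT INTO rls_demo VALUES (1, false), (2, false);

ALTER TABLE rls_demo ENABLE ROW LEVEL SECURITY;
GRANT SELECT, INSERT, UPDATE ON rls_demo TO app_user;

-- Rows flagged as deleted are hidden from reads.
CREATE POLICY p_select ON rls_demo FOR SELECT TO app_user
    USING (NOT deleted);
-- Writes are unrestricted: any row may be inserted, and any visible row
-- may be updated to any new values.
CREATE POLICY p_insert ON rls_demo FOR INSERT TO app_user
    WITH CHECK (true);
CREATE POLICY p_update ON rls_demo FOR UPDATE TO app_user
    USING (true) WITH CHECK (true);

SET ROLE app_user;

-- Case 1: INSERT without RETURNING. The new row would be hidden by p_select,
-- but only p_insert is consulted, so the row is accepted.
INSERT INTO rls_demo VALUES (3, true);

-- Case 2: INSERT with RETURNING. SELECT rights on the table are required,
-- so p_select is also applied to the new row.
INSERT INTO rls_demo VALUES (4, true) RETURNING id;

-- Case 3: UPDATE without RETURNING. The WHERE clause reads the table, so
-- SELECT rights are required; under the behaviour reported in the thread the
-- new row (deleted = true) is checked against p_select although nothing is
-- returned. This is the case the message argues should be allowed.
UPDATE rls_demo SET deleted = true WHERE id = 1;

-- Case 4: UPDATE with RETURNING. The case in which the message says the
-- SELECT policies should be used to check the new row.
UPDATE rls_demo SET deleted = true WHERE id = 2 RETURNING id;

RESET ROLE;
DROP TABLE rls_demo;
DROP ROLE app_user;
```

For soft-delete designs like this one, the practical consequence is that a permissive FOR UPDATE policy alone does not decide whether a row can be moved out of the reader's view; the FOR SELECT policy has to be tested together with it.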


