On Fri, Oct 17, 2014 at 3:49 AM, Robert Haas <robertmhaas@gmail.com> wrote:
>>> That's an argument in favour of only applying a read-filtering policy
>>> where a RETURNING clause is present, but that introduces the "surprise!
>>> the effects of your DELETE changed based on an unrelated clause!" issue.
>>
>> No- if we were going to do this, I wouldn't want to change the existing
>> structure but rather provide either:
>>
>> a) a way to simply disable RETURNING if the policy is in effect and the
>> policy creator doesn't wish to allow it
>> b) allow the user to define another clause which would be applied to the
>> rows in the RETURNING set
>
> I think you could probably make the DELETE policy control what can get
> deleted, but then have the SELECT policy further filter what gets
> returned.
+1
That's more intuitive to me because another security feature "privilege"
works in that way, i.e., SELECT privilege not DELETE controls RETURNING.
Another minor problem that I found is that pg_dump always fails when
there is a row-level policy for update. I think that the attached patch
should be applied.
Regards,
--
Fujii Masao
