I also don't see this behavior documented (this is from process_policies()):
/*
* If we end up with only USING quals, then use those as
* WITH CHECK quals also.
*/
if (with_check_quals == NIL) with_check_quals = copyObject(quals);
Now, I do see a reference to it under "Per-Command policies - ALL". It says:
"If an INSERT or UPDATE command attempts to add rows to the table
which do not pass the ALL WITH CHECK (or USING, if no WITH CHECK
expression is defined) expression, the command will error."
But is that really the right place for it? Does it not equally well
apply to FOR UPDATE policies, that can on their own have both barriers
quals and WITH CHECK options? Basically, that seems to me like a
*generic* property of policies (it's a generic thing that the WITH
CHECK options/expressions "shadow" the USING security barrier quals as
check options), and so should be documented as such.
--
Peter Geoghegan
