On 8 April 2015 at 16:27, Stephen Frost <sfrost@snowman.net> wrote: > * Dean Rasheed (dean.a.rasheed@gmail.com) wrote: >> I actually re-used the sql status code 42501 - >> ERRCODE_INSUFFICIENT_PRIVILEGE for a RLS check failure because of the >> parallel with permissions checks, but I quite like Craig's idea of >> inventing a new status code for this, so that it can be more easily >> distinguished from a lack of GRANTed privileges. > > As I mentioned to Kevin, I'm not sure that this is really a useful > distinction. I'm quite curious if other systems provide that > distinction between grant violations and policy violations. If they do > then that would certainly bolster the argument to provide the > distinction in PG. >
OK, on further reflection I think that's probably right.
ERRCODE_INSUFFICIENT_PRIVILEGE is certainly more appropriate than anything based on a WCO violation, because it reflects the fact that the current user isn't allowed to perform the insert/update, but another user might be allowed, so this is a privilege problem, not a data error.
I'd be OK with that too. Reusing WCO's code for something that isn't really "with check option" at all was my concern, really.