Postgres Pro
Downloads
Home   >   mailing lists

Row security violation error is misleading - Mailing list pgsql-hackers

From Craig Ringer
Subject Row security violation error is misleading
Date
Msg-id CAMsr+YHS9=nnt6Tqq7Lq14oncSisEC2oseOq+8K6HY+tmSiKKw@mail.gmail.com
Whole thread Raw
Responses Re: Row security violation error is misleading
Re: Row security violation error is misleading
Re: Row security violation error is misleading
List pgsql-hackers
Tree view
When attempting to insert a row that violates a row security policy that applies to writes, the error message emitted references WITH CHECK OPTION, even though (as far as the user knows) there's no such thing involved.
If you understand the internals you'd know that row security re-uses the same logic as WITH CHECK OPTION, but it's going to be confusing for users.

postgres=> INSERT INTO clients (account_name, account_manager) VALUES ('peters', 'peter'), ('johannas', 'johanna');
ERROR:  44000: new row violates WITH CHECK OPTION for "clients"
DETAIL:  Failing row contains (7, johannas, johanna).
LOCATION:  ExecWithCheckOptions, execMain.c:1683


... yet "clients" is a table, not a view, and cannot have a WITH CHECK OPTION clause.

There is no reference to the policy being violated or to the fact that it's row security involved.

I think this is going to be very confusing for users. I was expecting to see something more like:

ERROR:  44000: new row in table 'clients' violates row level security policy 'just_own_clients'


Re-using the SQLSTATE 44000 is a bit iffy too. We should probably define something to differentiate this, like:

   44P01 ROW SECURITY WRITE POLICY VIOLATION



(I've finally found some time to try to review the user-facing side of the row security patch as-committed).


--
 Craig Ringer                   http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services

pgsql-hackers by date:

Previous
From: Craig Ringer
Date:
Subject: PATCH: Add 'pid' column to pg_replication_slots
Next
From: Andres Freund
Date:
Subject: Re: Assertion failure when streaming logical changes