Thread: Need SELECT rights to UPDATE/DELETE WHERE?

Need SELECT rights to UPDATE/DELETE WHERE?

From

cpp@world-online.no

Date:

01 February 2005, 07:05:36

PostgreSQL 8.0.0 on WinXP Pro, libpq

In my hands it looks like a user with INSERT/DELETE/UPDATE rights on table1
cannot do "update table1 set field1=xx where field2=yy" without also being
granted select rights. However, the user can do "update table1 set field1=xx".
Is this right? Any explanations why it should be like this and any suggestions
on how to get around it without granting select is greatly appreciated.

KP

Re: Need SELECT rights to UPDATE/DELETE WHERE?

From

Tom Lane

Date:

01 February 2005, 08:34:49

cpp@world-online.no writes:
> In my hands it looks like a user with INSERT/DELETE/UPDATE rights on table1
> cannot do "update table1 set field1=xx where field2=yy" without also being
> granted select rights. However, the user can do "update table1 set field1=xx".
> Is this right?

Yes.  Otherwise you can use UPDATEs to infer something about the content
of the table, eg doupdate table1 set field1 = field1 where field2 = yy
and note the result count to find out whether there are any rows with
field2 = yy.  If you didn't give the other guy SELECT rights then
presumably you do not want him to be able to infer any such thing.
        regards, tom lane