On Tuesday, January 27, 2026, Steve Chavez <[email protected]> wrote:
> Hello hackers,
>
> Currently views are not secure by default since they bypass RLS.
> PostgreSQL 15 introduced the `WITH (security_invoker = true)` option for
> this but it's easy to miss on every new view created.
>
> It's also inconsistent with functions, which default to SECURITY INVOKER.
>

I’d be more inclined to change this incompatibility than try to affect action at a distance with a database setting. But suspect the status-quo is likely to prevail.

Maybe we need a view of views that reference RLS relations that aren’t security_invoker? Add something to the docs? If one knows enough to enable a database setting they can institute different less problematic solutions as well. Maybe we provide an event trigger example.

David J.
