Hi, On Sat, 16 May 2026 at 22:20, Paul A Jungwirth <[email protected]> wrote:
Skipping the RLS checks to insert the leftovers seems like the correct > behavior to me, since we are skipping the ACL checks (per the > standard). Shouldn't it be consistent? > > I think the reason we skip the checks is that semantically, the > leftovers aren't changing anything: they are preserving the history > that is already there. > > I'm happy to write a doc patch to make this explicit. Does anyone > disagree about the correct behavior though? > I'd treat them separately. Skipping INSERT ACL is a standard-driven call about command privilege; RLS WITH CHECK is a per-row predicate on the data, and the leftover really is a new heap tuple written by the current role. With `WITH CHECK (name <> 'denied')` and a pre-existing 'denied' row (loaded by COPY or before the policy), UPDATE FOR PORTION OF that touches only the range column writes leftovers the role could not have INSERTed directly. That's the part that bothers me, especially since RLS tends to be deployed as a hard security boundary rather than something users expect to opt out of per statement type. Please correct me if I'm wrong here. Regards, Ayush
