> Foreign Key deletions could be handled correctly if you treat them as > updates. If we have the following example > > TableA > security_context=y value=2 fk=1 > > TableB > security_context=x value=1 > > TableA refers to TableB. Context x cannot see context y. > > So if somebody with context x tries to delete value1 from TableB, they > will be refused because of a row they cannot see. In this case the > correct action is to update the tuple in TableB so it now has a > security_context = y. The user with x cannot see it and can be persuaded > he deleted it, while the user with y can still see it.
It seems odd for a low-privilege user to be able to elevate the privilege of a tuple above their own privilege level. I also don't believe that the privilege level is a total order, which might make this something of a sticky wicket. But those are just my thoughts as a non-guru. ...Robert -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers