* KaiGai Kohei (kai...@ak.jp.nec.com) wrote: > If rte->requiredPerms would not be cleared, the user of the hook will > be able to check access rights on the child tables, as they like.
This would only be the case for those children which are being touched in the current query, which would depend on what conditionals are applied, what the current setting of check_constraints is, and possibly other factors. I do *not* like this approach. > How about an idea to add a new flag in RangeTblEntry which shows where > the RangeTblEntry came from, instead of clearing requiredPerms? > If the flag is true, I think ExecCheckRTEPerms() can simply skip checks > on the child tables. How about the external module just checks if the current object being queried has parents, and if so, goes and checks the labels/permissions/etc on those children? That way the query either always fails or never fails for a given caller, rather than sometimes working and sometimes not depending on the query. Thanks, Stephen
signature.asc
Description: Digital signature