On 9 April 2015 at 14:56, Dean Rasheed <dean.a.rash...@gmail.com> wrote:
> On 8 April 2015 at 16:27, Stephen Frost <sfr...@snowman.net> wrote: > > * Dean Rasheed (dean.a.rash...@gmail.com) wrote: > >> I actually re-used the sql status code 42501 - > >> ERRCODE_INSUFFICIENT_PRIVILEGE for a RLS check failure because of the > >> parallel with permissions checks, but I quite like Craig's idea of > >> inventing a new status code for this, so that it can be more easily > >> distinguished from a lack of GRANTed privileges. > > > > As I mentioned to Kevin, I'm not sure that this is really a useful > > distinction. I'm quite curious if other systems provide that > > distinction between grant violations and policy violations. If they do > > then that would certainly bolster the argument to provide the > > distinction in PG. > > > > OK, on further reflection I think that's probably right. > > ERRCODE_INSUFFICIENT_PRIVILEGE is certainly more appropriate than > anything based on a WCO violation, because it reflects the fact that > the current user isn't allowed to perform the insert/update, but > another user might be allowed, so this is a privilege problem, not a > data error. > I'd be OK with that too. Reusing WCO's code for something that isn't really "with check option" at all was my concern, really. -- Craig Ringer http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Training & Services