Stephen, It'd be great if others who are interested can help define the grammar > changes necessary > and perhaps even help with the code aspect of it.
I'd like to help on both. Can you elaborate a little bit more, especially on the code aspect? I don't buy that argument. It is agreed that blind updates and deletes with RETURNING clause are dangerous. It is quite similar here. Instead of using BEGIN UPDATE-or-DELETE-with-RETURNING ROLLBACK as a substitute for SELECT, a malicious user can do a binary search with some trick like divide-by-zero to figure out rows he is not allowed to access. Of course, this is not as serious as RETURNING, but it is still quite convenient for attackers. Thanks, Zhaomo