FORCE ROW LEVEL SECURITY doesn't behave as I would expect.
rhaas=# create policy hideit on foo1 using (a < 3);
CREATE POLICY
rhaas=# explain select * from foo1;
QUERY PLAN
---------------------------------------------------------
Seq Scan on foo1 (cost=0.00..22.70 rows=1270 width=36)
(1 row)
rhaas=# alter table foo force row level security;
ALTER TABLE
rhaas=# alter table foo1 enable row level security;
ALTER TABLE
rhaas=# explain select * from foo1;
QUERY PLAN
---------------------------------------------------------
Seq Scan on foo1 (cost=0.00..22.70 rows=1270 width=36)
(1 row)
rhaas=# create user bob;
CREATE ROLE
rhaas=# grant select on foo1 to bob;
GRANT
rhaas=# \c - bob
You are now connected to database "rhaas" as user "bob".
rhaas=> select * from foo1;
a | b
---+---
(0 rows)
rhaas=> explain select * from foo1;
QUERY PLAN
--------------------------------------------------------
Seq Scan on foo1 (cost=0.00..25.88 rows=423 width=36)
Filter: (a < 3)
(2 rows)
Isn't the whole purpose of FORCE ROW LEVEL SECURITY to cause RLS to be
applied even for the table owner?
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
