On Mon, Sep 28, 2015 at 03:03:51PM -0400, Stephen Frost wrote: > If SELECT rights are required then apply the SELECT policies, even if > the actual command is an UPDATE or DELETE. This covers the RETURNING > case which was discussed previously, so we don't need the explicit check > for that, and further addresses the concern raised by Zhaomo about > someone abusing the WHERE clause in an UPDATE or DELETE. > > Further, if UPDATE rights are required then apply the UPDATE policies, > even if the actual command is a SELECT. This addresses the concern that > a user might be able to lock rows they're not actually allowed to UPDATE > through the UPDATE policies. > > Comments welcome, of course. Barring concerns, I'll get this pushed > tomorrow.
The CREATE POLICY reference page continues to describe the behavior this patch replaced, not today's behavior. -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers