Rod, Robert, * Robert Haas (robertmh...@gmail.com) wrote: > On Fri, Apr 14, 2017 at 9:16 AM, Stephen Frost <sfr...@snowman.net> wrote: > > I agreed already up-thread that there's an issue there and will be > > looking to fix it. That comment was simply replying to Rod's point that > > the documentation could also be improved. > > OK, thanks. The wrap for the next set of minor releases is, according > to my understanding, scheduled for Monday, so you'd better jump on > this soon if you're hoping to get a fix out this time around.
The attached patch against master fixes this issue. Rod, if you get a chance, would be great for you to check that you no longer see a difference between the single ALL policy and the split SELECT/UPDATE policies. Thanks! Stephen
diff --git a/src/backend/rewrite/rowsecurity.c b/src/backend/rewrite/rowsecurity.c new file mode 100644 index 5c8c0cf..5a2c78b *** a/src/backend/rewrite/rowsecurity.c --- b/src/backend/rewrite/rowsecurity.c *************** static void add_with_check_options(Relat *** 78,84 **** List *permissive_policies, List *restrictive_policies, List **withCheckOptions, ! bool *hasSubLinks); static bool check_role_for_policy(ArrayType *policy_roles, Oid user_id); --- 78,85 ---- List *permissive_policies, List *restrictive_policies, List **withCheckOptions, ! bool *hasSubLinks, ! bool force_using); static bool check_role_for_policy(ArrayType *policy_roles, Oid user_id); *************** get_row_security_policies(Query *root, R *** 272,278 **** permissive_policies, restrictive_policies, withCheckOptions, ! hasSubLinks); /* * Get and add ALL/SELECT policies, if SELECT rights are required for --- 273,280 ---- permissive_policies, restrictive_policies, withCheckOptions, ! hasSubLinks, ! false); /* * Get and add ALL/SELECT policies, if SELECT rights are required for *************** get_row_security_policies(Query *root, R *** 295,301 **** select_permissive_policies, select_restrictive_policies, withCheckOptions, ! hasSubLinks); } /* --- 297,304 ---- select_permissive_policies, select_restrictive_policies, withCheckOptions, ! hasSubLinks, ! true); } /* *************** get_row_security_policies(Query *root, R *** 324,330 **** conflict_permissive_policies, conflict_restrictive_policies, withCheckOptions, ! hasSubLinks); /* * Get and add ALL/SELECT policies, as WCO_RLS_CONFLICT_CHECK WCOs --- 327,334 ---- conflict_permissive_policies, conflict_restrictive_policies, withCheckOptions, ! hasSubLinks, ! true); /* * Get and add ALL/SELECT policies, as WCO_RLS_CONFLICT_CHECK WCOs *************** get_row_security_policies(Query *root, R *** 346,352 **** conflict_select_permissive_policies, conflict_select_restrictive_policies, withCheckOptions, ! hasSubLinks); } /* Enforce the WITH CHECK clauses of the UPDATE policies */ --- 350,357 ---- conflict_select_permissive_policies, conflict_select_restrictive_policies, withCheckOptions, ! hasSubLinks, ! true); } /* Enforce the WITH CHECK clauses of the UPDATE policies */ *************** get_row_security_policies(Query *root, R *** 355,361 **** conflict_permissive_policies, conflict_restrictive_policies, withCheckOptions, ! hasSubLinks); } } --- 360,367 ---- conflict_permissive_policies, conflict_restrictive_policies, withCheckOptions, ! hasSubLinks, ! false); } } *************** add_with_check_options(Relation rel, *** 659,671 **** List *permissive_policies, List *restrictive_policies, List **withCheckOptions, ! bool *hasSubLinks) { ListCell *item; List *permissive_quals = NIL; #define QUAL_FOR_WCO(policy) \ ! ( kind != WCO_RLS_CONFLICT_CHECK && \ (policy)->with_check_qual != NULL ? \ (policy)->with_check_qual : (policy)->qual ) --- 665,678 ---- List *permissive_policies, List *restrictive_policies, List **withCheckOptions, ! bool *hasSubLinks, ! bool force_using) { ListCell *item; List *permissive_quals = NIL; #define QUAL_FOR_WCO(policy) \ ! ( !force_using && \ (policy)->with_check_qual != NULL ? \ (policy)->with_check_qual : (policy)->qual )
signature.asc
Description: Digital signature