WIP patch for updatable security barrier views

>From 8bd08e9bb9c984d017512536a17b4578f4c1c157 Mon Sep 17 00:00:00 2001
From: Craig Ringer <craig@2ndquadrant.com>
Date: Fri, 13 Dec 2013 21:47:22 +0800
Subject: [PATCH] Updatable views WIP 2

---
 src/backend/commands/tablecmds.c       |   6 +-
 src/backend/commands/view.c            |  11 +-
 src/backend/optimizer/plan/planmain.c  |  16 ++
 src/backend/optimizer/plan/setrefs.c   |  12 +-
 src/backend/optimizer/prep/preptlist.c |   9 +-
 src/backend/rewrite/rewriteHandler.c   | 333 +++++++++++++--------------------
 src/include/nodes/relation.h           |  14 +-
 src/include/optimizer/prep.h           |   3 +
 src/include/rewrite/rewriteHandler.h   |   1 -
 9 files changed, 185 insertions(+), 220 deletions(-)

diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c
index b9cd88d..a984c03 100644
--- a/src/backend/commands/tablecmds.c
+++ b/src/backend/commands/tablecmds.c
@@ -8806,7 +8806,6 @@ ATExecSetRelOptions(Relation rel, List *defList, AlterTableType operation,
 		List	   *view_options = untransformRelOptions(newOptions);
 		ListCell   *cell;
 		bool		check_option = false;
-		bool		security_barrier = false;
 
 		foreach(cell, view_options)
 		{
@@ -8814,8 +8813,6 @@ ATExecSetRelOptions(Relation rel, List *defList, AlterTableType operation,
 
 			if (pg_strcasecmp(defel->defname, "check_option") == 0)
 				check_option = true;
-			if (pg_strcasecmp(defel->defname, "security_barrier") == 0)
-				security_barrier = defGetBoolean(defel);
 		}
 
 		/*
@@ -8825,8 +8822,7 @@ ATExecSetRelOptions(Relation rel, List *defList, AlterTableType operation,
 		if (check_option)
 		{
 			const char *view_updatable_error =
-				view_query_is_auto_updatable(view_query,
-											 security_barrier, true);
+				view_query_is_auto_updatable(view_query, true);
 
 			if (view_updatable_error)
 				ereport(ERROR,
diff --git a/src/backend/commands/view.c b/src/backend/commands/view.c
index 0703c05..ff84cfb 100644
--- a/src/backend/commands/view.c
+++ b/src/backend/commands/view.c
@@ -314,8 +314,11 @@ DefineViewRules(Oid viewOid, Query *viewParse, bool replace)
 					   list_make1(viewParse));
 
 	/*
-	 * Someday: automatic ON INSERT, etc
+	 * No automatic ON INSERT, etc is needed, since DML can operate
+	 * directly on the subquery expansion of the SELECT view with
+	 * a little massaging. See the rewriter.
 	 */
+
 }
 
 /*---------------------------------------------------------------
@@ -396,7 +399,6 @@ DefineView(ViewStmt *stmt, const char *queryString)
 	RangeVar   *view;
 	ListCell   *cell;
 	bool		check_option;
-	bool		security_barrier;
 
 	/*
 	 * Run parse analysis to convert the raw parse tree to a Query.  Note this
@@ -451,7 +453,6 @@ DefineView(ViewStmt *stmt, const char *queryString)
 	 * specified.
 	 */
 	check_option = false;
-	security_barrier = false;
 
 	foreach(cell, stmt->options)
 	{
@@ -459,8 +460,6 @@ DefineView(ViewStmt *stmt, const char *queryString)
 
 		if (pg_strcasecmp(defel->defname, "check_option") == 0)
 			check_option = true;
-		if (pg_strcasecmp(defel->defname, "security_barrier") == 0)
-			security_barrier = defGetBoolean(defel);
 	}
 
 	/*
@@ -470,7 +469,7 @@ DefineView(ViewStmt *stmt, const char *queryString)
 	if (check_option)
 	{
 		const char *view_updatable_error =
-			view_query_is_auto_updatable(viewParse, security_barrier, true);
+			view_query_is_auto_updatable(viewParse, true);
 
 		if (view_updatable_error)
 			ereport(ERROR,
diff --git a/src/backend/optimizer/plan/planmain.c b/src/backend/optimizer/plan/planmain.c
index 3a4e836..5bd7e31 100644
--- a/src/backend/optimizer/plan/planmain.c
+++ b/src/backend/optimizer/plan/planmain.c
@@ -126,6 +126,22 @@ query_planner(PlannerInfo *root, List *tlist,
 	add_base_rels_to_query(root, (Node *) parse->jointree);
 
 	/*
+	 * The top query's resultRelation RTI may not be referenced in the query
+	 * tree its self, so we need to ensure it gets cached too. Curently arises
+	 * when we're doing DML on a view, where the injected top-level RTE for the
+	 * view's base rel isn't referenced in the query tree.
+	 *
+	 * It is marked RELOPT_RESULTREL because it isn't quite "dead" - it
+	 * must appear in the top level flattened range table of the plan tree
+	 * - but neither does it appear in the join tree and shouldn't be
+	 *   considered in path generation.
+	 */
+	if (root->parse->resultRelation && root->simple_rel_array[root->parse->resultRelation] == NULL)
+		(void) build_simple_rel(root, root->parse->resultRelation, RELOPT_RESULTREL);
+
+	Assert(root->parse->resultRelation == 0 || root->simple_rel_array[root->parse->resultRelation] != NULL);
+
+	/*
 	 * Examine the targetlist and join tree, adding entries to baserel
 	 * targetlists for all referenced Vars, and generating PlaceHolderInfo
 	 * entries for all referenced PlaceHolderVars.	Restrict and join clauses
diff --git a/src/backend/optimizer/plan/setrefs.c b/src/backend/optimizer/plan/setrefs.c
index 5c9f3d6..f503b83 100644
--- a/src/backend/optimizer/plan/setrefs.c
+++ b/src/backend/optimizer/plan/setrefs.c
@@ -268,6 +268,9 @@ add_rtes_to_flat_rtable(PlannerInfo *root, bool recursing)
 	 * Note: this pass over the rangetable can't be combined with the previous
 	 * one, because that would mess up the numbering of the live RTEs in the
 	 * flattened rangetable.
+	 *
+	 * This *only* scans the range-table; it won't see dead subqueries in
+	 * WHERE clauses, etc.
 	 */
 	rti = 1;
 	foreach(lc, root->parse->rtable)
@@ -279,8 +282,15 @@ add_rtes_to_flat_rtable(PlannerInfo *root, bool recursing)
 		 * pulled up into our rangetable already.  Also ignore any subquery
 		 * RTEs without matching RelOptInfos, as they likewise have been
 		 * pulled up.
+		 *
+		 * Testing simple_rel_array_size here ensures that we don't try to access
+		 * root->simple_rel_array when it isn't defined in the simple-query fast-path
+		 * where the join tree is empty - see query_planner(...) in planmain.c.
+		 * This code only ever worked without this test because we don't add dead
+		 * subqueries in WHERE/HAVING/etc to the range-table so if the join tree
+		 * was empty this condition could never be true.
 		 */
-		if (rte->rtekind == RTE_SUBQUERY && !rte->inh)
+		if (rte->rtekind == RTE_SUBQUERY && !rte->inh && root->simple_rel_array_size != 0)
 		{
 			RelOptInfo *rel = root->simple_rel_array[rti];
 
diff --git a/src/backend/optimizer/prep/preptlist.c b/src/backend/optimizer/prep/preptlist.c
index fb67f9e..80db564 100644
--- a/src/backend/optimizer/prep/preptlist.c
+++ b/src/backend/optimizer/prep/preptlist.c
@@ -35,11 +35,6 @@
 #include "parser/parse_coerce.h"
 #include "utils/rel.h"
 
-
-static List *expand_targetlist(List *tlist, int command_type,
-				  Index result_relation, List *range_table);
-
-
 /*
  * preprocess_targetlist
  *	  Driver for preprocessing the parse tree targetlist.
@@ -58,6 +53,8 @@ preprocess_targetlist(PlannerInfo *root, List *tlist)
 	/*
 	 * Sanity check: if there is a result relation, it'd better be a real
 	 * relation not a subquery.  Else parser or rewriter messed up.
+	 * This is true even if we're updating a view/subquery; the result_relation
+	 * must still be the underlying relation RTE.
 	 */
 	if (result_relation)
 	{
@@ -193,7 +190,7 @@ preprocess_targetlist(PlannerInfo *root, List *tlist)
  *	  add targetlist entries for any missing attributes, and ensure the
  *	  non-junk attributes appear in proper field order.
  */
-static List *
+List *
 expand_targetlist(List *tlist, int command_type,
 				  Index result_relation, List *range_table)
 {
diff --git a/src/backend/rewrite/rewriteHandler.c b/src/backend/rewrite/rewriteHandler.c
index 50cb753..bb32e45 100644
--- a/src/backend/rewrite/rewriteHandler.c
+++ b/src/backend/rewrite/rewriteHandler.c
@@ -28,6 +28,7 @@
 #include "utils/builtins.h"
 #include "utils/lsyscache.h"
 #include "utils/rel.h"
+#include "nodes/print.h" /* Temporary for elog_print_display only */
 
 
 /* We use a list of these to detect recursion in RewriteQuery */
@@ -1973,7 +1974,7 @@ view_col_is_auto_updatable(RangeTblRef *rtr, TargetEntry *tle)
  * updatable.
  */
 const char *
-view_query_is_auto_updatable(Query *viewquery, bool security_barrier,
+view_query_is_auto_updatable(Query *viewquery,
 							 bool check_cols)
 {
 	RangeTblRef *rtr;
@@ -2048,14 +2049,6 @@ view_query_is_auto_updatable(Query *viewquery, bool security_barrier,
 		return gettext_noop("Views that return set-returning functions are not automatically updatable.");
 
 	/*
-	 * For now, we also don't support security-barrier views, because of the
-	 * difficulty of keeping upper-level qual expressions away from
-	 * lower-level data.  This might get relaxed in the future.
-	 */
-	if (security_barrier)
-		return gettext_noop("Security-barrier views are not automatically updatable.");
-
-	/*
 	 * The view query should select from a single base relation, which must be
 	 * a table or another view.
 	 */
@@ -2304,7 +2297,6 @@ relation_is_updatable(Oid reloid,
 		Query	   *viewquery = get_view_query(rel);
 
 		if (view_query_is_auto_updatable(viewquery,
-										 RelationIsSecurityView(rel),
 										 false) == NULL)
 		{
 			Bitmapset  *updatable_cols;
@@ -2452,15 +2444,14 @@ rewriteTargetView(Query *parsetree, Relation view)
 	RangeTblEntry *view_rte;
 	RangeTblEntry *new_rte;
 	Relation	base_rel;
-	List	   *view_targetlist;
 	ListCell   *lc;
+	const int command_type = parsetree->commandType;
 
 	/* The view must be updatable, else fail */
 	viewquery = get_view_query(view);
 
 	auto_update_detail =
 		view_query_is_auto_updatable(viewquery,
-									 RelationIsSecurityView(view),
 									 parsetree->commandType != CMD_DELETE);
 
 	if (auto_update_detail)
@@ -2589,15 +2580,32 @@ rewriteTargetView(Query *parsetree, Relation view)
 	heap_close(base_rel, NoLock);
 
 	/*
+	 * For UPDATE, add references to all columns of the base relation to the
+	 * expanded subquery if they weren't already present. We need all cols of
+	 * the base relation to generate the new tuple, even though they aren't
+	 * visible directly to the view user. These must not be revealed in
+	 * a RETURNING clause, and do *not* need the select permission bit on them
+	 * since the user won't ever actually see them.
+	 *
+	 * There's no need to sort these into the proper attribute ordering;
+	 * that'll be done for us in the next rewrite pass.
+	 */
+	if (command_type == CMD_INSERT || command_type == CMD_UPDATE)
+		parsetree->targetList = expand_targetlist(parsetree->targetList, command_type, 
+						  						  parsetree->resultRelation, parsetree->rtable);
+
+	/*
 	 * Create a new target RTE describing the base relation, and add it to the
-	 * outer query's rangetable.  (What's happening in the next few steps is
-	 * very much like what the planner would do to "pull up" the view into the
-	 * outer query.  Perhaps someday we should refactor things enough so that
-	 * we can share code with the planner.)
+	 * outer query's rangetable, then set it as the targetRelation for the query.
+	 * 
+	 * We don't do any pull-up here; the optimizer will do it for non-security-barrier
+	 * views later if it feels like it. The purpose of this RTE is to be the targetRelation,
+	 * and to be the vehicle for write-permission checks against this view.
 	 */
 	new_rte = (RangeTblEntry *) copyObject(base_rte);
 	parsetree->rtable = lappend(parsetree->rtable, new_rte);
 	new_rt_index = list_length(parsetree->rtable);
+	parsetree->resultRelation = new_rt_index;
 
 	/*
 	 * INSERTs never inherit.  For UPDATE/DELETE, we use the view query's
@@ -2607,21 +2615,6 @@ rewriteTargetView(Query *parsetree, Relation view)
 		new_rte->inh = false;
 
 	/*
-	 * Make a copy of the view's targetlist, adjusting its Vars to reference
-	 * the new target RTE, ie make their varnos be new_rt_index instead of
-	 * base_rt_index.  There can be no Vars for other rels in the tlist, so
-	 * this is sufficient to pull up the tlist expressions for use in the
-	 * outer query.  The tlist will provide the replacement expressions used
-	 * by ReplaceVarsFromTargetList below.
-	 */
-	view_targetlist = copyObject(viewquery->targetList);
-
-	ChangeVarNodes((Node *) view_targetlist,
-				   base_rt_index,
-				   new_rt_index,
-				   0);
-
-	/*
 	 * Mark the new target RTE for the permissions checks that we want to
 	 * enforce against the view owner, as distinct from the query caller.  At
 	 * the relation level, require the same INSERT/UPDATE/DELETE permissions
@@ -2650,179 +2643,123 @@ rewriteTargetView(Query *parsetree, Relation view)
 	 * that does not correspond to what happens in ordinary SELECT usage of a
 	 * view: all referenced columns must have read permission, even if
 	 * optimization finds that some of them can be discarded during query
-	 * transformation.	The flattening we're doing here is an optional
-	 * optimization, too.  (If you are unpersuaded and want to change this,
-	 * note that applying adjust_view_column_set to view_rte->selectedCols is
-	 * clearly *not* the right answer, since that neglects base-rel columns
-	 * used in the view's WHERE quals.)
+	 * transformation.
+	 *
+	 * (If you are unpersuaded and want to change this, note that applying
+	 * adjust_view_column_set to view_rte->selectedCols is clearly *not*
+	 * the right answer, since that neglects base-rel columns used in the
+	 * view's WHERE quals.)
 	 *
 	 * This step needs the modified view targetlist, so we have to do things
 	 * in this order.
 	 */
 	Assert(bms_is_empty(new_rte->modifiedCols));
 	new_rte->modifiedCols = adjust_view_column_set(view_rte->modifiedCols,
-												   view_targetlist);
-
-	/*
-	 * For UPDATE/DELETE, rewriteTargetListUD will have added a wholerow junk
-	 * TLE for the view to the end of the targetlist, which we no longer need.
-	 * Remove it to avoid unnecessary work when we process the targetlist.
-	 * Note that when we recurse through rewriteQuery a new junk TLE will be
-	 * added to allow the executor to find the proper row in the new target
-	 * relation.  (So, if we failed to do this, we might have multiple junk
-	 * TLEs with the same name, which would be disastrous.)
-	 */
-	if (parsetree->commandType != CMD_INSERT)
-	{
-		TargetEntry *tle = (TargetEntry *) llast(parsetree->targetList);
-
-		Assert(tle->resjunk);
-		Assert(IsA(tle->expr, Var) &&
-			   ((Var *) tle->expr)->varno == parsetree->resultRelation &&
-			   ((Var *) tle->expr)->varattno == 0);
-		parsetree->targetList = list_delete_ptr(parsetree->targetList, tle);
-	}
-
-	/*
-	 * Now update all Vars in the outer query that reference the view to
-	 * reference the appropriate column of the base relation instead.
-	 */
-	parsetree = (Query *)
-		ReplaceVarsFromTargetList((Node *) parsetree,
-								  parsetree->resultRelation,
-								  0,
-								  view_rte,
-								  view_targetlist,
-								  REPLACEVARS_REPORT_ERROR,
-								  0,
-								  &parsetree->hasSubLinks);
-
-	/*
-	 * Update all other RTI references in the query that point to the view
-	 * (for example, parsetree->resultRelation itself) to point to the new
-	 * base relation instead.  Vars will not be affected since none of them
-	 * reference parsetree->resultRelation any longer.
-	 */
-	ChangeVarNodes((Node *) parsetree,
-				   parsetree->resultRelation,
-				   new_rt_index,
-				   0);
-	Assert(parsetree->resultRelation == new_rt_index);
-
-	/*
-	 * For INSERT/UPDATE we must also update resnos in the targetlist to refer
-	 * to columns of the base relation, since those indicate the target
-	 * columns to be affected.
-	 *
-	 * Note that this destroys the resno ordering of the targetlist, but that
-	 * will be fixed when we recurse through rewriteQuery, which will invoke
-	 * rewriteTargetListIU again on the updated targetlist.
-	 */
-	if (parsetree->commandType != CMD_DELETE)
-	{
-		foreach(lc, parsetree->targetList)
-		{
-			TargetEntry *tle = (TargetEntry *) lfirst(lc);
-			TargetEntry *view_tle;
-
-			if (tle->resjunk)
-				continue;
-
-			view_tle = get_tle_by_resno(view_targetlist, tle->resno);
-			if (view_tle != NULL && !view_tle->resjunk && IsA(view_tle->expr, Var))
-				tle->resno = ((Var *) view_tle->expr)->varattno;
-			else
-				elog(ERROR, "attribute number %d not found in view targetlist",
-					 tle->resno);
-		}
-	}
-
-	/*
-	 * For UPDATE/DELETE, pull up any WHERE quals from the view.  We know that
-	 * any Vars in the quals must reference the one base relation, so we need
-	 * only adjust their varnos to reference the new target (just the same as
-	 * we did with the view targetlist).
-	 *
-	 * For INSERT, the view's quals can be ignored in the main query.
-	 */
-	if (parsetree->commandType != CMD_INSERT &&
-		viewquery->jointree->quals != NULL)
-	{
-		Node	   *viewqual = (Node *) copyObject(viewquery->jointree->quals);
-
-		ChangeVarNodes(viewqual, base_rt_index, new_rt_index, 0);
-		AddQual(parsetree, (Node *) viewqual);
-	}
-
-	/*
-	 * For INSERT/UPDATE, if the view has the WITH CHECK OPTION, or any parent
-	 * view specified WITH CASCADED CHECK OPTION, add the quals from the view
-	 * to the query's withCheckOptions list.
-	 */
-	if (parsetree->commandType != CMD_DELETE)
-	{
-		bool		has_wco = RelationHasCheckOption(view);
-		bool		cascaded = RelationHasCascadedCheckOption(view);
-
-		/*
-		 * If the parent view has a cascaded check option, treat this view as
-		 * if it also had a cascaded check option.
-		 *
-		 * New WithCheckOptions are added to the start of the list, so if there
-		 * is a cascaded check option, it will be the first item in the list.
-		 */
-		if (parsetree->withCheckOptions != NIL)
-		{
-			WithCheckOption *parent_wco =
-				(WithCheckOption *) linitial(parsetree->withCheckOptions);
-
-			if (parent_wco->cascaded)
-			{
-				has_wco = true;
-				cascaded = true;
-			}
-		}
-
-		/*
-		 * Add the new WithCheckOption to the start of the list, so that
-		 * checks on inner views are run before checks on outer views, as
-		 * required by the SQL standard.
-		 *
-		 * If the new check is CASCADED, we need to add it even if this view
-		 * has no quals, since there may be quals on child views.  A LOCAL
-		 * check can be omitted if this view has no quals.
-		 */
-		if (has_wco && (cascaded || viewquery->jointree->quals != NULL))
-		{
-			WithCheckOption *wco;
-
-			wco = makeNode(WithCheckOption);
-			wco->viewname = pstrdup(RelationGetRelationName(view));
-			wco->qual = NULL;
-			wco->cascaded = cascaded;
-
-			parsetree->withCheckOptions = lcons(wco,
-												parsetree->withCheckOptions);
-
-			if (viewquery->jointree->quals != NULL)
-			{
-				wco->qual = (Node *) copyObject(viewquery->jointree->quals);
-				ChangeVarNodes(wco->qual, base_rt_index, new_rt_index, 0);
-
-				/*
-				 * Make sure that the query is marked correctly if the added
-				 * qual has sublinks.  We can skip this check if the query is
-				 * already marked, or if the command is an UPDATE, in which
-				 * case the same qual will have already been added to the
-				 * query's WHERE clause, and AddQual will have already done
-				 * this check.
-				 */
-				if (!parsetree->hasSubLinks &&
-					parsetree->commandType != CMD_UPDATE)
-					parsetree->hasSubLinks = checkExprHasSubLink(wco->qual);
-			}
-		}
-	}
+												   viewquery->targetList);
+
+ 	/*
+ 	 * For INSERT/UPDATE we must also update resnos in the targetlist to refer
+ 	 * to columns of the base relation, since those indicate the target
+ 	 * columns to be affected.
+ 	 *
+ 	 * Note that this destroys the resno ordering of the targetlist, but that
+ 	 * will be fixed when we recurse through rewriteQuery, which will invoke
+ 	 * rewriteTargetListIU again on the updated targetlist.
+ 	 *
+ 	 * Failure to perform this step would cause UPDATEs or INSERTs on 
+ 	 * a view with a different column ordering to the base relation to fail.
+ 	 */
+ 	if (parsetree->commandType != CMD_DELETE)
+ 	{
+ 		foreach(lc, parsetree->targetList)
+ 		{
+ 			TargetEntry *tle = (TargetEntry *) lfirst(lc);
+ 			TargetEntry *view_tle;
+ 
+ 			if (tle->resjunk)
+ 				continue;
+ 
+ 			view_tle = get_tle_by_resno(viewquery->targetList, tle->resno);
+ 			if (view_tle != NULL && !view_tle->resjunk && IsA(view_tle->expr, Var))
+ 				tle->resno = ((Var *) view_tle->expr)->varattno;
+ 			else
+ 				elog(ERROR, "attribute number %d not found in view targetlist",
+ 					 tle->resno);
+ 		}
+ 	}
+ 
+ 	/*
+ 	 * For INSERT/UPDATE, if the view has the WITH CHECK OPTION, or any parent
+ 	 * view specified WITH CASCADED CHECK OPTION, add the quals from the view
+ 	 * to the query's withCheckOptions list.
+ 	 */
+ 	if (parsetree->commandType != CMD_DELETE)
+ 	{
+ 		bool		has_wco = RelationHasCheckOption(view);
+ 		bool		cascaded = RelationHasCascadedCheckOption(view);
+ 
+ 		/*
+ 		 * If the parent view has a cascaded check option, treat this view as
+ 		 * if it also had a cascaded check option.
+ 		 *
+ 		 * New WithCheckOptions are added to the start of the list, so if there
+ 		 * is a cascaded check option, it will be the first item in the list.
+ 		 */
+ 		if (parsetree->withCheckOptions != NIL)
+ 		{
+ 			WithCheckOption *parent_wco =
+ 				(WithCheckOption *) linitial(parsetree->withCheckOptions);
+ 
+ 			if (parent_wco->cascaded)
+ 			{
+ 				has_wco = true;
+ 				cascaded = true;
+ 			}
+ 		}
+ 
+ 		/*
+ 		 * Add the new WithCheckOption to the start of the list, so that
+ 		 * checks on inner views are run before checks on outer views, as
+ 		 * required by the SQL standard.
+ 		 *
+ 		 * If the new check is CASCADED, we need to add it even if this view
+ 		 * has no quals, since there may be quals on child views.  A LOCAL
+ 		 * check can be omitted if this view has no quals.
+ 		 */
+ 		if (has_wco && (cascaded || viewquery->jointree->quals != NULL))
+ 		{
+ 			WithCheckOption *wco;
+ 
+ 			wco = makeNode(WithCheckOption);
+ 			wco->viewname = pstrdup(RelationGetRelationName(view));
+ 			wco->qual = NULL;
+ 			wco->cascaded = cascaded;
+ 
+ 			parsetree->withCheckOptions = lcons(wco,
+ 												parsetree->withCheckOptions);
+ 
+ 			if (viewquery->jointree->quals != NULL)
+ 			{
+ 				wco->qual = (Node *) copyObject(viewquery->jointree->quals);
+ 				ChangeVarNodes(wco->qual, base_rt_index, new_rt_index, 0);
+ 
+ 				/*
+ 				 * Make sure that the query is marked correctly if the added
+ 				 * qual has sublinks.  We can skip this check if the query is
+ 				 * already marked, or if the command is an UPDATE, in which
+ 				 * case the same qual will have already been added to the
+ 				 * query's WHERE clause, and AddQual will have already done
+ 				 * this check.
+ 				 */
+ 				if (!parsetree->hasSubLinks &&
+ 					parsetree->commandType != CMD_UPDATE)
+ 					parsetree->hasSubLinks = checkExprHasSubLink(wco->qual);
+ 			}
+ 		}
+ 	}
+
+    elog_node_display(LOG, "parse_tree after upd view rewrite", parsetree,
+                      true);
 
 	return parsetree;
 }
diff --git a/src/include/nodes/relation.h b/src/include/nodes/relation.h
index 6d7b594..70c2972 100644
--- a/src/include/nodes/relation.h
+++ b/src/include/nodes/relation.h
@@ -275,7 +275,7 @@ typedef struct PlannerInfo
  * is the joining of two or more base rels.  A joinrel is identified by
  * the set of RT indexes for its component baserels.  We create RelOptInfo
  * nodes for each baserel and joinrel, and store them in the PlannerInfo's
- * simple_rel_array and join_rel_list respectively.
+ * simple_rel_array and join_rel_list respectively. 
  *
  * Note that there is only one joinrel for any given set of component
  * baserels, no matter what order we assemble them in; so an unordered
@@ -283,10 +283,17 @@ typedef struct PlannerInfo
  *
  * We also have "other rels", which are like base rels in that they refer to
  * single RT indexes; but they are not part of the join tree, and are given
- * a different RelOptKind to identify them.  Lastly, there is a RelOptKind
+ * a different RelOptKind to identify them.  There is also a RelOptKind
  * for "dead" relations, which are base rels that we have proven we don't
  * need to join after all.
  *
+ * A "resultrel" (RELOPT_RESULTREL) is a relation that doesn't appear in the join
+ * tree, and is used only as the target for the ModifyTable node in an
+ * INSERT/UPDATE/DELETE. This arises when we're updating a view or subquery, as
+ * the RTE for the target is buried in a subquery and the ModifyTable node
+ * needs one at the top level. The injected RTE is marked RELOPT_RESULTREL
+ * so it isn't considered in join tree sanity checking, etc.
+ *
  * Currently the only kind of otherrels are those made for member relations
  * of an "append relation", that is an inheritance set or UNION ALL subquery.
  * An append relation has a parent RTE that is a base rel, which represents
@@ -404,7 +411,8 @@ typedef enum RelOptKind
 	RELOPT_BASEREL,
 	RELOPT_JOINREL,
 	RELOPT_OTHER_MEMBER_REL,
-	RELOPT_DEADREL
+	RELOPT_DEADREL,
+	RELOPT_RESULTREL
 } RelOptKind;
 
 typedef struct RelOptInfo
diff --git a/src/include/optimizer/prep.h b/src/include/optimizer/prep.h
index 0934e63..e37b8a5 100644
--- a/src/include/optimizer/prep.h
+++ b/src/include/optimizer/prep.h
@@ -40,6 +40,9 @@ extern Expr *canonicalize_qual(Expr *qual);
  */
 extern List *preprocess_targetlist(PlannerInfo *root, List *tlist);
 
+extern List *expand_targetlist(List *tlist, int command_type,
+							   Index result_relation, List *range_table);
+
 extern PlanRowMark *get_plan_rowmark(List *rowmarks, Index rtindex);
 
 /*
diff --git a/src/include/rewrite/rewriteHandler.h b/src/include/rewrite/rewriteHandler.h
index c959590..ce56d7b 100644
--- a/src/include/rewrite/rewriteHandler.h
+++ b/src/include/rewrite/rewriteHandler.h
@@ -23,7 +23,6 @@ extern void AcquireRewriteLocks(Query *parsetree, bool forUpdatePushedDown);
 extern Node *build_column_default(Relation rel, int attrno);
 extern Query *get_view_query(Relation view);
 extern const char *view_query_is_auto_updatable(Query *viewquery,
-										 bool security_barrier,
 										 bool check_cols);
 extern int	relation_is_updatable(Oid reloid,
 						  bool include_triggers,
-- 
1.8.3.1

diff --git a/doc/src/sgml/ref/create_view.sgml b/doc/src/sgml/ref/create_view.sgml
new file mode 100644
index e0fbe1e..888410f
*** a/doc/src/sgml/ref/create_view.sgml
--- b/doc/src/sgml/ref/create_view.sgml
*************** CREATE VIEW vista AS SELECT text 'Hello
*** 323,334 ****
         or set-returning functions.
        </para>
       </listitem>
- 
-      <listitem>
-       <para>
-        The view must not have the <literal>security_barrier</> property.
-       </para>
-      </listitem>
      </itemizedlist>
     </para>
  
--- 323,328 ----
diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c
new file mode 100644
index b9cd88d..a984c03
*** a/src/backend/commands/tablecmds.c
--- b/src/backend/commands/tablecmds.c
*************** ATExecSetRelOptions(Relation rel, List *
*** 8806,8812 ****
  		List	   *view_options = untransformRelOptions(newOptions);
  		ListCell   *cell;
  		bool		check_option = false;
- 		bool		security_barrier = false;
  
  		foreach(cell, view_options)
  		{
--- 8806,8811 ----
*************** ATExecSetRelOptions(Relation rel, List *
*** 8814,8821 ****
  
  			if (pg_strcasecmp(defel->defname, "check_option") == 0)
  				check_option = true;
- 			if (pg_strcasecmp(defel->defname, "security_barrier") == 0)
- 				security_barrier = defGetBoolean(defel);
  		}
  
  		/*
--- 8813,8818 ----
*************** ATExecSetRelOptions(Relation rel, List *
*** 8825,8832 ****
  		if (check_option)
  		{
  			const char *view_updatable_error =
! 				view_query_is_auto_updatable(view_query,
! 											 security_barrier, true);
  
  			if (view_updatable_error)
  				ereport(ERROR,
--- 8822,8828 ----
  		if (check_option)
  		{
  			const char *view_updatable_error =
! 				view_query_is_auto_updatable(view_query, true);
  
  			if (view_updatable_error)
  				ereport(ERROR,
diff --git a/src/backend/commands/view.c b/src/backend/commands/view.c
new file mode 100644
index 0703c05..8a43aa4
*** a/src/backend/commands/view.c
--- b/src/backend/commands/view.c
*************** DefineView(ViewStmt *stmt, const char *q
*** 396,402 ****
  	RangeVar   *view;
  	ListCell   *cell;
  	bool		check_option;
- 	bool		security_barrier;
  
  	/*
  	 * Run parse analysis to convert the raw parse tree to a Query.  Note this
--- 396,401 ----
*************** DefineView(ViewStmt *stmt, const char *q
*** 451,457 ****
  	 * specified.
  	 */
  	check_option = false;
- 	security_barrier = false;
  
  	foreach(cell, stmt->options)
  	{
--- 450,455 ----
*************** DefineView(ViewStmt *stmt, const char *q
*** 459,466 ****
  
  		if (pg_strcasecmp(defel->defname, "check_option") == 0)
  			check_option = true;
- 		if (pg_strcasecmp(defel->defname, "security_barrier") == 0)
- 			security_barrier = defGetBoolean(defel);
  	}
  
  	/*
--- 457,462 ----
*************** DefineView(ViewStmt *stmt, const char *q
*** 470,476 ****
  	if (check_option)
  	{
  		const char *view_updatable_error =
! 			view_query_is_auto_updatable(viewParse, security_barrier, true);
  
  		if (view_updatable_error)
  			ereport(ERROR,
--- 466,472 ----
  	if (check_option)
  	{
  		const char *view_updatable_error =
! 			view_query_is_auto_updatable(viewParse, true);
  
  		if (view_updatable_error)
  			ereport(ERROR,
diff --git a/src/backend/nodes/copyfuncs.c b/src/backend/nodes/copyfuncs.c
new file mode 100644
index e4184c5..255ade9
*** a/src/backend/nodes/copyfuncs.c
--- b/src/backend/nodes/copyfuncs.c
*************** _copyRangeTblEntry(const RangeTblEntry *
*** 1998,2003 ****
--- 1998,2004 ----
  	COPY_SCALAR_FIELD(checkAsUser);
  	COPY_BITMAPSET_FIELD(selectedCols);
  	COPY_BITMAPSET_FIELD(modifiedCols);
+ 	COPY_NODE_FIELD(securityQuals);
  
  	return newnode;
  }
diff --git a/src/backend/nodes/equalfuncs.c b/src/backend/nodes/equalfuncs.c
new file mode 100644
index 0cdb947..cab71ac
*** a/src/backend/nodes/equalfuncs.c
--- b/src/backend/nodes/equalfuncs.c
*************** _equalRangeTblEntry(const RangeTblEntry
*** 2278,2283 ****
--- 2278,2284 ----
  	COMPARE_SCALAR_FIELD(checkAsUser);
  	COMPARE_BITMAPSET_FIELD(selectedCols);
  	COMPARE_BITMAPSET_FIELD(modifiedCols);
+ 	COMPARE_NODE_FIELD(securityQuals);
  
  	return true;
  }
diff --git a/src/backend/nodes/nodeFuncs.c b/src/backend/nodes/nodeFuncs.c
new file mode 100644
index 17626f9..9bb62ba
*** a/src/backend/nodes/nodeFuncs.c
--- b/src/backend/nodes/nodeFuncs.c
*************** range_table_walker(List *rtable,
*** 2020,2025 ****
--- 2020,2028 ----
  					return true;
  				break;
  		}
+ 
+ 		if (walker(rte->securityQuals, context))
+ 			return true;
  	}
  	return false;
  }
*************** range_table_mutator(List *rtable,
*** 2755,2760 ****
--- 2758,2764 ----
  				MUTATE(newrte->values_lists, rte->values_lists, List *);
  				break;
  		}
+ 		MUTATE(newrte->securityQuals, rte->securityQuals, List *);
  		newrt = lappend(newrt, newrte);
  	}
  	return newrt;
diff --git a/src/backend/nodes/outfuncs.c b/src/backend/nodes/outfuncs.c
new file mode 100644
index 4f63906..43502b0
*** a/src/backend/nodes/outfuncs.c
--- b/src/backend/nodes/outfuncs.c
*************** _outRangeTblEntry(StringInfo str, const
*** 2409,2414 ****
--- 2409,2415 ----
  	WRITE_OID_FIELD(checkAsUser);
  	WRITE_BITMAPSET_FIELD(selectedCols);
  	WRITE_BITMAPSET_FIELD(modifiedCols);
+ 	WRITE_NODE_FIELD(securityQuals);
  }
  
  static void
diff --git a/src/backend/nodes/readfuncs.c b/src/backend/nodes/readfuncs.c
new file mode 100644
index aba6d4e..941c038
*** a/src/backend/nodes/readfuncs.c
--- b/src/backend/nodes/readfuncs.c
*************** _readRangeTblEntry(void)
*** 1250,1255 ****
--- 1250,1256 ----
  	READ_OID_FIELD(checkAsUser);
  	READ_BITMAPSET_FIELD(selectedCols);
  	READ_BITMAPSET_FIELD(modifiedCols);
+ 	READ_NODE_FIELD(securityQuals);
  
  	READ_DONE();
  }
diff --git a/src/backend/optimizer/plan/planner.c b/src/backend/optimizer/plan/planner.c
new file mode 100644
index 1da4b2f..93097b0
*** a/src/backend/optimizer/plan/planner.c
--- b/src/backend/optimizer/plan/planner.c
*************** inheritance_planner(PlannerInfo *root)
*** 916,921 ****
--- 916,927 ----
  		subplan = grouping_planner(&subroot, 0.0 /* retrieve all tuples */ );
  
  		/*
+ 		 * Planning may have modified the query result relation (if there
+ 		 * were security barrier quals on the result RTE).
+ 		 */
+ 		appinfo->child_relid = subroot.parse->resultRelation;
+ 
+ 		/*
  		 * If this child rel was excluded by constraint exclusion, exclude it
  		 * from the result plan.
  		 */
*************** inheritance_planner(PlannerInfo *root)
*** 932,940 ****
  		if (final_rtable == NIL)
  			final_rtable = subroot.parse->rtable;
  		else
! 			final_rtable = list_concat(final_rtable,
  									   list_copy_tail(subroot.parse->rtable,
  												 list_length(final_rtable)));
  
  		/*
  		 * We need to collect all the RelOptInfos from all child plans into
--- 938,969 ----
  		if (final_rtable == NIL)
  			final_rtable = subroot.parse->rtable;
  		else
! 		{
! 			List	   *tmp_rtable = NIL;
! 			ListCell   *cell1, *cell2;
! 
! 			/*
! 			 * Planning this new child may have turned some of the original
! 			 * RTEs into subqueries (if they had security barrier quals). If
! 			 * so, we want to use these in the final rtable.
! 			 */
! 			forboth(cell1, final_rtable, cell2, subroot.parse->rtable)
! 			{
! 				RangeTblEntry *rte1 = (RangeTblEntry *) lfirst(cell1);
! 				RangeTblEntry *rte2 = (RangeTblEntry *) lfirst(cell2);
! 
! 				if (rte1->rtekind == RTE_RELATION &&
! 					rte1->securityQuals != NIL &&
! 					rte2->rtekind == RTE_SUBQUERY)
! 					tmp_rtable = lappend(tmp_rtable, rte2);
! 				else
! 					tmp_rtable = lappend(tmp_rtable, rte1);
! 			}
! 
! 			final_rtable = list_concat(tmp_rtable,
  									   list_copy_tail(subroot.parse->rtable,
  												 list_length(final_rtable)));
+ 		}
  
  		/*
  		 * We need to collect all the RelOptInfos from all child plans into
*************** grouping_planner(PlannerInfo *root, doub
*** 1163,1168 ****
--- 1192,1203 ----
  		tlist = preprocess_targetlist(root, tlist);
  
  		/*
+ 		 * Expand any rangetable entries that have security barrier quals.
+ 		 * This may add new security barrier subquery RTEs to the rangetable.
+ 		 */
+ 		expand_security_quals(root, tlist);
+ 
+ 		/*
  		 * Locate any window functions in the tlist.  (We don't need to look
  		 * anywhere else, since expressions used in ORDER BY will be in there
  		 * too.)  Note that they could all have been eliminated by constant
diff --git a/src/backend/optimizer/prep/Makefile b/src/backend/optimizer/prep/Makefile
new file mode 100644
index 86301bf..5195d9b
*** a/src/backend/optimizer/prep/Makefile
--- b/src/backend/optimizer/prep/Makefile
*************** subdir = src/backend/optimizer/prep
*** 12,17 ****
  top_builddir = ../../../..
  include $(top_builddir)/src/Makefile.global
  
! OBJS = prepjointree.o prepqual.o preptlist.o prepunion.o
  
  include $(top_srcdir)/src/backend/common.mk
--- 12,17 ----
  top_builddir = ../../../..
  include $(top_builddir)/src/Makefile.global
  
! OBJS = prepjointree.o prepqual.o prepsecurity.o preptlist.o prepunion.o
  
  include $(top_srcdir)/src/backend/common.mk
diff --git a/src/backend/optimizer/prep/prepsecurity.c b/src/backend/optimizer/prep/prepsecurity.c
new file mode 100644
index ...e7a3f56
*** a/src/backend/optimizer/prep/prepsecurity.c
--- b/src/backend/optimizer/prep/prepsecurity.c
***************
*** 0 ****
--- 1,423 ----
+ /*-------------------------------------------------------------------------
+  *
+  * prepsecurity.c
+  *	  Routines for preprocessing security barrier quals.
+  *
+  * Portions Copyright (c) 1996-2013, PostgreSQL Global Development Group
+  * Portions Copyright (c) 1994, Regents of the University of California
+  *
+  *
+  * IDENTIFICATION
+  *	  src/backend/optimizer/prep/prepsecurity.c
+  *
+  *-------------------------------------------------------------------------
+  */
+ #include "postgres.h"
+ 
+ #include "access/heapam.h"
+ #include "access/sysattr.h"
+ #include "catalog/heap.h"
+ #include "nodes/makefuncs.h"
+ #include "nodes/nodeFuncs.h"
+ #include "optimizer/prep.h"
+ #include "parser/parsetree.h"
+ #include "rewrite/rewriteManip.h"
+ #include "utils/rel.h"
+ 
+ 
+ typedef struct
+ {
+ 	int			rt_index;		/* Index of security barrier RTE */
+ 	int			sublevels_up;	/* Current nesting depth */
+ 	Relation	rel;			/* RTE relation at rt_index */
+ 	List	   *targetlist;		/* Targetlist for new subquery RTE */
+ 	List	   *colnames;		/* Column names in subquery RTE */
+ 	List	   *vars_processed;	/* List of Vars already processed */
+ } security_barrier_replace_vars_context;
+ 
+ static void expand_security_qual(Query *parse, List *tlist, int rt_index, Node *qual);
+ 
+ static void security_barrier_replace_vars(Node *node,
+ 							  security_barrier_replace_vars_context *context);
+ 
+ static bool security_barrier_replace_vars_walker(Node *node,
+ 									 security_barrier_replace_vars_context *context);
+ 
+ 
+ /*
+  * expand_security_quals -
+  *	  expands any security barrier quals on RTEs in the query rtable, turning
+  *	  them into security barrier subqueries.
+  *
+  * Any given RTE may have multiple security barrier quals in a list, from which
+  * we create a set of nested subqueries to isolate each security barrier from
+  * the others, providing protection against malicious user-defined security
+  * barriers.  The first security barrier qual in the list will be used in the
+  * innermost subquery.
+  */
+ void
+ expand_security_quals(PlannerInfo *root, List *tlist)
+ {
+ 	Query	   *parse = root->parse;
+ 	int			rt_index;
+ 
+ 	/*
+ 	 * Process each RTE in the rtable list.
+ 	 *
+ 	 * Note that this is deliberately not a foreach loop, since the rtable may
+ 	 * be modified each time through the loop.
+ 	 */
+ 	rt_index = 0;
+ 	while (rt_index < list_length(parse->rtable))
+ 	{
+ 		RangeTblEntry *rte;
+ 
+ 		rt_index++;
+ 		rte = rt_fetch(rt_index, parse->rtable);
+ 
+ 		if (rte->securityQuals == NIL)
+ 			continue;
+ 
+ 		/*
+ 		 * Ignore any RTEs that aren't used in the query (such RTEs may be
+ 		 * present for permissions checks).
+ 		 */
+ 		if (rt_index != parse->resultRelation &&
+ 			!rangeTableEntry_used((Node *) parse, rt_index, 0))
+ 			continue;
+ 
+ 		/*
+ 		 * If this RTE is the target then we need to make a copy of it before
+ 		 * expanding it.  The unexpanded copy will become the new target, and
+ 		 * the original RTE will be expanded to become the source of rows to
+ 		 * update/delete.
+ 		 */
+ 		if (rt_index == parse->resultRelation)
+ 		{
+ 			RangeTblEntry *newrte = copyObject(rte);
+ 			parse->rtable = lappend(parse->rtable, newrte);
+ 			parse->resultRelation = list_length(parse->rtable);
+ 
+ 			/*
+ 			 * Wipe out any copied security barrier quals on the new target to
+ 			 * prevent infinite recursion.
+ 			 */
+ 			newrte->securityQuals = NIL;
+ 
+ 			/*
+ 			 * There's no need to do permissions checks twice, so wipe out the
+ 			 * permissions info for the original RTE (we prefer to keep the
+ 			 * bits set on the result RTE).
+ 			 */
+ 			rte->requiredPerms = 0;
+ 			rte->checkAsUser = InvalidOid;
+ 			rte->selectedCols = NULL;
+ 			rte->modifiedCols = NULL;
+ 
+ 			/*
+ 			 * For the most part, Vars referencing the original relation should
+ 			 * remain as they are, meaning that they pull OLD values from the
+ 			 * expanded RTE.  But in the RETURNING list and in any WITH CHECK
+ 			 * OPTION quals, we want such Vars to represent NEW values, so
+ 			 * change them to reference the new RTE.
+ 			 */
+ 			ChangeVarNodes((Node *) parse->returningList, rt_index,
+ 						   parse->resultRelation, 0);
+ 
+ 			ChangeVarNodes((Node *) parse->withCheckOptions, rt_index,
+ 						   parse->resultRelation, 0);
+ 		}
+ 
+ 		/*
+ 		 * Process each security barrier qual in turn, starting with the
+ 		 * innermost one (the first in the list) and working outwards.
+ 		 *
+ 		 * We remove each qual from the list before processing it, so that its
+ 		 * variables aren't modified by expand_security_qual.  Also we don't
+ 		 * necessarily want the attributes referred to by the qual to be
+ 		 * exposed by the newly built subquery.
+ 		 */
+ 		while (rte->securityQuals != NIL)
+ 		{
+ 			Node   *qual = (Node *) linitial(rte->securityQuals);
+ 			rte->securityQuals = list_delete_first(rte->securityQuals);
+ 
+ 			ChangeVarNodes(qual, rt_index, 1, 0);
+ 			expand_security_qual(parse, tlist, rt_index, qual);
+ 		}
+ 	}
+ }
+ 
+ 
+ /*
+  * expand_security_qual -
+  *	  expand the specified security barrier qual on a query RTE, turning the
+  *	  RTE into a security barrier subquery.
+  */
+ static void
+ expand_security_qual(Query *parse, List *tlist, int rt_index, Node *qual)
+ {
+ 	RangeTblEntry  *rte;
+ 	Oid				relid;
+ 	Query		   *subquery;
+ 	RangeTblEntry  *subrte;
+ 	RangeTblRef	   *subrtr;
+ 	security_barrier_replace_vars_context context;
+ 	ListCell	   *cell;
+ 
+ 	rte = rt_fetch(rt_index, parse->rtable);
+ 	relid = rte->relid;
+ 
+ 	/*
+ 	 * There should only be 2 possible cases:
+ 	 *
+ 	 * 1. A relation RTE, which we turn into a subquery RTE containing all
+ 	 * referenced columns.
+ 	 *
+ 	 * 2. A subquery RTE (either from a prior call to this function or from an
+ 	 * expanded view).  In this case we build a new subquery on top of it to
+ 	 * isolate this security barrier qual from any other quals.
+ 	 */
+ 	switch (rte->rtekind)
+ 	{
+ 		case RTE_RELATION:
+ 			/*
+ 			 * Turn the relation RTE into a security barrier subquery RTE,
+ 			 * moving all permissions checks down into the subquery.
+ 			 */
+ 			subquery = makeNode(Query);
+ 			subquery->commandType = CMD_SELECT;
+ 			subquery->querySource = QSRC_INSTEAD_RULE;
+ 
+ 			subrte = copyObject(rte);
+ 			subrte->inFromCl = true;
+ 			subrte->securityQuals = NIL;
+ 			subquery->rtable = list_make1(subrte);
+ 
+ 			subrtr = makeNode(RangeTblRef);
+ 			subrtr->rtindex = 1;
+ 			subquery->jointree = makeFromExpr(list_make1(subrtr), qual);
+ 			subquery->hasSubLinks = checkExprHasSubLink(qual);
+ 
+ 			rte->rtekind = RTE_SUBQUERY;
+ 			rte->relid = InvalidOid;
+ 			rte->subquery = subquery;
+ 			rte->security_barrier = true;
+ 			rte->inh = false;			/* must not be set for a subquery */
+ 
+ 			/* the permissions checks have now been moved down */
+ 			rte->requiredPerms = 0;
+ 			rte->checkAsUser = InvalidOid;
+ 			rte->selectedCols = NULL;
+ 			rte->modifiedCols = NULL;
+ 
+ 			/*
+ 			 * Replace any variables in the outer query that refer to the
+ 			 * original relation RTE with references to columns that we will
+ 			 * expose in the new subquery, building the subquery's targetlist
+ 			 * as we go.
+ 			 */
+ 			context.rt_index = rt_index;
+ 			context.sublevels_up = 0;
+ 			context.rel = heap_open(relid, NoLock);
+ 			context.targetlist = NIL;
+ 			context.colnames = NIL;
+ 			context.vars_processed = NIL;
+ 
+ 			security_barrier_replace_vars((Node *) parse, &context);
+ 			security_barrier_replace_vars((Node *) tlist, &context);
+ 
+ 			heap_close(context.rel, NoLock);
+ 
+ 			/* Now we know what columns the subquery needs to expose */
+ 			rte->subquery->targetList = context.targetlist;
+ 			rte->eref = makeAlias(rte->eref->aliasname, context.colnames);
+ 
+ 			break;
+ 
+ 		case RTE_SUBQUERY:
+ 			/*
+ 			 * Build a new subquery that includes all the same columns as the
+ 			 * original subquery.
+ 			 */
+ 			subquery = makeNode(Query);
+ 			subquery->commandType = CMD_SELECT;
+ 			subquery->querySource = QSRC_INSTEAD_RULE;
+ 			subquery->targetList = NIL;
+ 
+ 			foreach(cell, rte->subquery->targetList)
+ 			{
+ 				TargetEntry	   *tle;
+ 				Var			   *var;
+ 
+ 				tle = (TargetEntry *) lfirst(cell);
+ 				var = makeVarFromTargetEntry(1, tle);
+ 
+ 				tle = makeTargetEntry((Expr *) var,
+ 									  list_length(subquery->targetList) + 1,
+ 									  pstrdup(tle->resname),
+ 									  tle->resjunk);
+ 				subquery->targetList = lappend(subquery->targetList, tle);
+ 			}
+ 
+ 			subrte = makeNode(RangeTblEntry);
+ 			subrte->rtekind = RTE_SUBQUERY;
+ 			subrte->subquery = rte->subquery;
+ 			subrte->security_barrier = rte->security_barrier;
+ 			subrte->eref = copyObject(rte->eref);
+ 			subrte->inFromCl = true;
+ 			subquery->rtable = list_make1(subrte);
+ 
+ 			subrtr = makeNode(RangeTblRef);
+ 			subrtr->rtindex = 1;
+ 			subquery->jointree = makeFromExpr(list_make1(subrtr), qual);
+ 			subquery->hasSubLinks = checkExprHasSubLink(qual);
+ 
+ 			rte->subquery = subquery;
+ 			rte->security_barrier = true;
+ 
+ 			break;
+ 
+ 		default:
+ 			elog(ERROR, "invalid range table entry for security barrier qual");
+ 	}
+ }
+ 
+ 
+ /*
+  * security_barrier_replace_vars -
+  *	  Apply security barrier variable replacement to an expression tree.
+  *
+  * This also builds/updates a targetlist with entries for each replacement
+  * variable that needs to be exposed by the security barrier subquery RTE.
+  *
+  * NOTE: although this has the form of a walker, we cheat and modify the
+  * nodes in-place.	The given expression tree should have been copied
+  * earlier to ensure that no unwanted side-effects occur!
+  */
+ static void
+ security_barrier_replace_vars(Node *node,
+ 							  security_barrier_replace_vars_context *context)
+ {
+ 	/*
+ 	 * Must be prepared to start with a Query or a bare expression tree; if
+ 	 * it's a Query, go straight to query_tree_walker to make sure that
+ 	 * sublevels_up doesn't get incremented prematurely.
+ 	 */
+ 	if (node && IsA(node, Query))
+ 		query_tree_walker((Query *) node,
+ 						  security_barrier_replace_vars_walker,
+ 						  (void *) context, 0);
+ 	else
+ 		security_barrier_replace_vars_walker(node, context);
+ }
+ 
+ static bool
+ security_barrier_replace_vars_walker(Node *node,
+ 									 security_barrier_replace_vars_context *context)
+ {
+ 	if (node == NULL)
+ 		return false;
+ 	if (IsA(node, Var))
+ 	{
+ 		Var		   *var = (Var *) node;
+ 
+ 		/*
+ 		 * Note that the same Var may be present in different lists, so we
+ 		 * need to take care not to process it multiple times.
+ 		 */
+ 		if (var->varno == context->rt_index &&
+ 			var->varlevelsup == context->sublevels_up &&
+ 			!list_member_ptr(context->vars_processed, var))
+ 		{
+ 			/*
+ 			 * Found a matching variable. Make sure that it is in the subquery
+ 			 * targetlist and map its attno accordingly.
+ 			 */
+ 			AttrNumber	attno;
+ 			ListCell   *l;
+ 			TargetEntry *tle;
+ 			char	   *attname;
+ 			Var		   *newvar;
+ 
+ 			/* Search for the base attribute in the subquery targetlist */
+ 			attno = InvalidAttrNumber;
+ 			foreach(l, context->targetlist)
+ 			{
+ 				tle = (TargetEntry *) lfirst(l);
+ 				attno++;
+ 
+ 				Assert(IsA(tle->expr, Var));
+ 				if (((Var *) tle->expr)->varattno == var->varattno &&
+ 					((Var *) tle->expr)->varcollid == var->varcollid)
+ 				{
+ 					/* Map the variable onto this subquery targetlist entry */
+ 					var->varattno = attno;
+ 					return false;
+ 				}
+ 			}
+ 
+ 			/* Not in the subquery targetlist, so add it. Get its name. */
+ 			if (var->varattno < 0)
+ 			{
+ 				Form_pg_attribute att_tup;
+ 
+ 				att_tup = SystemAttributeDefinition(var->varattno,
+ 													context->rel->rd_rel->relhasoids);
+ 				attname = NameStr(att_tup->attname);
+ 			}
+ 			else if (var->varattno == InvalidAttrNumber)
+ 			{
+ 				attname = "wholerow";
+ 			}
+ 			else if (var->varattno <= context->rel->rd_att->natts)
+ 			{
+ 				Form_pg_attribute att_tup;
+ 
+ 				att_tup = context->rel->rd_att->attrs[var->varattno - 1];
+ 				attname = NameStr(att_tup->attname);
+ 			}
+ 			else
+ 			{
+ 				elog(ERROR, "invalid attribute number %d in security_barrier_replace_vars", var->varattno);
+ 			}
+ 
+ 			/* New variable for subquery targetlist */
+ 			newvar = copyObject(var);
+ 			newvar->varno = 1;
+ 
+ 			attno = list_length(context->targetlist) + 1;
+ 			tle = makeTargetEntry((Expr *) newvar,
+ 								  attno,
+ 								  pstrdup(attname),
+ 								  false);
+ 
+ 			context->targetlist = lappend(context->targetlist, tle);
+ 
+ 			context->colnames = lappend(context->colnames,
+ 										makeString(pstrdup(attname)));
+ 
+ 			/* Update the outer query's variable */
+ 			var->varattno = attno;
+ 
+ 			/* Remember this Var so that we don't process it again */
+ 			context->vars_processed = lappend(context->vars_processed, var);
+ 		}
+ 		return false;
+ 	}
+ 
+ 	if (IsA(node, Query))
+ 	{
+ 		/* Recurse into subselects */
+ 		bool		result;
+ 
+ 		context->sublevels_up++;
+ 		result = query_tree_walker((Query *) node,
+ 								   security_barrier_replace_vars_walker,
+ 								   (void *) context, 0);
+ 		context->sublevels_up--;
+ 		return result;
+ 	}
+ 	return expression_tree_walker(node, security_barrier_replace_vars_walker,
+ 								  (void *) context);
+ }
diff --git a/src/backend/rewrite/rewriteHandler.c b/src/backend/rewrite/rewriteHandler.c
new file mode 100644
index 50cb753..8474cae
*** a/src/backend/rewrite/rewriteHandler.c
--- b/src/backend/rewrite/rewriteHandler.c
*************** view_col_is_auto_updatable(RangeTblRef *
*** 1973,1980 ****
   * updatable.
   */
  const char *
! view_query_is_auto_updatable(Query *viewquery, bool security_barrier,
! 							 bool check_cols)
  {
  	RangeTblRef *rtr;
  	RangeTblEntry *base_rte;
--- 1973,1979 ----
   * updatable.
   */
  const char *
! view_query_is_auto_updatable(Query *viewquery, bool check_cols)
  {
  	RangeTblRef *rtr;
  	RangeTblEntry *base_rte;
*************** view_query_is_auto_updatable(Query *view
*** 2048,2061 ****
  		return gettext_noop("Views that return set-returning functions are not automatically updatable.");
  
  	/*
- 	 * For now, we also don't support security-barrier views, because of the
- 	 * difficulty of keeping upper-level qual expressions away from
- 	 * lower-level data.  This might get relaxed in the future.
- 	 */
- 	if (security_barrier)
- 		return gettext_noop("Security-barrier views are not automatically updatable.");
- 
- 	/*
  	 * The view query should select from a single base relation, which must be
  	 * a table or another view.
  	 */
--- 2047,2052 ----
*************** relation_is_updatable(Oid reloid,
*** 2303,2311 ****
  	{
  		Query	   *viewquery = get_view_query(rel);
  
! 		if (view_query_is_auto_updatable(viewquery,
! 										 RelationIsSecurityView(rel),
! 										 false) == NULL)
  		{
  			Bitmapset  *updatable_cols;
  			int			auto_events;
--- 2294,2300 ----
  	{
  		Query	   *viewquery = get_view_query(rel);
  
! 		if (view_query_is_auto_updatable(viewquery, false) == NULL)
  		{
  			Bitmapset  *updatable_cols;
  			int			auto_events;
*************** rewriteTargetView(Query *parsetree, Rela
*** 2460,2466 ****
  
  	auto_update_detail =
  		view_query_is_auto_updatable(viewquery,
- 									 RelationIsSecurityView(view),
  									 parsetree->commandType != CMD_DELETE);
  
  	if (auto_update_detail)
--- 2449,2454 ----
*************** rewriteTargetView(Query *parsetree, Rela
*** 2664,2669 ****
--- 2652,2665 ----
  												   view_targetlist);
  
  	/*
+ 	 * Move any security barrier quals from the view RTE onto the new target
+ 	 * RTE.  Any such quals should now apply to the new target RTE and will not
+ 	 * reference the original view RTE in the rewritten query.
+ 	 */
+ 	new_rte->securityQuals = view_rte->securityQuals;
+ 	view_rte->securityQuals = NIL;
+ 
+ 	/*
  	 * For UPDATE/DELETE, rewriteTargetListUD will have added a wholerow junk
  	 * TLE for the view to the end of the targetlist, which we no longer need.
  	 * Remove it to avoid unnecessary work when we process the targetlist.
*************** rewriteTargetView(Query *parsetree, Rela
*** 2743,2748 ****
--- 2739,2748 ----
  	 * only adjust their varnos to reference the new target (just the same as
  	 * we did with the view targetlist).
  	 *
+ 	 * Note that there is special-case handling for the quals of a security
+ 	 * barrier view, since they need to be kept separate from any user-supplied
+ 	 * quals, so these quals are kept on the new target RTE.
+ 	 *
  	 * For INSERT, the view's quals can be ignored in the main query.
  	 */
  	if (parsetree->commandType != CMD_INSERT &&
*************** rewriteTargetView(Query *parsetree, Rela
*** 2751,2757 ****
  		Node	   *viewqual = (Node *) copyObject(viewquery->jointree->quals);
  
  		ChangeVarNodes(viewqual, base_rt_index, new_rt_index, 0);
! 		AddQual(parsetree, (Node *) viewqual);
  	}
  
  	/*
--- 2751,2768 ----
  		Node	   *viewqual = (Node *) copyObject(viewquery->jointree->quals);
  
  		ChangeVarNodes(viewqual, base_rt_index, new_rt_index, 0);
! 
! 		if (RelationIsSecurityView(view))
! 		{
! 			/*
! 			 * Note: the parsetree has been mutated, so the new_rte pointer is
! 			 * stale and needs to be re-computed.
! 			 */
! 			new_rte = rt_fetch(new_rt_index, parsetree->rtable);
! 			new_rte->securityQuals = lcons(viewqual, new_rte->securityQuals);
! 		}
! 		else
! 			AddQual(parsetree, (Node *) viewqual);
  	}
  
  	/*
*************** rewriteTargetView(Query *parsetree, Rela
*** 2812,2824 ****
  				/*
  				 * Make sure that the query is marked correctly if the added
  				 * qual has sublinks.  We can skip this check if the query is
! 				 * already marked, or if the command is an UPDATE, in which
! 				 * case the same qual will have already been added to the
! 				 * query's WHERE clause, and AddQual will have already done
! 				 * this check.
  				 */
  				if (!parsetree->hasSubLinks &&
! 					parsetree->commandType != CMD_UPDATE)
  					parsetree->hasSubLinks = checkExprHasSubLink(wco->qual);
  			}
  		}
--- 2823,2836 ----
  				/*
  				 * Make sure that the query is marked correctly if the added
  				 * qual has sublinks.  We can skip this check if the query is
! 				 * already marked, or if the command is an UPDATE to a
! 				 * non-security-barrier view, in which case the same qual will
! 				 * have already been added to the query's WHERE clause, and
! 				 * AddQual will have already done this check.
  				 */
  				if (!parsetree->hasSubLinks &&
! 					(parsetree->commandType != CMD_UPDATE ||
! 					 RelationIsSecurityView(view)))
  					parsetree->hasSubLinks = checkExprHasSubLink(wco->qual);
  			}
  		}
diff --git a/src/include/nodes/parsenodes.h b/src/include/nodes/parsenodes.h
new file mode 100644
index e89d930..36c5c98
*** a/src/include/nodes/parsenodes.h
--- b/src/include/nodes/parsenodes.h
*************** typedef struct RangeTblEntry
*** 801,806 ****
--- 801,807 ----
  	Oid			checkAsUser;	/* if valid, check access as this role */
  	Bitmapset  *selectedCols;	/* columns needing SELECT permission */
  	Bitmapset  *modifiedCols;	/* columns needing INSERT/UPDATE permission */
+ 	List	   *securityQuals;	/* any security barrier quals to apply */
  } RangeTblEntry;
  
  /*
diff --git a/src/include/optimizer/prep.h b/src/include/optimizer/prep.h
new file mode 100644
index 0934e63..e9d865d
*** a/src/include/optimizer/prep.h
--- b/src/include/optimizer/prep.h
*************** extern Node *negate_clause(Node *node);
*** 36,41 ****
--- 36,46 ----
  extern Expr *canonicalize_qual(Expr *qual);
  
  /*
+  * prototypes for prepsecurity.c
+  */
+ extern void expand_security_quals(PlannerInfo *root, List *tlist);
+ 
+ /*
   * prototypes for preptlist.c
   */
  extern List *preprocess_targetlist(PlannerInfo *root, List *tlist);
diff --git a/src/include/rewrite/rewriteHandler.h b/src/include/rewrite/rewriteHandler.h
new file mode 100644
index c959590..ce56d7b
*** a/src/include/rewrite/rewriteHandler.h
--- b/src/include/rewrite/rewriteHandler.h
*************** extern void AcquireRewriteLocks(Query *p
*** 23,29 ****
  extern Node *build_column_default(Relation rel, int attrno);
  extern Query *get_view_query(Relation view);
  extern const char *view_query_is_auto_updatable(Query *viewquery,
- 										 bool security_barrier,
  										 bool check_cols);
  extern int	relation_is_updatable(Oid reloid,
  						  bool include_triggers,
--- 23,28 ----
diff --git a/src/test/regress/expected/create_view.out b/src/test/regress/expected/create_view.out
new file mode 100644
index 91d1639..f6db582
*** a/src/test/regress/expected/create_view.out
--- b/src/test/regress/expected/create_view.out
*************** CREATE VIEW mysecview4 WITH (security_ba
*** 252,258 ****
         AS SELECT * FROM tbl1 WHERE a <> 0;
  CREATE VIEW mysecview5 WITH (security_barrier=100)	-- Error
         AS SELECT * FROM tbl1 WHERE a > 100;
! ERROR:  security_barrier requires a Boolean value
  CREATE VIEW mysecview6 WITH (invalid_option)		-- Error
         AS SELECT * FROM tbl1 WHERE a < 100;
  ERROR:  unrecognized parameter "invalid_option"
--- 252,258 ----
         AS SELECT * FROM tbl1 WHERE a <> 0;
  CREATE VIEW mysecview5 WITH (security_barrier=100)	-- Error
         AS SELECT * FROM tbl1 WHERE a > 100;
! ERROR:  invalid value for boolean option "security_barrier": 100
  CREATE VIEW mysecview6 WITH (invalid_option)		-- Error
         AS SELECT * FROM tbl1 WHERE a < 100;
  ERROR:  unrecognized parameter "invalid_option"
diff --git a/src/test/regress/expected/updatable_views.out b/src/test/regress/expected/updatable_views.out
new file mode 100644
index 99c9165..d12d384
*** a/src/test/regress/expected/updatable_views.out
--- b/src/test/regress/expected/updatable_views.out
*************** CREATE VIEW rw_view14 AS SELECT ctid, a,
*** 22,33 ****
  CREATE VIEW rw_view15 AS SELECT a, upper(b) FROM base_tbl; -- Expression/function may be part of an updatable view
  CREATE VIEW rw_view16 AS SELECT a, b, a AS aa FROM base_tbl; -- Repeated column may be part of an updatable view
  CREATE VIEW ro_view17 AS SELECT * FROM ro_view1; -- Base relation not updatable
! CREATE VIEW ro_view18 WITH (security_barrier = true)
!   AS SELECT * FROM base_tbl; -- Security barrier views not updatable
! CREATE VIEW ro_view19 AS SELECT * FROM (VALUES(1)) AS tmp(a); -- VALUES in rangetable
  CREATE SEQUENCE seq;
! CREATE VIEW ro_view20 AS SELECT * FROM seq; -- View based on a sequence
! CREATE VIEW ro_view21 AS SELECT a, b, generate_series(1, a) g FROM base_tbl; -- SRF in targetlist not supported
  SELECT table_name, is_insertable_into
    FROM information_schema.tables
   WHERE table_name LIKE E'r_\\_view%'
--- 22,31 ----
  CREATE VIEW rw_view15 AS SELECT a, upper(b) FROM base_tbl; -- Expression/function may be part of an updatable view
  CREATE VIEW rw_view16 AS SELECT a, b, a AS aa FROM base_tbl; -- Repeated column may be part of an updatable view
  CREATE VIEW ro_view17 AS SELECT * FROM ro_view1; -- Base relation not updatable
! CREATE VIEW ro_view18 AS SELECT * FROM (VALUES(1)) AS tmp(a); -- VALUES in rangetable
  CREATE SEQUENCE seq;
! CREATE VIEW ro_view19 AS SELECT * FROM seq; -- View based on a sequence
! CREATE VIEW ro_view20 AS SELECT a, b, generate_series(1, a) g FROM base_tbl; -- SRF in targetlist not supported
  SELECT table_name, is_insertable_into
    FROM information_schema.tables
   WHERE table_name LIKE E'r_\\_view%'
*************** SELECT table_name, is_insertable_into
*** 44,50 ****
   ro_view19  | NO
   ro_view2   | NO
   ro_view20  | NO
-  ro_view21  | NO
   ro_view3   | NO
   ro_view4   | NO
   ro_view5   | NO
--- 42,47 ----
*************** SELECT table_name, is_insertable_into
*** 55,61 ****
   rw_view14  | YES
   rw_view15  | YES
   rw_view16  | YES
! (21 rows)
  
  SELECT table_name, is_updatable, is_insertable_into
    FROM information_schema.views
--- 52,58 ----
   rw_view14  | YES
   rw_view15  | YES
   rw_view16  | YES
! (20 rows)
  
  SELECT table_name, is_updatable, is_insertable_into
    FROM information_schema.views
*************** SELECT table_name, is_updatable, is_inse
*** 73,79 ****
   ro_view19  | NO           | NO
   ro_view2   | NO           | NO
   ro_view20  | NO           | NO
-  ro_view21  | NO           | NO
   ro_view3   | NO           | NO
   ro_view4   | NO           | NO
   ro_view5   | NO           | NO
--- 70,75 ----
*************** SELECT table_name, is_updatable, is_inse
*** 84,90 ****
   rw_view14  | YES          | YES
   rw_view15  | YES          | YES
   rw_view16  | YES          | YES
! (21 rows)
  
  SELECT table_name, column_name, is_updatable
    FROM information_schema.columns
--- 80,86 ----
   rw_view14  | YES          | YES
   rw_view15  | YES          | YES
   rw_view16  | YES          | YES
! (20 rows)
  
  SELECT table_name, column_name, is_updatable
    FROM information_schema.columns
*************** SELECT table_name, column_name, is_updat
*** 103,125 ****
   ro_view17  | a             | NO
   ro_view17  | b             | NO
   ro_view18  | a             | NO
!  ro_view18  | b             | NO
!  ro_view19  | a             | NO
   ro_view2   | a             | NO
   ro_view2   | b             | NO
!  ro_view20  | sequence_name | NO
!  ro_view20  | last_value    | NO
!  ro_view20  | start_value   | NO
!  ro_view20  | increment_by  | NO
!  ro_view20  | max_value     | NO
!  ro_view20  | min_value     | NO
!  ro_view20  | cache_value   | NO
!  ro_view20  | log_cnt       | NO
!  ro_view20  | is_cycled     | NO
!  ro_view20  | is_called     | NO
!  ro_view21  | a             | NO
!  ro_view21  | b             | NO
!  ro_view21  | g             | NO
   ro_view3   | ?column?      | NO
   ro_view4   | count         | NO
   ro_view5   | a             | NO
--- 99,119 ----
   ro_view17  | a             | NO
   ro_view17  | b             | NO
   ro_view18  | a             | NO
!  ro_view19  | sequence_name | NO
!  ro_view19  | last_value    | NO
!  ro_view19  | start_value   | NO
!  ro_view19  | increment_by  | NO
!  ro_view19  | max_value     | NO
!  ro_view19  | min_value     | NO
!  ro_view19  | cache_value   | NO
!  ro_view19  | log_cnt       | NO
!  ro_view19  | is_cycled     | NO
!  ro_view19  | is_called     | NO
   ro_view2   | a             | NO
   ro_view2   | b             | NO
!  ro_view20  | a             | NO
!  ro_view20  | b             | NO
!  ro_view20  | g             | NO
   ro_view3   | ?column?      | NO
   ro_view4   | count         | NO
   ro_view5   | a             | NO
*************** SELECT table_name, column_name, is_updat
*** 140,146 ****
   rw_view16  | a             | YES
   rw_view16  | b             | YES
   rw_view16  | aa            | YES
! (48 rows)
  
  -- Read-only views
  DELETE FROM ro_view1;
--- 134,140 ----
   rw_view16  | a             | YES
   rw_view16  | b             | YES
   rw_view16  | aa            | YES
! (46 rows)
  
  -- Read-only views
  DELETE FROM ro_view1;
*************** INSERT INTO ro_view17 VALUES (3, 'ROW 3'
*** 268,291 ****
  ERROR:  cannot insert into view "ro_view1"
  DETAIL:  Views containing DISTINCT are not automatically updatable.
  HINT:  To enable inserting into the view, provide an INSTEAD OF INSERT trigger or an unconditional ON INSERT DO INSTEAD rule.
! INSERT INTO ro_view18 VALUES (3, 'ROW 3');
! ERROR:  cannot insert into view "ro_view18"
! DETAIL:  Security-barrier views are not automatically updatable.
! HINT:  To enable inserting into the view, provide an INSTEAD OF INSERT trigger or an unconditional ON INSERT DO INSTEAD rule.
! DELETE FROM ro_view19;
! ERROR:  cannot delete from view "ro_view19"
  DETAIL:  Views that do not select from a single table or view are not automatically updatable.
  HINT:  To enable deleting from the view, provide an INSTEAD OF DELETE trigger or an unconditional ON DELETE DO INSTEAD rule.
! UPDATE ro_view20 SET max_value=1000;
! ERROR:  cannot update view "ro_view20"
  DETAIL:  Views that do not select from a single table or view are not automatically updatable.
  HINT:  To enable updating the view, provide an INSTEAD OF UPDATE trigger or an unconditional ON UPDATE DO INSTEAD rule.
! UPDATE ro_view21 SET b=upper(b);
! ERROR:  cannot update view "ro_view21"
  DETAIL:  Views that return set-returning functions are not automatically updatable.
  HINT:  To enable updating the view, provide an INSTEAD OF UPDATE trigger or an unconditional ON UPDATE DO INSTEAD rule.
  DROP TABLE base_tbl CASCADE;
! NOTICE:  drop cascades to 17 other objects
  DETAIL:  drop cascades to view ro_view1
  drop cascades to view ro_view17
  drop cascades to view ro_view2
--- 262,281 ----
  ERROR:  cannot insert into view "ro_view1"
  DETAIL:  Views containing DISTINCT are not automatically updatable.
  HINT:  To enable inserting into the view, provide an INSTEAD OF INSERT trigger or an unconditional ON INSERT DO INSTEAD rule.
! DELETE FROM ro_view18;
! ERROR:  cannot delete from view "ro_view18"
  DETAIL:  Views that do not select from a single table or view are not automatically updatable.
  HINT:  To enable deleting from the view, provide an INSTEAD OF DELETE trigger or an unconditional ON DELETE DO INSTEAD rule.
! UPDATE ro_view19 SET max_value=1000;
! ERROR:  cannot update view "ro_view19"
  DETAIL:  Views that do not select from a single table or view are not automatically updatable.
  HINT:  To enable updating the view, provide an INSTEAD OF UPDATE trigger or an unconditional ON UPDATE DO INSTEAD rule.
! UPDATE ro_view20 SET b=upper(b);
! ERROR:  cannot update view "ro_view20"
  DETAIL:  Views that return set-returning functions are not automatically updatable.
  HINT:  To enable updating the view, provide an INSTEAD OF UPDATE trigger or an unconditional ON UPDATE DO INSTEAD rule.
  DROP TABLE base_tbl CASCADE;
! NOTICE:  drop cascades to 16 other objects
  DETAIL:  drop cascades to view ro_view1
  drop cascades to view ro_view17
  drop cascades to view ro_view2
*************** drop cascades to view ro_view11
*** 299,311 ****
  drop cascades to view ro_view13
  drop cascades to view rw_view15
  drop cascades to view rw_view16
! drop cascades to view ro_view18
! drop cascades to view ro_view21
  drop cascades to view ro_view4
  drop cascades to view rw_view14
! DROP VIEW ro_view10, ro_view12, ro_view19;
  DROP SEQUENCE seq CASCADE;
! NOTICE:  drop cascades to view ro_view20
  -- simple updatable view
  CREATE TABLE base_tbl (a int PRIMARY KEY, b text DEFAULT 'Unspecified');
  INSERT INTO base_tbl SELECT i, 'Row ' || i FROM generate_series(-2, 2) g(i);
--- 289,300 ----
  drop cascades to view ro_view13
  drop cascades to view rw_view15
  drop cascades to view rw_view16
! drop cascades to view ro_view20
  drop cascades to view ro_view4
  drop cascades to view rw_view14
! DROP VIEW ro_view10, ro_view12, ro_view18;
  DROP SEQUENCE seq CASCADE;
! NOTICE:  drop cascades to view ro_view19
  -- simple updatable view
  CREATE TABLE base_tbl (a int PRIMARY KEY, b text DEFAULT 'Unspecified');
  INSERT INTO base_tbl SELECT i, 'Row ' || i FROM generate_series(-2, 2) g(i);
*************** INSERT INTO rw_view2 VALUES (2,3); -- ok
*** 1739,1742 ****
--- 1728,1923 ----
  DROP TABLE base_tbl CASCADE;
  NOTICE:  drop cascades to 2 other objects
  DETAIL:  drop cascades to view rw_view1
+ drop cascades to view rw_view2
+ -- security barrier view
+ CREATE TABLE base_tbl (person text, visibility text);
+ INSERT INTO base_tbl VALUES ('Tom', 'public'),
+                             ('Dick', 'private'),
+                             ('Harry', 'public');
+ CREATE VIEW rw_view1 AS
+   SELECT person FROM base_tbl WHERE visibility = 'public';
+ CREATE FUNCTION snoop(val text)
+ RETURNS boolean AS
+ $$
+ BEGIN
+   RAISE NOTICE 'snooped value: %', val;
+   RETURN true;
+ END;
+ $$
+ LANGUAGE plpgsql COST 0.000001;
+ SELECT * FROM rw_view1 WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Dick
+ NOTICE:  snooped value: Harry
+  person 
+ --------
+  Tom
+  Harry
+ (2 rows)
+ 
+ UPDATE rw_view1 SET person=person WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Dick
+ NOTICE:  snooped value: Harry
+ DELETE FROM rw_view1 WHERE NOT snoop(person);
+ NOTICE:  snooped value: Dick
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ ALTER VIEW rw_view1 SET (security_barrier = true);
+ SELECT table_name, is_insertable_into
+   FROM information_schema.tables
+  WHERE table_name = 'rw_view1';
+  table_name | is_insertable_into 
+ ------------+--------------------
+  rw_view1   | YES
+ (1 row)
+ 
+ SELECT table_name, is_updatable, is_insertable_into
+   FROM information_schema.views
+  WHERE table_name = 'rw_view1';
+  table_name | is_updatable | is_insertable_into 
+ ------------+--------------+--------------------
+  rw_view1   | YES          | YES
+ (1 row)
+ 
+ SELECT table_name, column_name, is_updatable
+   FROM information_schema.columns
+  WHERE table_name = 'rw_view1'
+  ORDER BY ordinal_position;
+  table_name | column_name | is_updatable 
+ ------------+-------------+--------------
+  rw_view1   | person      | YES
+ (1 row)
+ 
+ SELECT * FROM rw_view1 WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+  person 
+ --------
+  Tom
+  Harry
+ (2 rows)
+ 
+ UPDATE rw_view1 SET person=person WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ DELETE FROM rw_view1 WHERE NOT snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ EXPLAIN (costs off) SELECT * FROM rw_view1 WHERE snoop(person);
+                   QUERY PLAN                   
+ -----------------------------------------------
+  Subquery Scan on rw_view1
+    Filter: snoop(rw_view1.person)
+    ->  Seq Scan on base_tbl
+          Filter: (visibility = 'public'::text)
+ (4 rows)
+ 
+ EXPLAIN (costs off) UPDATE rw_view1 SET person=person WHERE snoop(person);
+                      QUERY PLAN                      
+ -----------------------------------------------------
+  Update on base_tbl base_tbl_1
+    ->  Subquery Scan on base_tbl
+          Filter: snoop(base_tbl.person)
+          ->  Seq Scan on base_tbl base_tbl_2
+                Filter: (visibility = 'public'::text)
+ (5 rows)
+ 
+ EXPLAIN (costs off) DELETE FROM rw_view1 WHERE NOT snoop(person);
+                      QUERY PLAN                      
+ -----------------------------------------------------
+  Delete on base_tbl base_tbl_1
+    ->  Subquery Scan on base_tbl
+          Filter: (NOT snoop(base_tbl.person))
+          ->  Seq Scan on base_tbl base_tbl_2
+                Filter: (visibility = 'public'::text)
+ (5 rows)
+ 
+ -- security barrier view on top of security barrier view
+ CREATE VIEW rw_view2 WITH (security_barrier = true) AS
+   SELECT * FROM rw_view1 WHERE snoop(person);
+ SELECT table_name, is_insertable_into
+   FROM information_schema.tables
+  WHERE table_name = 'rw_view2';
+  table_name | is_insertable_into 
+ ------------+--------------------
+  rw_view2   | YES
+ (1 row)
+ 
+ SELECT table_name, is_updatable, is_insertable_into
+   FROM information_schema.views
+  WHERE table_name = 'rw_view2';
+  table_name | is_updatable | is_insertable_into 
+ ------------+--------------+--------------------
+  rw_view2   | YES          | YES
+ (1 row)
+ 
+ SELECT table_name, column_name, is_updatable
+   FROM information_schema.columns
+  WHERE table_name = 'rw_view2'
+  ORDER BY ordinal_position;
+  table_name | column_name | is_updatable 
+ ------------+-------------+--------------
+  rw_view2   | person      | YES
+ (1 row)
+ 
+ SELECT * FROM rw_view2 WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ NOTICE:  snooped value: Harry
+  person 
+ --------
+  Tom
+  Harry
+ (2 rows)
+ 
+ UPDATE rw_view2 SET person=person WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ NOTICE:  snooped value: Harry
+ DELETE FROM rw_view2 WHERE NOT snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ NOTICE:  snooped value: Harry
+ EXPLAIN (costs off) SELECT * FROM rw_view2 WHERE snoop(person);
+                      QUERY PLAN                      
+ -----------------------------------------------------
+  Subquery Scan on rw_view2
+    Filter: snoop(rw_view2.person)
+    ->  Subquery Scan on rw_view1
+          Filter: snoop(rw_view1.person)
+          ->  Seq Scan on base_tbl
+                Filter: (visibility = 'public'::text)
+ (6 rows)
+ 
+ EXPLAIN (costs off) UPDATE rw_view2 SET person=person WHERE snoop(person);
+                         QUERY PLAN                         
+ -----------------------------------------------------------
+  Update on base_tbl base_tbl_1
+    ->  Subquery Scan on base_tbl
+          Filter: snoop(base_tbl.person)
+          ->  Subquery Scan on base_tbl_2
+                Filter: snoop(base_tbl_2.person)
+                ->  Seq Scan on base_tbl base_tbl_3
+                      Filter: (visibility = 'public'::text)
+ (7 rows)
+ 
+ EXPLAIN (costs off) DELETE FROM rw_view2 WHERE NOT snoop(person);
+                         QUERY PLAN                         
+ -----------------------------------------------------------
+  Delete on base_tbl base_tbl_1
+    ->  Subquery Scan on base_tbl
+          Filter: (NOT snoop(base_tbl.person))
+          ->  Subquery Scan on base_tbl_2
+                Filter: snoop(base_tbl_2.person)
+                ->  Seq Scan on base_tbl base_tbl_3
+                      Filter: (visibility = 'public'::text)
+ (7 rows)
+ 
+ DROP TABLE base_tbl CASCADE;
+ NOTICE:  drop cascades to 2 other objects
+ DETAIL:  drop cascades to view rw_view1
  drop cascades to view rw_view2
diff --git a/src/test/regress/sql/updatable_views.sql b/src/test/regress/sql/updatable_views.sql
new file mode 100644
index a77cf19..6b352c1
*** a/src/test/regress/sql/updatable_views.sql
--- b/src/test/regress/sql/updatable_views.sql
*************** CREATE VIEW rw_view14 AS SELECT ctid, a,
*** 25,36 ****
  CREATE VIEW rw_view15 AS SELECT a, upper(b) FROM base_tbl; -- Expression/function may be part of an updatable view
  CREATE VIEW rw_view16 AS SELECT a, b, a AS aa FROM base_tbl; -- Repeated column may be part of an updatable view
  CREATE VIEW ro_view17 AS SELECT * FROM ro_view1; -- Base relation not updatable
! CREATE VIEW ro_view18 WITH (security_barrier = true)
!   AS SELECT * FROM base_tbl; -- Security barrier views not updatable
! CREATE VIEW ro_view19 AS SELECT * FROM (VALUES(1)) AS tmp(a); -- VALUES in rangetable
  CREATE SEQUENCE seq;
! CREATE VIEW ro_view20 AS SELECT * FROM seq; -- View based on a sequence
! CREATE VIEW ro_view21 AS SELECT a, b, generate_series(1, a) g FROM base_tbl; -- SRF in targetlist not supported
  
  SELECT table_name, is_insertable_into
    FROM information_schema.tables
--- 25,34 ----
  CREATE VIEW rw_view15 AS SELECT a, upper(b) FROM base_tbl; -- Expression/function may be part of an updatable view
  CREATE VIEW rw_view16 AS SELECT a, b, a AS aa FROM base_tbl; -- Repeated column may be part of an updatable view
  CREATE VIEW ro_view17 AS SELECT * FROM ro_view1; -- Base relation not updatable
! CREATE VIEW ro_view18 AS SELECT * FROM (VALUES(1)) AS tmp(a); -- VALUES in rangetable
  CREATE SEQUENCE seq;
! CREATE VIEW ro_view19 AS SELECT * FROM seq; -- View based on a sequence
! CREATE VIEW ro_view20 AS SELECT a, b, generate_series(1, a) g FROM base_tbl; -- SRF in targetlist not supported
  
  SELECT table_name, is_insertable_into
    FROM information_schema.tables
*************** SELECT * FROM base_tbl;
*** 87,99 ****
  DELETE FROM rw_view16 WHERE a=-3; -- should be OK
  -- Read-only views
  INSERT INTO ro_view17 VALUES (3, 'ROW 3');
! INSERT INTO ro_view18 VALUES (3, 'ROW 3');
! DELETE FROM ro_view19;
! UPDATE ro_view20 SET max_value=1000;
! UPDATE ro_view21 SET b=upper(b);
  
  DROP TABLE base_tbl CASCADE;
! DROP VIEW ro_view10, ro_view12, ro_view19;
  DROP SEQUENCE seq CASCADE;
  
  -- simple updatable view
--- 85,96 ----
  DELETE FROM rw_view16 WHERE a=-3; -- should be OK
  -- Read-only views
  INSERT INTO ro_view17 VALUES (3, 'ROW 3');
! DELETE FROM ro_view18;
! UPDATE ro_view19 SET max_value=1000;
! UPDATE ro_view20 SET b=upper(b);
  
  DROP TABLE base_tbl CASCADE;
! DROP VIEW ro_view10, ro_view12, ro_view18;
  DROP SEQUENCE seq CASCADE;
  
  -- simple updatable view
*************** CREATE VIEW rw_view2 AS
*** 828,830 ****
--- 825,902 ----
    SELECT * FROM rw_view1 WHERE a > b WITH LOCAL CHECK OPTION;
  INSERT INTO rw_view2 VALUES (2,3); -- ok, but not in view (doesn't fail rw_view2's check)
  DROP TABLE base_tbl CASCADE;
+ 
+ -- security barrier view
+ 
+ CREATE TABLE base_tbl (person text, visibility text);
+ INSERT INTO base_tbl VALUES ('Tom', 'public'),
+                             ('Dick', 'private'),
+                             ('Harry', 'public');
+ 
+ CREATE VIEW rw_view1 AS
+   SELECT person FROM base_tbl WHERE visibility = 'public';
+ 
+ CREATE FUNCTION snoop(val text)
+ RETURNS boolean AS
+ $$
+ BEGIN
+   RAISE NOTICE 'snooped value: %', val;
+   RETURN true;
+ END;
+ $$
+ LANGUAGE plpgsql COST 0.000001;
+ 
+ SELECT * FROM rw_view1 WHERE snoop(person);
+ UPDATE rw_view1 SET person=person WHERE snoop(person);
+ DELETE FROM rw_view1 WHERE NOT snoop(person);
+ 
+ ALTER VIEW rw_view1 SET (security_barrier = true);
+ 
+ SELECT table_name, is_insertable_into
+   FROM information_schema.tables
+  WHERE table_name = 'rw_view1';
+ 
+ SELECT table_name, is_updatable, is_insertable_into
+   FROM information_schema.views
+  WHERE table_name = 'rw_view1';
+ 
+ SELECT table_name, column_name, is_updatable
+   FROM information_schema.columns
+  WHERE table_name = 'rw_view1'
+  ORDER BY ordinal_position;
+ 
+ SELECT * FROM rw_view1 WHERE snoop(person);
+ UPDATE rw_view1 SET person=person WHERE snoop(person);
+ DELETE FROM rw_view1 WHERE NOT snoop(person);
+ 
+ EXPLAIN (costs off) SELECT * FROM rw_view1 WHERE snoop(person);
+ EXPLAIN (costs off) UPDATE rw_view1 SET person=person WHERE snoop(person);
+ EXPLAIN (costs off) DELETE FROM rw_view1 WHERE NOT snoop(person);
+ 
+ -- security barrier view on top of security barrier view
+ 
+ CREATE VIEW rw_view2 WITH (security_barrier = true) AS
+   SELECT * FROM rw_view1 WHERE snoop(person);
+ 
+ SELECT table_name, is_insertable_into
+   FROM information_schema.tables
+  WHERE table_name = 'rw_view2';
+ 
+ SELECT table_name, is_updatable, is_insertable_into
+   FROM information_schema.views
+  WHERE table_name = 'rw_view2';
+ 
+ SELECT table_name, column_name, is_updatable
+   FROM information_schema.columns
+  WHERE table_name = 'rw_view2'
+  ORDER BY ordinal_position;
+ 
+ SELECT * FROM rw_view2 WHERE snoop(person);
+ UPDATE rw_view2 SET person=person WHERE snoop(person);
+ DELETE FROM rw_view2 WHERE NOT snoop(person);
+ 
+ EXPLAIN (costs off) SELECT * FROM rw_view2 WHERE snoop(person);
+ EXPLAIN (costs off) UPDATE rw_view2 SET person=person WHERE snoop(person);
+ EXPLAIN (costs off) DELETE FROM rw_view2 WHERE NOT snoop(person);
+ 
+ DROP TABLE base_tbl CASCADE;

diff --git a/doc/src/sgml/ref/create_view.sgml b/doc/src/sgml/ref/create_view.sgml
new file mode 100644
index e0fbe1e..888410f
*** a/doc/src/sgml/ref/create_view.sgml
--- b/doc/src/sgml/ref/create_view.sgml
*************** CREATE VIEW vista AS SELECT text 'Hello
*** 323,334 ****
         or set-returning functions.
        </para>
       </listitem>
- 
-      <listitem>
-       <para>
-        The view must not have the <literal>security_barrier</> property.
-       </para>
-      </listitem>
      </itemizedlist>
     </para>
  
--- 323,328 ----
diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c
new file mode 100644
index b9cd88d..a984c03
*** a/src/backend/commands/tablecmds.c
--- b/src/backend/commands/tablecmds.c
*************** ATExecSetRelOptions(Relation rel, List *
*** 8806,8812 ****
  		List	   *view_options = untransformRelOptions(newOptions);
  		ListCell   *cell;
  		bool		check_option = false;
- 		bool		security_barrier = false;
  
  		foreach(cell, view_options)
  		{
--- 8806,8811 ----
*************** ATExecSetRelOptions(Relation rel, List *
*** 8814,8821 ****
  
  			if (pg_strcasecmp(defel->defname, "check_option") == 0)
  				check_option = true;
- 			if (pg_strcasecmp(defel->defname, "security_barrier") == 0)
- 				security_barrier = defGetBoolean(defel);
  		}
  
  		/*
--- 8813,8818 ----
*************** ATExecSetRelOptions(Relation rel, List *
*** 8825,8832 ****
  		if (check_option)
  		{
  			const char *view_updatable_error =
! 				view_query_is_auto_updatable(view_query,
! 											 security_barrier, true);
  
  			if (view_updatable_error)
  				ereport(ERROR,
--- 8822,8828 ----
  		if (check_option)
  		{
  			const char *view_updatable_error =
! 				view_query_is_auto_updatable(view_query, true);
  
  			if (view_updatable_error)
  				ereport(ERROR,
diff --git a/src/backend/commands/view.c b/src/backend/commands/view.c
new file mode 100644
index 0703c05..8a43aa4
*** a/src/backend/commands/view.c
--- b/src/backend/commands/view.c
*************** DefineView(ViewStmt *stmt, const char *q
*** 396,402 ****
  	RangeVar   *view;
  	ListCell   *cell;
  	bool		check_option;
- 	bool		security_barrier;
  
  	/*
  	 * Run parse analysis to convert the raw parse tree to a Query.  Note this
--- 396,401 ----
*************** DefineView(ViewStmt *stmt, const char *q
*** 451,457 ****
  	 * specified.
  	 */
  	check_option = false;
- 	security_barrier = false;
  
  	foreach(cell, stmt->options)
  	{
--- 450,455 ----
*************** DefineView(ViewStmt *stmt, const char *q
*** 459,466 ****
  
  		if (pg_strcasecmp(defel->defname, "check_option") == 0)
  			check_option = true;
- 		if (pg_strcasecmp(defel->defname, "security_barrier") == 0)
- 			security_barrier = defGetBoolean(defel);
  	}
  
  	/*
--- 457,462 ----
*************** DefineView(ViewStmt *stmt, const char *q
*** 470,476 ****
  	if (check_option)
  	{
  		const char *view_updatable_error =
! 			view_query_is_auto_updatable(viewParse, security_barrier, true);
  
  		if (view_updatable_error)
  			ereport(ERROR,
--- 466,472 ----
  	if (check_option)
  	{
  		const char *view_updatable_error =
! 			view_query_is_auto_updatable(viewParse, true);
  
  		if (view_updatable_error)
  			ereport(ERROR,
diff --git a/src/backend/nodes/copyfuncs.c b/src/backend/nodes/copyfuncs.c
new file mode 100644
index e4184c5..255ade9
*** a/src/backend/nodes/copyfuncs.c
--- b/src/backend/nodes/copyfuncs.c
*************** _copyRangeTblEntry(const RangeTblEntry *
*** 1998,2003 ****
--- 1998,2004 ----
  	COPY_SCALAR_FIELD(checkAsUser);
  	COPY_BITMAPSET_FIELD(selectedCols);
  	COPY_BITMAPSET_FIELD(modifiedCols);
+ 	COPY_NODE_FIELD(securityQuals);
  
  	return newnode;
  }
diff --git a/src/backend/nodes/equalfuncs.c b/src/backend/nodes/equalfuncs.c
new file mode 100644
index 0cdb947..cab71ac
*** a/src/backend/nodes/equalfuncs.c
--- b/src/backend/nodes/equalfuncs.c
*************** _equalRangeTblEntry(const RangeTblEntry
*** 2278,2283 ****
--- 2278,2284 ----
  	COMPARE_SCALAR_FIELD(checkAsUser);
  	COMPARE_BITMAPSET_FIELD(selectedCols);
  	COMPARE_BITMAPSET_FIELD(modifiedCols);
+ 	COMPARE_NODE_FIELD(securityQuals);
  
  	return true;
  }
diff --git a/src/backend/nodes/nodeFuncs.c b/src/backend/nodes/nodeFuncs.c
new file mode 100644
index 17626f9..9bb62ba
*** a/src/backend/nodes/nodeFuncs.c
--- b/src/backend/nodes/nodeFuncs.c
*************** range_table_walker(List *rtable,
*** 2020,2025 ****
--- 2020,2028 ----
  					return true;
  				break;
  		}
+ 
+ 		if (walker(rte->securityQuals, context))
+ 			return true;
  	}
  	return false;
  }
*************** range_table_mutator(List *rtable,
*** 2755,2760 ****
--- 2758,2764 ----
  				MUTATE(newrte->values_lists, rte->values_lists, List *);
  				break;
  		}
+ 		MUTATE(newrte->securityQuals, rte->securityQuals, List *);
  		newrt = lappend(newrt, newrte);
  	}
  	return newrt;
diff --git a/src/backend/nodes/outfuncs.c b/src/backend/nodes/outfuncs.c
new file mode 100644
index 4f63906..43502b0
*** a/src/backend/nodes/outfuncs.c
--- b/src/backend/nodes/outfuncs.c
*************** _outRangeTblEntry(StringInfo str, const
*** 2409,2414 ****
--- 2409,2415 ----
  	WRITE_OID_FIELD(checkAsUser);
  	WRITE_BITMAPSET_FIELD(selectedCols);
  	WRITE_BITMAPSET_FIELD(modifiedCols);
+ 	WRITE_NODE_FIELD(securityQuals);
  }
  
  static void
diff --git a/src/backend/nodes/readfuncs.c b/src/backend/nodes/readfuncs.c
new file mode 100644
index aba6d4e..941c038
*** a/src/backend/nodes/readfuncs.c
--- b/src/backend/nodes/readfuncs.c
*************** _readRangeTblEntry(void)
*** 1250,1255 ****
--- 1250,1256 ----
  	READ_OID_FIELD(checkAsUser);
  	READ_BITMAPSET_FIELD(selectedCols);
  	READ_BITMAPSET_FIELD(modifiedCols);
+ 	READ_NODE_FIELD(securityQuals);
  
  	READ_DONE();
  }
diff --git a/src/backend/optimizer/plan/planner.c b/src/backend/optimizer/plan/planner.c
new file mode 100644
index 1da4b2f..93097b0
*** a/src/backend/optimizer/plan/planner.c
--- b/src/backend/optimizer/plan/planner.c
*************** inheritance_planner(PlannerInfo *root)
*** 916,921 ****
--- 916,927 ----
  		subplan = grouping_planner(&subroot, 0.0 /* retrieve all tuples */ );
  
  		/*
+ 		 * Planning may have modified the query result relation (if there
+ 		 * were security barrier quals on the result RTE).
+ 		 */
+ 		appinfo->child_relid = subroot.parse->resultRelation;
+ 
+ 		/*
  		 * If this child rel was excluded by constraint exclusion, exclude it
  		 * from the result plan.
  		 */
*************** inheritance_planner(PlannerInfo *root)
*** 932,940 ****
  		if (final_rtable == NIL)
  			final_rtable = subroot.parse->rtable;
  		else
! 			final_rtable = list_concat(final_rtable,
  									   list_copy_tail(subroot.parse->rtable,
  												 list_length(final_rtable)));
  
  		/*
  		 * We need to collect all the RelOptInfos from all child plans into
--- 938,969 ----
  		if (final_rtable == NIL)
  			final_rtable = subroot.parse->rtable;
  		else
! 		{
! 			List	   *tmp_rtable = NIL;
! 			ListCell   *cell1, *cell2;
! 
! 			/*
! 			 * Planning this new child may have turned some of the original
! 			 * RTEs into subqueries (if they had security barrier quals). If
! 			 * so, we want to use these in the final rtable.
! 			 */
! 			forboth(cell1, final_rtable, cell2, subroot.parse->rtable)
! 			{
! 				RangeTblEntry *rte1 = (RangeTblEntry *) lfirst(cell1);
! 				RangeTblEntry *rte2 = (RangeTblEntry *) lfirst(cell2);
! 
! 				if (rte1->rtekind == RTE_RELATION &&
! 					rte1->securityQuals != NIL &&
! 					rte2->rtekind == RTE_SUBQUERY)
! 					tmp_rtable = lappend(tmp_rtable, rte2);
! 				else
! 					tmp_rtable = lappend(tmp_rtable, rte1);
! 			}
! 
! 			final_rtable = list_concat(tmp_rtable,
  									   list_copy_tail(subroot.parse->rtable,
  												 list_length(final_rtable)));
+ 		}
  
  		/*
  		 * We need to collect all the RelOptInfos from all child plans into
*************** grouping_planner(PlannerInfo *root, doub
*** 1163,1168 ****
--- 1192,1203 ----
  		tlist = preprocess_targetlist(root, tlist);
  
  		/*
+ 		 * Expand any rangetable entries that have security barrier quals.
+ 		 * This may add new security barrier subquery RTEs to the rangetable.
+ 		 */
+ 		expand_security_quals(root, tlist);
+ 
+ 		/*
  		 * Locate any window functions in the tlist.  (We don't need to look
  		 * anywhere else, since expressions used in ORDER BY will be in there
  		 * too.)  Note that they could all have been eliminated by constant
diff --git a/src/backend/optimizer/prep/Makefile b/src/backend/optimizer/prep/Makefile
new file mode 100644
index 86301bf..5195d9b
*** a/src/backend/optimizer/prep/Makefile
--- b/src/backend/optimizer/prep/Makefile
*************** subdir = src/backend/optimizer/prep
*** 12,17 ****
  top_builddir = ../../../..
  include $(top_builddir)/src/Makefile.global
  
! OBJS = prepjointree.o prepqual.o preptlist.o prepunion.o
  
  include $(top_srcdir)/src/backend/common.mk
--- 12,17 ----
  top_builddir = ../../../..
  include $(top_builddir)/src/Makefile.global
  
! OBJS = prepjointree.o prepqual.o prepsecurity.o preptlist.o prepunion.o
  
  include $(top_srcdir)/src/backend/common.mk
diff --git a/src/backend/optimizer/prep/prepsecurity.c b/src/backend/optimizer/prep/prepsecurity.c
new file mode 100644
index ...e7a3f56
*** a/src/backend/optimizer/prep/prepsecurity.c
--- b/src/backend/optimizer/prep/prepsecurity.c
***************
*** 0 ****
--- 1,423 ----
+ /*-------------------------------------------------------------------------
+  *
+  * prepsecurity.c
+  *	  Routines for preprocessing security barrier quals.
+  *
+  * Portions Copyright (c) 1996-2013, PostgreSQL Global Development Group
+  * Portions Copyright (c) 1994, Regents of the University of California
+  *
+  *
+  * IDENTIFICATION
+  *	  src/backend/optimizer/prep/prepsecurity.c
+  *
+  *-------------------------------------------------------------------------
+  */
+ #include "postgres.h"
+ 
+ #include "access/heapam.h"
+ #include "access/sysattr.h"
+ #include "catalog/heap.h"
+ #include "nodes/makefuncs.h"
+ #include "nodes/nodeFuncs.h"
+ #include "optimizer/prep.h"
+ #include "parser/parsetree.h"
+ #include "rewrite/rewriteManip.h"
+ #include "utils/rel.h"
+ 
+ 
+ typedef struct
+ {
+ 	int			rt_index;		/* Index of security barrier RTE */
+ 	int			sublevels_up;	/* Current nesting depth */
+ 	Relation	rel;			/* RTE relation at rt_index */
+ 	List	   *targetlist;		/* Targetlist for new subquery RTE */
+ 	List	   *colnames;		/* Column names in subquery RTE */
+ 	List	   *vars_processed;	/* List of Vars already processed */
+ } security_barrier_replace_vars_context;
+ 
+ static void expand_security_qual(Query *parse, List *tlist, int rt_index, Node *qual);
+ 
+ static void security_barrier_replace_vars(Node *node,
+ 							  security_barrier_replace_vars_context *context);
+ 
+ static bool security_barrier_replace_vars_walker(Node *node,
+ 									 security_barrier_replace_vars_context *context);
+ 
+ 
+ /*
+  * expand_security_quals -
+  *	  expands any security barrier quals on RTEs in the query rtable, turning
+  *	  them into security barrier subqueries.
+  *
+  * Any given RTE may have multiple security barrier quals in a list, from which
+  * we create a set of nested subqueries to isolate each security barrier from
+  * the others, providing protection against malicious user-defined security
+  * barriers.  The first security barrier qual in the list will be used in the
+  * innermost subquery.
+  */
+ void
+ expand_security_quals(PlannerInfo *root, List *tlist)
+ {
+ 	Query	   *parse = root->parse;
+ 	int			rt_index;
+ 
+ 	/*
+ 	 * Process each RTE in the rtable list.
+ 	 *
+ 	 * Note that this is deliberately not a foreach loop, since the rtable may
+ 	 * be modified each time through the loop.
+ 	 */
+ 	rt_index = 0;
+ 	while (rt_index < list_length(parse->rtable))
+ 	{
+ 		RangeTblEntry *rte;
+ 
+ 		rt_index++;
+ 		rte = rt_fetch(rt_index, parse->rtable);
+ 
+ 		if (rte->securityQuals == NIL)
+ 			continue;
+ 
+ 		/*
+ 		 * Ignore any RTEs that aren't used in the query (such RTEs may be
+ 		 * present for permissions checks).
+ 		 */
+ 		if (rt_index != parse->resultRelation &&
+ 			!rangeTableEntry_used((Node *) parse, rt_index, 0))
+ 			continue;
+ 
+ 		/*
+ 		 * If this RTE is the target then we need to make a copy of it before
+ 		 * expanding it.  The unexpanded copy will become the new target, and
+ 		 * the original RTE will be expanded to become the source of rows to
+ 		 * update/delete.
+ 		 */
+ 		if (rt_index == parse->resultRelation)
+ 		{
+ 			RangeTblEntry *newrte = copyObject(rte);
+ 			parse->rtable = lappend(parse->rtable, newrte);
+ 			parse->resultRelation = list_length(parse->rtable);
+ 
+ 			/*
+ 			 * Wipe out any copied security barrier quals on the new target to
+ 			 * prevent infinite recursion.
+ 			 */
+ 			newrte->securityQuals = NIL;
+ 
+ 			/*
+ 			 * There's no need to do permissions checks twice, so wipe out the
+ 			 * permissions info for the original RTE (we prefer to keep the
+ 			 * bits set on the result RTE).
+ 			 */
+ 			rte->requiredPerms = 0;
+ 			rte->checkAsUser = InvalidOid;
+ 			rte->selectedCols = NULL;
+ 			rte->modifiedCols = NULL;
+ 
+ 			/*
+ 			 * For the most part, Vars referencing the original relation should
+ 			 * remain as they are, meaning that they pull OLD values from the
+ 			 * expanded RTE.  But in the RETURNING list and in any WITH CHECK
+ 			 * OPTION quals, we want such Vars to represent NEW values, so
+ 			 * change them to reference the new RTE.
+ 			 */
+ 			ChangeVarNodes((Node *) parse->returningList, rt_index,
+ 						   parse->resultRelation, 0);
+ 
+ 			ChangeVarNodes((Node *) parse->withCheckOptions, rt_index,
+ 						   parse->resultRelation, 0);
+ 		}
+ 
+ 		/*
+ 		 * Process each security barrier qual in turn, starting with the
+ 		 * innermost one (the first in the list) and working outwards.
+ 		 *
+ 		 * We remove each qual from the list before processing it, so that its
+ 		 * variables aren't modified by expand_security_qual.  Also we don't
+ 		 * necessarily want the attributes referred to by the qual to be
+ 		 * exposed by the newly built subquery.
+ 		 */
+ 		while (rte->securityQuals != NIL)
+ 		{
+ 			Node   *qual = (Node *) linitial(rte->securityQuals);
+ 			rte->securityQuals = list_delete_first(rte->securityQuals);
+ 
+ 			ChangeVarNodes(qual, rt_index, 1, 0);
+ 			expand_security_qual(parse, tlist, rt_index, qual);
+ 		}
+ 	}
+ }
+ 
+ 
+ /*
+  * expand_security_qual -
+  *	  expand the specified security barrier qual on a query RTE, turning the
+  *	  RTE into a security barrier subquery.
+  */
+ static void
+ expand_security_qual(Query *parse, List *tlist, int rt_index, Node *qual)
+ {
+ 	RangeTblEntry  *rte;
+ 	Oid				relid;
+ 	Query		   *subquery;
+ 	RangeTblEntry  *subrte;
+ 	RangeTblRef	   *subrtr;
+ 	security_barrier_replace_vars_context context;
+ 	ListCell	   *cell;
+ 
+ 	rte = rt_fetch(rt_index, parse->rtable);
+ 	relid = rte->relid;
+ 
+ 	/*
+ 	 * There should only be 2 possible cases:
+ 	 *
+ 	 * 1. A relation RTE, which we turn into a subquery RTE containing all
+ 	 * referenced columns.
+ 	 *
+ 	 * 2. A subquery RTE (either from a prior call to this function or from an
+ 	 * expanded view).  In this case we build a new subquery on top of it to
+ 	 * isolate this security barrier qual from any other quals.
+ 	 */
+ 	switch (rte->rtekind)
+ 	{
+ 		case RTE_RELATION:
+ 			/*
+ 			 * Turn the relation RTE into a security barrier subquery RTE,
+ 			 * moving all permissions checks down into the subquery.
+ 			 */
+ 			subquery = makeNode(Query);
+ 			subquery->commandType = CMD_SELECT;
+ 			subquery->querySource = QSRC_INSTEAD_RULE;
+ 
+ 			subrte = copyObject(rte);
+ 			subrte->inFromCl = true;
+ 			subrte->securityQuals = NIL;
+ 			subquery->rtable = list_make1(subrte);
+ 
+ 			subrtr = makeNode(RangeTblRef);
+ 			subrtr->rtindex = 1;
+ 			subquery->jointree = makeFromExpr(list_make1(subrtr), qual);
+ 			subquery->hasSubLinks = checkExprHasSubLink(qual);
+ 
+ 			rte->rtekind = RTE_SUBQUERY;
+ 			rte->relid = InvalidOid;
+ 			rte->subquery = subquery;
+ 			rte->security_barrier = true;
+ 			rte->inh = false;			/* must not be set for a subquery */
+ 
+ 			/* the permissions checks have now been moved down */
+ 			rte->requiredPerms = 0;
+ 			rte->checkAsUser = InvalidOid;
+ 			rte->selectedCols = NULL;
+ 			rte->modifiedCols = NULL;
+ 
+ 			/*
+ 			 * Replace any variables in the outer query that refer to the
+ 			 * original relation RTE with references to columns that we will
+ 			 * expose in the new subquery, building the subquery's targetlist
+ 			 * as we go.
+ 			 */
+ 			context.rt_index = rt_index;
+ 			context.sublevels_up = 0;
+ 			context.rel = heap_open(relid, NoLock);
+ 			context.targetlist = NIL;
+ 			context.colnames = NIL;
+ 			context.vars_processed = NIL;
+ 
+ 			security_barrier_replace_vars((Node *) parse, &context);
+ 			security_barrier_replace_vars((Node *) tlist, &context);
+ 
+ 			heap_close(context.rel, NoLock);
+ 
+ 			/* Now we know what columns the subquery needs to expose */
+ 			rte->subquery->targetList = context.targetlist;
+ 			rte->eref = makeAlias(rte->eref->aliasname, context.colnames);
+ 
+ 			break;
+ 
+ 		case RTE_SUBQUERY:
+ 			/*
+ 			 * Build a new subquery that includes all the same columns as the
+ 			 * original subquery.
+ 			 */
+ 			subquery = makeNode(Query);
+ 			subquery->commandType = CMD_SELECT;
+ 			subquery->querySource = QSRC_INSTEAD_RULE;
+ 			subquery->targetList = NIL;
+ 
+ 			foreach(cell, rte->subquery->targetList)
+ 			{
+ 				TargetEntry	   *tle;
+ 				Var			   *var;
+ 
+ 				tle = (TargetEntry *) lfirst(cell);
+ 				var = makeVarFromTargetEntry(1, tle);
+ 
+ 				tle = makeTargetEntry((Expr *) var,
+ 									  list_length(subquery->targetList) + 1,
+ 									  pstrdup(tle->resname),
+ 									  tle->resjunk);
+ 				subquery->targetList = lappend(subquery->targetList, tle);
+ 			}
+ 
+ 			subrte = makeNode(RangeTblEntry);
+ 			subrte->rtekind = RTE_SUBQUERY;
+ 			subrte->subquery = rte->subquery;
+ 			subrte->security_barrier = rte->security_barrier;
+ 			subrte->eref = copyObject(rte->eref);
+ 			subrte->inFromCl = true;
+ 			subquery->rtable = list_make1(subrte);
+ 
+ 			subrtr = makeNode(RangeTblRef);
+ 			subrtr->rtindex = 1;
+ 			subquery->jointree = makeFromExpr(list_make1(subrtr), qual);
+ 			subquery->hasSubLinks = checkExprHasSubLink(qual);
+ 
+ 			rte->subquery = subquery;
+ 			rte->security_barrier = true;
+ 
+ 			break;
+ 
+ 		default:
+ 			elog(ERROR, "invalid range table entry for security barrier qual");
+ 	}
+ }
+ 
+ 
+ /*
+  * security_barrier_replace_vars -
+  *	  Apply security barrier variable replacement to an expression tree.
+  *
+  * This also builds/updates a targetlist with entries for each replacement
+  * variable that needs to be exposed by the security barrier subquery RTE.
+  *
+  * NOTE: although this has the form of a walker, we cheat and modify the
+  * nodes in-place.	The given expression tree should have been copied
+  * earlier to ensure that no unwanted side-effects occur!
+  */
+ static void
+ security_barrier_replace_vars(Node *node,
+ 							  security_barrier_replace_vars_context *context)
+ {
+ 	/*
+ 	 * Must be prepared to start with a Query or a bare expression tree; if
+ 	 * it's a Query, go straight to query_tree_walker to make sure that
+ 	 * sublevels_up doesn't get incremented prematurely.
+ 	 */
+ 	if (node && IsA(node, Query))
+ 		query_tree_walker((Query *) node,
+ 						  security_barrier_replace_vars_walker,
+ 						  (void *) context, 0);
+ 	else
+ 		security_barrier_replace_vars_walker(node, context);
+ }
+ 
+ static bool
+ security_barrier_replace_vars_walker(Node *node,
+ 									 security_barrier_replace_vars_context *context)
+ {
+ 	if (node == NULL)
+ 		return false;
+ 	if (IsA(node, Var))
+ 	{
+ 		Var		   *var = (Var *) node;
+ 
+ 		/*
+ 		 * Note that the same Var may be present in different lists, so we
+ 		 * need to take care not to process it multiple times.
+ 		 */
+ 		if (var->varno == context->rt_index &&
+ 			var->varlevelsup == context->sublevels_up &&
+ 			!list_member_ptr(context->vars_processed, var))
+ 		{
+ 			/*
+ 			 * Found a matching variable. Make sure that it is in the subquery
+ 			 * targetlist and map its attno accordingly.
+ 			 */
+ 			AttrNumber	attno;
+ 			ListCell   *l;
+ 			TargetEntry *tle;
+ 			char	   *attname;
+ 			Var		   *newvar;
+ 
+ 			/* Search for the base attribute in the subquery targetlist */
+ 			attno = InvalidAttrNumber;
+ 			foreach(l, context->targetlist)
+ 			{
+ 				tle = (TargetEntry *) lfirst(l);
+ 				attno++;
+ 
+ 				Assert(IsA(tle->expr, Var));
+ 				if (((Var *) tle->expr)->varattno == var->varattno &&
+ 					((Var *) tle->expr)->varcollid == var->varcollid)
+ 				{
+ 					/* Map the variable onto this subquery targetlist entry */
+ 					var->varattno = attno;
+ 					return false;
+ 				}
+ 			}
+ 
+ 			/* Not in the subquery targetlist, so add it. Get its name. */
+ 			if (var->varattno < 0)
+ 			{
+ 				Form_pg_attribute att_tup;
+ 
+ 				att_tup = SystemAttributeDefinition(var->varattno,
+ 													context->rel->rd_rel->relhasoids);
+ 				attname = NameStr(att_tup->attname);
+ 			}
+ 			else if (var->varattno == InvalidAttrNumber)
+ 			{
+ 				attname = "wholerow";
+ 			}
+ 			else if (var->varattno <= context->rel->rd_att->natts)
+ 			{
+ 				Form_pg_attribute att_tup;
+ 
+ 				att_tup = context->rel->rd_att->attrs[var->varattno - 1];
+ 				attname = NameStr(att_tup->attname);
+ 			}
+ 			else
+ 			{
+ 				elog(ERROR, "invalid attribute number %d in security_barrier_replace_vars", var->varattno);
+ 			}
+ 
+ 			/* New variable for subquery targetlist */
+ 			newvar = copyObject(var);
+ 			newvar->varno = 1;
+ 
+ 			attno = list_length(context->targetlist) + 1;
+ 			tle = makeTargetEntry((Expr *) newvar,
+ 								  attno,
+ 								  pstrdup(attname),
+ 								  false);
+ 
+ 			context->targetlist = lappend(context->targetlist, tle);
+ 
+ 			context->colnames = lappend(context->colnames,
+ 										makeString(pstrdup(attname)));
+ 
+ 			/* Update the outer query's variable */
+ 			var->varattno = attno;
+ 
+ 			/* Remember this Var so that we don't process it again */
+ 			context->vars_processed = lappend(context->vars_processed, var);
+ 		}
+ 		return false;
+ 	}
+ 
+ 	if (IsA(node, Query))
+ 	{
+ 		/* Recurse into subselects */
+ 		bool		result;
+ 
+ 		context->sublevels_up++;
+ 		result = query_tree_walker((Query *) node,
+ 								   security_barrier_replace_vars_walker,
+ 								   (void *) context, 0);
+ 		context->sublevels_up--;
+ 		return result;
+ 	}
+ 	return expression_tree_walker(node, security_barrier_replace_vars_walker,
+ 								  (void *) context);
+ }
diff --git a/src/backend/rewrite/rewriteHandler.c b/src/backend/rewrite/rewriteHandler.c
new file mode 100644
index 50cb753..c1004f1
*** a/src/backend/rewrite/rewriteHandler.c
--- b/src/backend/rewrite/rewriteHandler.c
*************** view_col_is_auto_updatable(RangeTblRef *
*** 1973,1980 ****
   * updatable.
   */
  const char *
! view_query_is_auto_updatable(Query *viewquery, bool security_barrier,
! 							 bool check_cols)
  {
  	RangeTblRef *rtr;
  	RangeTblEntry *base_rte;
--- 1973,1979 ----
   * updatable.
   */
  const char *
! view_query_is_auto_updatable(Query *viewquery, bool check_cols)
  {
  	RangeTblRef *rtr;
  	RangeTblEntry *base_rte;
*************** view_query_is_auto_updatable(Query *view
*** 2048,2061 ****
  		return gettext_noop("Views that return set-returning functions are not automatically updatable.");
  
  	/*
- 	 * For now, we also don't support security-barrier views, because of the
- 	 * difficulty of keeping upper-level qual expressions away from
- 	 * lower-level data.  This might get relaxed in the future.
- 	 */
- 	if (security_barrier)
- 		return gettext_noop("Security-barrier views are not automatically updatable.");
- 
- 	/*
  	 * The view query should select from a single base relation, which must be
  	 * a table or another view.
  	 */
--- 2047,2052 ----
*************** relation_is_updatable(Oid reloid,
*** 2303,2311 ****
  	{
  		Query	   *viewquery = get_view_query(rel);
  
! 		if (view_query_is_auto_updatable(viewquery,
! 										 RelationIsSecurityView(rel),
! 										 false) == NULL)
  		{
  			Bitmapset  *updatable_cols;
  			int			auto_events;
--- 2294,2300 ----
  	{
  		Query	   *viewquery = get_view_query(rel);
  
! 		if (view_query_is_auto_updatable(viewquery, false) == NULL)
  		{
  			Bitmapset  *updatable_cols;
  			int			auto_events;
*************** rewriteTargetView(Query *parsetree, Rela
*** 2460,2466 ****
  
  	auto_update_detail =
  		view_query_is_auto_updatable(viewquery,
- 									 RelationIsSecurityView(view),
  									 parsetree->commandType != CMD_DELETE);
  
  	if (auto_update_detail)
--- 2449,2454 ----
*************** rewriteTargetView(Query *parsetree, Rela
*** 2664,2669 ****
--- 2652,2665 ----
  												   view_targetlist);
  
  	/*
+ 	 * Move any security barrier quals from the view RTE onto the new target
+ 	 * RTE.  Any such quals should now apply to the new target RTE and will not
+ 	 * reference the original view RTE in the rewritten query.
+ 	 */
+ 	new_rte->securityQuals = view_rte->securityQuals;
+ 	view_rte->securityQuals = NIL;
+ 
+ 	/*
  	 * For UPDATE/DELETE, rewriteTargetListUD will have added a wholerow junk
  	 * TLE for the view to the end of the targetlist, which we no longer need.
  	 * Remove it to avoid unnecessary work when we process the targetlist.
*************** rewriteTargetView(Query *parsetree, Rela
*** 2743,2748 ****
--- 2739,2748 ----
  	 * only adjust their varnos to reference the new target (just the same as
  	 * we did with the view targetlist).
  	 *
+ 	 * Note that there is special-case handling for the quals of a security
+ 	 * barrier view, since they need to be kept separate from any user-supplied
+ 	 * quals, so these quals are kept on the new target RTE.
+ 	 *
  	 * For INSERT, the view's quals can be ignored in the main query.
  	 */
  	if (parsetree->commandType != CMD_INSERT &&
*************** rewriteTargetView(Query *parsetree, Rela
*** 2751,2757 ****
  		Node	   *viewqual = (Node *) copyObject(viewquery->jointree->quals);
  
  		ChangeVarNodes(viewqual, base_rt_index, new_rt_index, 0);
! 		AddQual(parsetree, (Node *) viewqual);
  	}
  
  	/*
--- 2751,2771 ----
  		Node	   *viewqual = (Node *) copyObject(viewquery->jointree->quals);
  
  		ChangeVarNodes(viewqual, base_rt_index, new_rt_index, 0);
! 
! 		if (RelationIsSecurityView(view))
! 		{
! 			/*
! 			 * Note: the parsetree has been mutated, so the new_rte pointer is
! 			 * stale and needs to be re-computed.
! 			 */
! 			new_rte = rt_fetch(new_rt_index, parsetree->rtable);
! 			new_rte->securityQuals = lcons(viewqual, new_rte->securityQuals);
! 
! 			if (!parsetree->hasSubLinks)
! 				parsetree->hasSubLinks = checkExprHasSubLink(viewqual);
! 		}
! 		else
! 			AddQual(parsetree, (Node *) viewqual);
  	}
  
  	/*
*************** rewriteTargetView(Query *parsetree, Rela
*** 2813,2821 ****
  				 * Make sure that the query is marked correctly if the added
  				 * qual has sublinks.  We can skip this check if the query is
  				 * already marked, or if the command is an UPDATE, in which
! 				 * case the same qual will have already been added to the
! 				 * query's WHERE clause, and AddQual will have already done
! 				 * this check.
  				 */
  				if (!parsetree->hasSubLinks &&
  					parsetree->commandType != CMD_UPDATE)
--- 2827,2834 ----
  				 * Make sure that the query is marked correctly if the added
  				 * qual has sublinks.  We can skip this check if the query is
  				 * already marked, or if the command is an UPDATE, in which
! 				 * case the same qual will have already been added, and this
! 				 * check will already have been done.
  				 */
  				if (!parsetree->hasSubLinks &&
  					parsetree->commandType != CMD_UPDATE)
diff --git a/src/include/nodes/parsenodes.h b/src/include/nodes/parsenodes.h
new file mode 100644
index e89d930..36c5c98
*** a/src/include/nodes/parsenodes.h
--- b/src/include/nodes/parsenodes.h
*************** typedef struct RangeTblEntry
*** 801,806 ****
--- 801,807 ----
  	Oid			checkAsUser;	/* if valid, check access as this role */
  	Bitmapset  *selectedCols;	/* columns needing SELECT permission */
  	Bitmapset  *modifiedCols;	/* columns needing INSERT/UPDATE permission */
+ 	List	   *securityQuals;	/* any security barrier quals to apply */
  } RangeTblEntry;
  
  /*
diff --git a/src/include/optimizer/prep.h b/src/include/optimizer/prep.h
new file mode 100644
index 0934e63..e9d865d
*** a/src/include/optimizer/prep.h
--- b/src/include/optimizer/prep.h
*************** extern Node *negate_clause(Node *node);
*** 36,41 ****
--- 36,46 ----
  extern Expr *canonicalize_qual(Expr *qual);
  
  /*
+  * prototypes for prepsecurity.c
+  */
+ extern void expand_security_quals(PlannerInfo *root, List *tlist);
+ 
+ /*
   * prototypes for preptlist.c
   */
  extern List *preprocess_targetlist(PlannerInfo *root, List *tlist);
diff --git a/src/include/rewrite/rewriteHandler.h b/src/include/rewrite/rewriteHandler.h
new file mode 100644
index c959590..ce56d7b
*** a/src/include/rewrite/rewriteHandler.h
--- b/src/include/rewrite/rewriteHandler.h
*************** extern void AcquireRewriteLocks(Query *p
*** 23,29 ****
  extern Node *build_column_default(Relation rel, int attrno);
  extern Query *get_view_query(Relation view);
  extern const char *view_query_is_auto_updatable(Query *viewquery,
- 										 bool security_barrier,
  										 bool check_cols);
  extern int	relation_is_updatable(Oid reloid,
  						  bool include_triggers,
--- 23,28 ----
diff --git a/src/test/regress/expected/create_view.out b/src/test/regress/expected/create_view.out
new file mode 100644
index 91d1639..f6db582
*** a/src/test/regress/expected/create_view.out
--- b/src/test/regress/expected/create_view.out
*************** CREATE VIEW mysecview4 WITH (security_ba
*** 252,258 ****
         AS SELECT * FROM tbl1 WHERE a <> 0;
  CREATE VIEW mysecview5 WITH (security_barrier=100)	-- Error
         AS SELECT * FROM tbl1 WHERE a > 100;
! ERROR:  security_barrier requires a Boolean value
  CREATE VIEW mysecview6 WITH (invalid_option)		-- Error
         AS SELECT * FROM tbl1 WHERE a < 100;
  ERROR:  unrecognized parameter "invalid_option"
--- 252,258 ----
         AS SELECT * FROM tbl1 WHERE a <> 0;
  CREATE VIEW mysecview5 WITH (security_barrier=100)	-- Error
         AS SELECT * FROM tbl1 WHERE a > 100;
! ERROR:  invalid value for boolean option "security_barrier": 100
  CREATE VIEW mysecview6 WITH (invalid_option)		-- Error
         AS SELECT * FROM tbl1 WHERE a < 100;
  ERROR:  unrecognized parameter "invalid_option"
diff --git a/src/test/regress/expected/updatable_views.out b/src/test/regress/expected/updatable_views.out
new file mode 100644
index 99c9165..d12d384
*** a/src/test/regress/expected/updatable_views.out
--- b/src/test/regress/expected/updatable_views.out
*************** CREATE VIEW rw_view14 AS SELECT ctid, a,
*** 22,33 ****
  CREATE VIEW rw_view15 AS SELECT a, upper(b) FROM base_tbl; -- Expression/function may be part of an updatable view
  CREATE VIEW rw_view16 AS SELECT a, b, a AS aa FROM base_tbl; -- Repeated column may be part of an updatable view
  CREATE VIEW ro_view17 AS SELECT * FROM ro_view1; -- Base relation not updatable
! CREATE VIEW ro_view18 WITH (security_barrier = true)
!   AS SELECT * FROM base_tbl; -- Security barrier views not updatable
! CREATE VIEW ro_view19 AS SELECT * FROM (VALUES(1)) AS tmp(a); -- VALUES in rangetable
  CREATE SEQUENCE seq;
! CREATE VIEW ro_view20 AS SELECT * FROM seq; -- View based on a sequence
! CREATE VIEW ro_view21 AS SELECT a, b, generate_series(1, a) g FROM base_tbl; -- SRF in targetlist not supported
  SELECT table_name, is_insertable_into
    FROM information_schema.tables
   WHERE table_name LIKE E'r_\\_view%'
--- 22,31 ----
  CREATE VIEW rw_view15 AS SELECT a, upper(b) FROM base_tbl; -- Expression/function may be part of an updatable view
  CREATE VIEW rw_view16 AS SELECT a, b, a AS aa FROM base_tbl; -- Repeated column may be part of an updatable view
  CREATE VIEW ro_view17 AS SELECT * FROM ro_view1; -- Base relation not updatable
! CREATE VIEW ro_view18 AS SELECT * FROM (VALUES(1)) AS tmp(a); -- VALUES in rangetable
  CREATE SEQUENCE seq;
! CREATE VIEW ro_view19 AS SELECT * FROM seq; -- View based on a sequence
! CREATE VIEW ro_view20 AS SELECT a, b, generate_series(1, a) g FROM base_tbl; -- SRF in targetlist not supported
  SELECT table_name, is_insertable_into
    FROM information_schema.tables
   WHERE table_name LIKE E'r_\\_view%'
*************** SELECT table_name, is_insertable_into
*** 44,50 ****
   ro_view19  | NO
   ro_view2   | NO
   ro_view20  | NO
-  ro_view21  | NO
   ro_view3   | NO
   ro_view4   | NO
   ro_view5   | NO
--- 42,47 ----
*************** SELECT table_name, is_insertable_into
*** 55,61 ****
   rw_view14  | YES
   rw_view15  | YES
   rw_view16  | YES
! (21 rows)
  
  SELECT table_name, is_updatable, is_insertable_into
    FROM information_schema.views
--- 52,58 ----
   rw_view14  | YES
   rw_view15  | YES
   rw_view16  | YES
! (20 rows)
  
  SELECT table_name, is_updatable, is_insertable_into
    FROM information_schema.views
*************** SELECT table_name, is_updatable, is_inse
*** 73,79 ****
   ro_view19  | NO           | NO
   ro_view2   | NO           | NO
   ro_view20  | NO           | NO
-  ro_view21  | NO           | NO
   ro_view3   | NO           | NO
   ro_view4   | NO           | NO
   ro_view5   | NO           | NO
--- 70,75 ----
*************** SELECT table_name, is_updatable, is_inse
*** 84,90 ****
   rw_view14  | YES          | YES
   rw_view15  | YES          | YES
   rw_view16  | YES          | YES
! (21 rows)
  
  SELECT table_name, column_name, is_updatable
    FROM information_schema.columns
--- 80,86 ----
   rw_view14  | YES          | YES
   rw_view15  | YES          | YES
   rw_view16  | YES          | YES
! (20 rows)
  
  SELECT table_name, column_name, is_updatable
    FROM information_schema.columns
*************** SELECT table_name, column_name, is_updat
*** 103,125 ****
   ro_view17  | a             | NO
   ro_view17  | b             | NO
   ro_view18  | a             | NO
!  ro_view18  | b             | NO
!  ro_view19  | a             | NO
   ro_view2   | a             | NO
   ro_view2   | b             | NO
!  ro_view20  | sequence_name | NO
!  ro_view20  | last_value    | NO
!  ro_view20  | start_value   | NO
!  ro_view20  | increment_by  | NO
!  ro_view20  | max_value     | NO
!  ro_view20  | min_value     | NO
!  ro_view20  | cache_value   | NO
!  ro_view20  | log_cnt       | NO
!  ro_view20  | is_cycled     | NO
!  ro_view20  | is_called     | NO
!  ro_view21  | a             | NO
!  ro_view21  | b             | NO
!  ro_view21  | g             | NO
   ro_view3   | ?column?      | NO
   ro_view4   | count         | NO
   ro_view5   | a             | NO
--- 99,119 ----
   ro_view17  | a             | NO
   ro_view17  | b             | NO
   ro_view18  | a             | NO
!  ro_view19  | sequence_name | NO
!  ro_view19  | last_value    | NO
!  ro_view19  | start_value   | NO
!  ro_view19  | increment_by  | NO
!  ro_view19  | max_value     | NO
!  ro_view19  | min_value     | NO
!  ro_view19  | cache_value   | NO
!  ro_view19  | log_cnt       | NO
!  ro_view19  | is_cycled     | NO
!  ro_view19  | is_called     | NO
   ro_view2   | a             | NO
   ro_view2   | b             | NO
!  ro_view20  | a             | NO
!  ro_view20  | b             | NO
!  ro_view20  | g             | NO
   ro_view3   | ?column?      | NO
   ro_view4   | count         | NO
   ro_view5   | a             | NO
*************** SELECT table_name, column_name, is_updat
*** 140,146 ****
   rw_view16  | a             | YES
   rw_view16  | b             | YES
   rw_view16  | aa            | YES
! (48 rows)
  
  -- Read-only views
  DELETE FROM ro_view1;
--- 134,140 ----
   rw_view16  | a             | YES
   rw_view16  | b             | YES
   rw_view16  | aa            | YES
! (46 rows)
  
  -- Read-only views
  DELETE FROM ro_view1;
*************** INSERT INTO ro_view17 VALUES (3, 'ROW 3'
*** 268,291 ****
  ERROR:  cannot insert into view "ro_view1"
  DETAIL:  Views containing DISTINCT are not automatically updatable.
  HINT:  To enable inserting into the view, provide an INSTEAD OF INSERT trigger or an unconditional ON INSERT DO INSTEAD rule.
! INSERT INTO ro_view18 VALUES (3, 'ROW 3');
! ERROR:  cannot insert into view "ro_view18"
! DETAIL:  Security-barrier views are not automatically updatable.
! HINT:  To enable inserting into the view, provide an INSTEAD OF INSERT trigger or an unconditional ON INSERT DO INSTEAD rule.
! DELETE FROM ro_view19;
! ERROR:  cannot delete from view "ro_view19"
  DETAIL:  Views that do not select from a single table or view are not automatically updatable.
  HINT:  To enable deleting from the view, provide an INSTEAD OF DELETE trigger or an unconditional ON DELETE DO INSTEAD rule.
! UPDATE ro_view20 SET max_value=1000;
! ERROR:  cannot update view "ro_view20"
  DETAIL:  Views that do not select from a single table or view are not automatically updatable.
  HINT:  To enable updating the view, provide an INSTEAD OF UPDATE trigger or an unconditional ON UPDATE DO INSTEAD rule.
! UPDATE ro_view21 SET b=upper(b);
! ERROR:  cannot update view "ro_view21"
  DETAIL:  Views that return set-returning functions are not automatically updatable.
  HINT:  To enable updating the view, provide an INSTEAD OF UPDATE trigger or an unconditional ON UPDATE DO INSTEAD rule.
  DROP TABLE base_tbl CASCADE;
! NOTICE:  drop cascades to 17 other objects
  DETAIL:  drop cascades to view ro_view1
  drop cascades to view ro_view17
  drop cascades to view ro_view2
--- 262,281 ----
  ERROR:  cannot insert into view "ro_view1"
  DETAIL:  Views containing DISTINCT are not automatically updatable.
  HINT:  To enable inserting into the view, provide an INSTEAD OF INSERT trigger or an unconditional ON INSERT DO INSTEAD rule.
! DELETE FROM ro_view18;
! ERROR:  cannot delete from view "ro_view18"
  DETAIL:  Views that do not select from a single table or view are not automatically updatable.
  HINT:  To enable deleting from the view, provide an INSTEAD OF DELETE trigger or an unconditional ON DELETE DO INSTEAD rule.
! UPDATE ro_view19 SET max_value=1000;
! ERROR:  cannot update view "ro_view19"
  DETAIL:  Views that do not select from a single table or view are not automatically updatable.
  HINT:  To enable updating the view, provide an INSTEAD OF UPDATE trigger or an unconditional ON UPDATE DO INSTEAD rule.
! UPDATE ro_view20 SET b=upper(b);
! ERROR:  cannot update view "ro_view20"
  DETAIL:  Views that return set-returning functions are not automatically updatable.
  HINT:  To enable updating the view, provide an INSTEAD OF UPDATE trigger or an unconditional ON UPDATE DO INSTEAD rule.
  DROP TABLE base_tbl CASCADE;
! NOTICE:  drop cascades to 16 other objects
  DETAIL:  drop cascades to view ro_view1
  drop cascades to view ro_view17
  drop cascades to view ro_view2
*************** drop cascades to view ro_view11
*** 299,311 ****
  drop cascades to view ro_view13
  drop cascades to view rw_view15
  drop cascades to view rw_view16
! drop cascades to view ro_view18
! drop cascades to view ro_view21
  drop cascades to view ro_view4
  drop cascades to view rw_view14
! DROP VIEW ro_view10, ro_view12, ro_view19;
  DROP SEQUENCE seq CASCADE;
! NOTICE:  drop cascades to view ro_view20
  -- simple updatable view
  CREATE TABLE base_tbl (a int PRIMARY KEY, b text DEFAULT 'Unspecified');
  INSERT INTO base_tbl SELECT i, 'Row ' || i FROM generate_series(-2, 2) g(i);
--- 289,300 ----
  drop cascades to view ro_view13
  drop cascades to view rw_view15
  drop cascades to view rw_view16
! drop cascades to view ro_view20
  drop cascades to view ro_view4
  drop cascades to view rw_view14
! DROP VIEW ro_view10, ro_view12, ro_view18;
  DROP SEQUENCE seq CASCADE;
! NOTICE:  drop cascades to view ro_view19
  -- simple updatable view
  CREATE TABLE base_tbl (a int PRIMARY KEY, b text DEFAULT 'Unspecified');
  INSERT INTO base_tbl SELECT i, 'Row ' || i FROM generate_series(-2, 2) g(i);
*************** INSERT INTO rw_view2 VALUES (2,3); -- ok
*** 1739,1742 ****
--- 1728,1923 ----
  DROP TABLE base_tbl CASCADE;
  NOTICE:  drop cascades to 2 other objects
  DETAIL:  drop cascades to view rw_view1
+ drop cascades to view rw_view2
+ -- security barrier view
+ CREATE TABLE base_tbl (person text, visibility text);
+ INSERT INTO base_tbl VALUES ('Tom', 'public'),
+                             ('Dick', 'private'),
+                             ('Harry', 'public');
+ CREATE VIEW rw_view1 AS
+   SELECT person FROM base_tbl WHERE visibility = 'public';
+ CREATE FUNCTION snoop(val text)
+ RETURNS boolean AS
+ $$
+ BEGIN
+   RAISE NOTICE 'snooped value: %', val;
+   RETURN true;
+ END;
+ $$
+ LANGUAGE plpgsql COST 0.000001;
+ SELECT * FROM rw_view1 WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Dick
+ NOTICE:  snooped value: Harry
+  person 
+ --------
+  Tom
+  Harry
+ (2 rows)
+ 
+ UPDATE rw_view1 SET person=person WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Dick
+ NOTICE:  snooped value: Harry
+ DELETE FROM rw_view1 WHERE NOT snoop(person);
+ NOTICE:  snooped value: Dick
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ ALTER VIEW rw_view1 SET (security_barrier = true);
+ SELECT table_name, is_insertable_into
+   FROM information_schema.tables
+  WHERE table_name = 'rw_view1';
+  table_name | is_insertable_into 
+ ------------+--------------------
+  rw_view1   | YES
+ (1 row)
+ 
+ SELECT table_name, is_updatable, is_insertable_into
+   FROM information_schema.views
+  WHERE table_name = 'rw_view1';
+  table_name | is_updatable | is_insertable_into 
+ ------------+--------------+--------------------
+  rw_view1   | YES          | YES
+ (1 row)
+ 
+ SELECT table_name, column_name, is_updatable
+   FROM information_schema.columns
+  WHERE table_name = 'rw_view1'
+  ORDER BY ordinal_position;
+  table_name | column_name | is_updatable 
+ ------------+-------------+--------------
+  rw_view1   | person      | YES
+ (1 row)
+ 
+ SELECT * FROM rw_view1 WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+  person 
+ --------
+  Tom
+  Harry
+ (2 rows)
+ 
+ UPDATE rw_view1 SET person=person WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ DELETE FROM rw_view1 WHERE NOT snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ EXPLAIN (costs off) SELECT * FROM rw_view1 WHERE snoop(person);
+                   QUERY PLAN                   
+ -----------------------------------------------
+  Subquery Scan on rw_view1
+    Filter: snoop(rw_view1.person)
+    ->  Seq Scan on base_tbl
+          Filter: (visibility = 'public'::text)
+ (4 rows)
+ 
+ EXPLAIN (costs off) UPDATE rw_view1 SET person=person WHERE snoop(person);
+                      QUERY PLAN                      
+ -----------------------------------------------------
+  Update on base_tbl base_tbl_1
+    ->  Subquery Scan on base_tbl
+          Filter: snoop(base_tbl.person)
+          ->  Seq Scan on base_tbl base_tbl_2
+                Filter: (visibility = 'public'::text)
+ (5 rows)
+ 
+ EXPLAIN (costs off) DELETE FROM rw_view1 WHERE NOT snoop(person);
+                      QUERY PLAN                      
+ -----------------------------------------------------
+  Delete on base_tbl base_tbl_1
+    ->  Subquery Scan on base_tbl
+          Filter: (NOT snoop(base_tbl.person))
+          ->  Seq Scan on base_tbl base_tbl_2
+                Filter: (visibility = 'public'::text)
+ (5 rows)
+ 
+ -- security barrier view on top of security barrier view
+ CREATE VIEW rw_view2 WITH (security_barrier = true) AS
+   SELECT * FROM rw_view1 WHERE snoop(person);
+ SELECT table_name, is_insertable_into
+   FROM information_schema.tables
+  WHERE table_name = 'rw_view2';
+  table_name | is_insertable_into 
+ ------------+--------------------
+  rw_view2   | YES
+ (1 row)
+ 
+ SELECT table_name, is_updatable, is_insertable_into
+   FROM information_schema.views
+  WHERE table_name = 'rw_view2';
+  table_name | is_updatable | is_insertable_into 
+ ------------+--------------+--------------------
+  rw_view2   | YES          | YES
+ (1 row)
+ 
+ SELECT table_name, column_name, is_updatable
+   FROM information_schema.columns
+  WHERE table_name = 'rw_view2'
+  ORDER BY ordinal_position;
+  table_name | column_name | is_updatable 
+ ------------+-------------+--------------
+  rw_view2   | person      | YES
+ (1 row)
+ 
+ SELECT * FROM rw_view2 WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ NOTICE:  snooped value: Harry
+  person 
+ --------
+  Tom
+  Harry
+ (2 rows)
+ 
+ UPDATE rw_view2 SET person=person WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ NOTICE:  snooped value: Harry
+ DELETE FROM rw_view2 WHERE NOT snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ NOTICE:  snooped value: Harry
+ EXPLAIN (costs off) SELECT * FROM rw_view2 WHERE snoop(person);
+                      QUERY PLAN                      
+ -----------------------------------------------------
+  Subquery Scan on rw_view2
+    Filter: snoop(rw_view2.person)
+    ->  Subquery Scan on rw_view1
+          Filter: snoop(rw_view1.person)
+          ->  Seq Scan on base_tbl
+                Filter: (visibility = 'public'::text)
+ (6 rows)
+ 
+ EXPLAIN (costs off) UPDATE rw_view2 SET person=person WHERE snoop(person);
+                         QUERY PLAN                         
+ -----------------------------------------------------------
+  Update on base_tbl base_tbl_1
+    ->  Subquery Scan on base_tbl
+          Filter: snoop(base_tbl.person)
+          ->  Subquery Scan on base_tbl_2
+                Filter: snoop(base_tbl_2.person)
+                ->  Seq Scan on base_tbl base_tbl_3
+                      Filter: (visibility = 'public'::text)
+ (7 rows)
+ 
+ EXPLAIN (costs off) DELETE FROM rw_view2 WHERE NOT snoop(person);
+                         QUERY PLAN                         
+ -----------------------------------------------------------
+  Delete on base_tbl base_tbl_1
+    ->  Subquery Scan on base_tbl
+          Filter: (NOT snoop(base_tbl.person))
+          ->  Subquery Scan on base_tbl_2
+                Filter: snoop(base_tbl_2.person)
+                ->  Seq Scan on base_tbl base_tbl_3
+                      Filter: (visibility = 'public'::text)
+ (7 rows)
+ 
+ DROP TABLE base_tbl CASCADE;
+ NOTICE:  drop cascades to 2 other objects
+ DETAIL:  drop cascades to view rw_view1
  drop cascades to view rw_view2
diff --git a/src/test/regress/sql/updatable_views.sql b/src/test/regress/sql/updatable_views.sql
new file mode 100644
index a77cf19..6b352c1
*** a/src/test/regress/sql/updatable_views.sql
--- b/src/test/regress/sql/updatable_views.sql
*************** CREATE VIEW rw_view14 AS SELECT ctid, a,
*** 25,36 ****
  CREATE VIEW rw_view15 AS SELECT a, upper(b) FROM base_tbl; -- Expression/function may be part of an updatable view
  CREATE VIEW rw_view16 AS SELECT a, b, a AS aa FROM base_tbl; -- Repeated column may be part of an updatable view
  CREATE VIEW ro_view17 AS SELECT * FROM ro_view1; -- Base relation not updatable
! CREATE VIEW ro_view18 WITH (security_barrier = true)
!   AS SELECT * FROM base_tbl; -- Security barrier views not updatable
! CREATE VIEW ro_view19 AS SELECT * FROM (VALUES(1)) AS tmp(a); -- VALUES in rangetable
  CREATE SEQUENCE seq;
! CREATE VIEW ro_view20 AS SELECT * FROM seq; -- View based on a sequence
! CREATE VIEW ro_view21 AS SELECT a, b, generate_series(1, a) g FROM base_tbl; -- SRF in targetlist not supported
  
  SELECT table_name, is_insertable_into
    FROM information_schema.tables
--- 25,34 ----
  CREATE VIEW rw_view15 AS SELECT a, upper(b) FROM base_tbl; -- Expression/function may be part of an updatable view
  CREATE VIEW rw_view16 AS SELECT a, b, a AS aa FROM base_tbl; -- Repeated column may be part of an updatable view
  CREATE VIEW ro_view17 AS SELECT * FROM ro_view1; -- Base relation not updatable
! CREATE VIEW ro_view18 AS SELECT * FROM (VALUES(1)) AS tmp(a); -- VALUES in rangetable
  CREATE SEQUENCE seq;
! CREATE VIEW ro_view19 AS SELECT * FROM seq; -- View based on a sequence
! CREATE VIEW ro_view20 AS SELECT a, b, generate_series(1, a) g FROM base_tbl; -- SRF in targetlist not supported
  
  SELECT table_name, is_insertable_into
    FROM information_schema.tables
*************** SELECT * FROM base_tbl;
*** 87,99 ****
  DELETE FROM rw_view16 WHERE a=-3; -- should be OK
  -- Read-only views
  INSERT INTO ro_view17 VALUES (3, 'ROW 3');
! INSERT INTO ro_view18 VALUES (3, 'ROW 3');
! DELETE FROM ro_view19;
! UPDATE ro_view20 SET max_value=1000;
! UPDATE ro_view21 SET b=upper(b);
  
  DROP TABLE base_tbl CASCADE;
! DROP VIEW ro_view10, ro_view12, ro_view19;
  DROP SEQUENCE seq CASCADE;
  
  -- simple updatable view
--- 85,96 ----
  DELETE FROM rw_view16 WHERE a=-3; -- should be OK
  -- Read-only views
  INSERT INTO ro_view17 VALUES (3, 'ROW 3');
! DELETE FROM ro_view18;
! UPDATE ro_view19 SET max_value=1000;
! UPDATE ro_view20 SET b=upper(b);
  
  DROP TABLE base_tbl CASCADE;
! DROP VIEW ro_view10, ro_view12, ro_view18;
  DROP SEQUENCE seq CASCADE;
  
  -- simple updatable view
*************** CREATE VIEW rw_view2 AS
*** 828,830 ****
--- 825,902 ----
    SELECT * FROM rw_view1 WHERE a > b WITH LOCAL CHECK OPTION;
  INSERT INTO rw_view2 VALUES (2,3); -- ok, but not in view (doesn't fail rw_view2's check)
  DROP TABLE base_tbl CASCADE;
+ 
+ -- security barrier view
+ 
+ CREATE TABLE base_tbl (person text, visibility text);
+ INSERT INTO base_tbl VALUES ('Tom', 'public'),
+                             ('Dick', 'private'),
+                             ('Harry', 'public');
+ 
+ CREATE VIEW rw_view1 AS
+   SELECT person FROM base_tbl WHERE visibility = 'public';
+ 
+ CREATE FUNCTION snoop(val text)
+ RETURNS boolean AS
+ $$
+ BEGIN
+   RAISE NOTICE 'snooped value: %', val;
+   RETURN true;
+ END;
+ $$
+ LANGUAGE plpgsql COST 0.000001;
+ 
+ SELECT * FROM rw_view1 WHERE snoop(person);
+ UPDATE rw_view1 SET person=person WHERE snoop(person);
+ DELETE FROM rw_view1 WHERE NOT snoop(person);
+ 
+ ALTER VIEW rw_view1 SET (security_barrier = true);
+ 
+ SELECT table_name, is_insertable_into
+   FROM information_schema.tables
+  WHERE table_name = 'rw_view1';
+ 
+ SELECT table_name, is_updatable, is_insertable_into
+   FROM information_schema.views
+  WHERE table_name = 'rw_view1';
+ 
+ SELECT table_name, column_name, is_updatable
+   FROM information_schema.columns
+  WHERE table_name = 'rw_view1'
+  ORDER BY ordinal_position;
+ 
+ SELECT * FROM rw_view1 WHERE snoop(person);
+ UPDATE rw_view1 SET person=person WHERE snoop(person);
+ DELETE FROM rw_view1 WHERE NOT snoop(person);
+ 
+ EXPLAIN (costs off) SELECT * FROM rw_view1 WHERE snoop(person);
+ EXPLAIN (costs off) UPDATE rw_view1 SET person=person WHERE snoop(person);
+ EXPLAIN (costs off) DELETE FROM rw_view1 WHERE NOT snoop(person);
+ 
+ -- security barrier view on top of security barrier view
+ 
+ CREATE VIEW rw_view2 WITH (security_barrier = true) AS
+   SELECT * FROM rw_view1 WHERE snoop(person);
+ 
+ SELECT table_name, is_insertable_into
+   FROM information_schema.tables
+  WHERE table_name = 'rw_view2';
+ 
+ SELECT table_name, is_updatable, is_insertable_into
+   FROM information_schema.views
+  WHERE table_name = 'rw_view2';
+ 
+ SELECT table_name, column_name, is_updatable
+   FROM information_schema.columns
+  WHERE table_name = 'rw_view2'
+  ORDER BY ordinal_position;
+ 
+ SELECT * FROM rw_view2 WHERE snoop(person);
+ UPDATE rw_view2 SET person=person WHERE snoop(person);
+ DELETE FROM rw_view2 WHERE NOT snoop(person);
+ 
+ EXPLAIN (costs off) SELECT * FROM rw_view2 WHERE snoop(person);
+ EXPLAIN (costs off) UPDATE rw_view2 SET person=person WHERE snoop(person);
+ EXPLAIN (costs off) DELETE FROM rw_view2 WHERE NOT snoop(person);
+ 
+ DROP TABLE base_tbl CASCADE;

diff --git a/doc/src/sgml/ref/create_view.sgml b/doc/src/sgml/ref/create_view.sgml
new file mode 100644
index e0fbe1e..888410f
*** a/doc/src/sgml/ref/create_view.sgml
--- b/doc/src/sgml/ref/create_view.sgml
*************** CREATE VIEW vista AS SELECT text 'Hello
*** 323,334 ****
         or set-returning functions.
        </para>
       </listitem>
- 
-      <listitem>
-       <para>
-        The view must not have the <literal>security_barrier</> property.
-       </para>
-      </listitem>
      </itemizedlist>
     </para>
  
--- 323,328 ----
diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c
new file mode 100644
index 466d757..5b7e31a
*** a/src/backend/commands/tablecmds.c
--- b/src/backend/commands/tablecmds.c
*************** ATExecSetRelOptions(Relation rel, List *
*** 8806,8812 ****
  		List	   *view_options = untransformRelOptions(newOptions);
  		ListCell   *cell;
  		bool		check_option = false;
- 		bool		security_barrier = false;
  
  		foreach(cell, view_options)
  		{
--- 8806,8811 ----
*************** ATExecSetRelOptions(Relation rel, List *
*** 8814,8821 ****
  
  			if (pg_strcasecmp(defel->defname, "check_option") == 0)
  				check_option = true;
- 			if (pg_strcasecmp(defel->defname, "security_barrier") == 0)
- 				security_barrier = defGetBoolean(defel);
  		}
  
  		/*
--- 8813,8818 ----
*************** ATExecSetRelOptions(Relation rel, List *
*** 8825,8832 ****
  		if (check_option)
  		{
  			const char *view_updatable_error =
! 				view_query_is_auto_updatable(view_query,
! 											 security_barrier, true);
  
  			if (view_updatable_error)
  				ereport(ERROR,
--- 8822,8828 ----
  		if (check_option)
  		{
  			const char *view_updatable_error =
! 				view_query_is_auto_updatable(view_query, true);
  
  			if (view_updatable_error)
  				ereport(ERROR,
diff --git a/src/backend/commands/view.c b/src/backend/commands/view.c
new file mode 100644
index 1735762..bc08566
*** a/src/backend/commands/view.c
--- b/src/backend/commands/view.c
*************** DefineView(ViewStmt *stmt, const char *q
*** 396,402 ****
  	RangeVar   *view;
  	ListCell   *cell;
  	bool		check_option;
- 	bool		security_barrier;
  
  	/*
  	 * Run parse analysis to convert the raw parse tree to a Query.  Note this
--- 396,401 ----
*************** DefineView(ViewStmt *stmt, const char *q
*** 451,457 ****
  	 * specified.
  	 */
  	check_option = false;
- 	security_barrier = false;
  
  	foreach(cell, stmt->options)
  	{
--- 450,455 ----
*************** DefineView(ViewStmt *stmt, const char *q
*** 459,466 ****
  
  		if (pg_strcasecmp(defel->defname, "check_option") == 0)
  			check_option = true;
- 		if (pg_strcasecmp(defel->defname, "security_barrier") == 0)
- 			security_barrier = defGetBoolean(defel);
  	}
  
  	/*
--- 457,462 ----
*************** DefineView(ViewStmt *stmt, const char *q
*** 470,476 ****
  	if (check_option)
  	{
  		const char *view_updatable_error =
! 			view_query_is_auto_updatable(viewParse, security_barrier, true);
  
  		if (view_updatable_error)
  			ereport(ERROR,
--- 466,472 ----
  	if (check_option)
  	{
  		const char *view_updatable_error =
! 			view_query_is_auto_updatable(viewParse, true);
  
  		if (view_updatable_error)
  			ereport(ERROR,
diff --git a/src/backend/nodes/copyfuncs.c b/src/backend/nodes/copyfuncs.c
new file mode 100644
index fb4ce2c..e8cdbfb
*** a/src/backend/nodes/copyfuncs.c
--- b/src/backend/nodes/copyfuncs.c
*************** _copyRangeTblEntry(const RangeTblEntry *
*** 1998,2003 ****
--- 1998,2004 ----
  	COPY_SCALAR_FIELD(checkAsUser);
  	COPY_BITMAPSET_FIELD(selectedCols);
  	COPY_BITMAPSET_FIELD(modifiedCols);
+ 	COPY_NODE_FIELD(securityQuals);
  
  	return newnode;
  }
diff --git a/src/backend/nodes/equalfuncs.c b/src/backend/nodes/equalfuncs.c
new file mode 100644
index ccf7267..0411519
*** a/src/backend/nodes/equalfuncs.c
--- b/src/backend/nodes/equalfuncs.c
*************** _equalRangeTblEntry(const RangeTblEntry
*** 2278,2283 ****
--- 2278,2284 ----
  	COMPARE_SCALAR_FIELD(checkAsUser);
  	COMPARE_BITMAPSET_FIELD(selectedCols);
  	COMPARE_BITMAPSET_FIELD(modifiedCols);
+ 	COMPARE_NODE_FIELD(securityQuals);
  
  	return true;
  }
diff --git a/src/backend/nodes/nodeFuncs.c b/src/backend/nodes/nodeFuncs.c
new file mode 100644
index 123f2a6..1e48a7f
*** a/src/backend/nodes/nodeFuncs.c
--- b/src/backend/nodes/nodeFuncs.c
*************** range_table_walker(List *rtable,
*** 2020,2025 ****
--- 2020,2028 ----
  					return true;
  				break;
  		}
+ 
+ 		if (walker(rte->securityQuals, context))
+ 			return true;
  	}
  	return false;
  }
*************** range_table_mutator(List *rtable,
*** 2755,2760 ****
--- 2758,2764 ----
  				MUTATE(newrte->values_lists, rte->values_lists, List *);
  				break;
  		}
+ 		MUTATE(newrte->securityQuals, rte->securityQuals, List *);
  		newrt = lappend(newrt, newrte);
  	}
  	return newrt;
diff --git a/src/backend/nodes/outfuncs.c b/src/backend/nodes/outfuncs.c
new file mode 100644
index 568c3b8..a0e3286
*** a/src/backend/nodes/outfuncs.c
--- b/src/backend/nodes/outfuncs.c
*************** _outRangeTblEntry(StringInfo str, const
*** 2409,2414 ****
--- 2409,2415 ----
  	WRITE_OID_FIELD(checkAsUser);
  	WRITE_BITMAPSET_FIELD(selectedCols);
  	WRITE_BITMAPSET_FIELD(modifiedCols);
+ 	WRITE_NODE_FIELD(securityQuals);
  }
  
  static void
diff --git a/src/backend/nodes/readfuncs.c b/src/backend/nodes/readfuncs.c
new file mode 100644
index 8a7a662..c81c5cb
*** a/src/backend/nodes/readfuncs.c
--- b/src/backend/nodes/readfuncs.c
*************** _readRangeTblEntry(void)
*** 1250,1255 ****
--- 1250,1256 ----
  	READ_OID_FIELD(checkAsUser);
  	READ_BITMAPSET_FIELD(selectedCols);
  	READ_BITMAPSET_FIELD(modifiedCols);
+ 	READ_NODE_FIELD(securityQuals);
  
  	READ_DONE();
  }
diff --git a/src/backend/optimizer/plan/planner.c b/src/backend/optimizer/plan/planner.c
new file mode 100644
index 35bda67..1beb6c8
*** a/src/backend/optimizer/plan/planner.c
--- b/src/backend/optimizer/plan/planner.c
*************** inheritance_planner(PlannerInfo *root)
*** 916,921 ****
--- 916,927 ----
  		subplan = grouping_planner(&subroot, 0.0 /* retrieve all tuples */ );
  
  		/*
+ 		 * Planning may have modified the query result relation (if there
+ 		 * were security barrier quals on the result RTE).
+ 		 */
+ 		appinfo->child_relid = subroot.parse->resultRelation;
+ 
+ 		/*
  		 * If this child rel was excluded by constraint exclusion, exclude it
  		 * from the result plan.
  		 */
*************** inheritance_planner(PlannerInfo *root)
*** 932,940 ****
  		if (final_rtable == NIL)
  			final_rtable = subroot.parse->rtable;
  		else
! 			final_rtable = list_concat(final_rtable,
  									   list_copy_tail(subroot.parse->rtable,
  												 list_length(final_rtable)));
  
  		/*
  		 * We need to collect all the RelOptInfos from all child plans into
--- 938,969 ----
  		if (final_rtable == NIL)
  			final_rtable = subroot.parse->rtable;
  		else
! 		{
! 			List	   *tmp_rtable = NIL;
! 			ListCell   *cell1, *cell2;
! 
! 			/*
! 			 * Planning this new child may have turned some of the original
! 			 * RTEs into subqueries (if they had security barrier quals). If
! 			 * so, we want to use these in the final rtable.
! 			 */
! 			forboth(cell1, final_rtable, cell2, subroot.parse->rtable)
! 			{
! 				RangeTblEntry *rte1 = (RangeTblEntry *) lfirst(cell1);
! 				RangeTblEntry *rte2 = (RangeTblEntry *) lfirst(cell2);
! 
! 				if (rte1->rtekind == RTE_RELATION &&
! 					rte1->securityQuals != NIL &&
! 					rte2->rtekind == RTE_SUBQUERY)
! 					tmp_rtable = lappend(tmp_rtable, rte2);
! 				else
! 					tmp_rtable = lappend(tmp_rtable, rte1);
! 			}
! 
! 			final_rtable = list_concat(tmp_rtable,
  									   list_copy_tail(subroot.parse->rtable,
  												 list_length(final_rtable)));
+ 		}
  
  		/*
  		 * We need to collect all the RelOptInfos from all child plans into
*************** grouping_planner(PlannerInfo *root, doub
*** 1163,1168 ****
--- 1192,1203 ----
  		tlist = preprocess_targetlist(root, tlist);
  
  		/*
+ 		 * Expand any rangetable entries that have security barrier quals.
+ 		 * This may add new security barrier subquery RTEs to the rangetable.
+ 		 */
+ 		expand_security_quals(root, tlist);
+ 
+ 		/*
  		 * Locate any window functions in the tlist.  (We don't need to look
  		 * anywhere else, since expressions used in ORDER BY will be in there
  		 * too.)  Note that they could all have been eliminated by constant
diff --git a/src/backend/optimizer/prep/Makefile b/src/backend/optimizer/prep/Makefile
new file mode 100644
index 86301bf..5195d9b
*** a/src/backend/optimizer/prep/Makefile
--- b/src/backend/optimizer/prep/Makefile
*************** subdir = src/backend/optimizer/prep
*** 12,17 ****
  top_builddir = ../../../..
  include $(top_builddir)/src/Makefile.global
  
! OBJS = prepjointree.o prepqual.o preptlist.o prepunion.o
  
  include $(top_srcdir)/src/backend/common.mk
--- 12,17 ----
  top_builddir = ../../../..
  include $(top_builddir)/src/Makefile.global
  
! OBJS = prepjointree.o prepqual.o prepsecurity.o preptlist.o prepunion.o
  
  include $(top_srcdir)/src/backend/common.mk
diff --git a/src/backend/optimizer/prep/prepsecurity.c b/src/backend/optimizer/prep/prepsecurity.c
new file mode 100644
index ...e7a3f56
*** a/src/backend/optimizer/prep/prepsecurity.c
--- b/src/backend/optimizer/prep/prepsecurity.c
***************
*** 0 ****
--- 1,423 ----
+ /*-------------------------------------------------------------------------
+  *
+  * prepsecurity.c
+  *	  Routines for preprocessing security barrier quals.
+  *
+  * Portions Copyright (c) 1996-2013, PostgreSQL Global Development Group
+  * Portions Copyright (c) 1994, Regents of the University of California
+  *
+  *
+  * IDENTIFICATION
+  *	  src/backend/optimizer/prep/prepsecurity.c
+  *
+  *-------------------------------------------------------------------------
+  */
+ #include "postgres.h"
+ 
+ #include "access/heapam.h"
+ #include "access/sysattr.h"
+ #include "catalog/heap.h"
+ #include "nodes/makefuncs.h"
+ #include "nodes/nodeFuncs.h"
+ #include "optimizer/prep.h"
+ #include "parser/parsetree.h"
+ #include "rewrite/rewriteManip.h"
+ #include "utils/rel.h"
+ 
+ 
+ typedef struct
+ {
+ 	int			rt_index;		/* Index of security barrier RTE */
+ 	int			sublevels_up;	/* Current nesting depth */
+ 	Relation	rel;			/* RTE relation at rt_index */
+ 	List	   *targetlist;		/* Targetlist for new subquery RTE */
+ 	List	   *colnames;		/* Column names in subquery RTE */
+ 	List	   *vars_processed;	/* List of Vars already processed */
+ } security_barrier_replace_vars_context;
+ 
+ static void expand_security_qual(Query *parse, List *tlist, int rt_index, Node *qual);
+ 
+ static void security_barrier_replace_vars(Node *node,
+ 							  security_barrier_replace_vars_context *context);
+ 
+ static bool security_barrier_replace_vars_walker(Node *node,
+ 									 security_barrier_replace_vars_context *context);
+ 
+ 
+ /*
+  * expand_security_quals -
+  *	  expands any security barrier quals on RTEs in the query rtable, turning
+  *	  them into security barrier subqueries.
+  *
+  * Any given RTE may have multiple security barrier quals in a list, from which
+  * we create a set of nested subqueries to isolate each security barrier from
+  * the others, providing protection against malicious user-defined security
+  * barriers.  The first security barrier qual in the list will be used in the
+  * innermost subquery.
+  */
+ void
+ expand_security_quals(PlannerInfo *root, List *tlist)
+ {
+ 	Query	   *parse = root->parse;
+ 	int			rt_index;
+ 
+ 	/*
+ 	 * Process each RTE in the rtable list.
+ 	 *
+ 	 * Note that this is deliberately not a foreach loop, since the rtable may
+ 	 * be modified each time through the loop.
+ 	 */
+ 	rt_index = 0;
+ 	while (rt_index < list_length(parse->rtable))
+ 	{
+ 		RangeTblEntry *rte;
+ 
+ 		rt_index++;
+ 		rte = rt_fetch(rt_index, parse->rtable);
+ 
+ 		if (rte->securityQuals == NIL)
+ 			continue;
+ 
+ 		/*
+ 		 * Ignore any RTEs that aren't used in the query (such RTEs may be
+ 		 * present for permissions checks).
+ 		 */
+ 		if (rt_index != parse->resultRelation &&
+ 			!rangeTableEntry_used((Node *) parse, rt_index, 0))
+ 			continue;
+ 
+ 		/*
+ 		 * If this RTE is the target then we need to make a copy of it before
+ 		 * expanding it.  The unexpanded copy will become the new target, and
+ 		 * the original RTE will be expanded to become the source of rows to
+ 		 * update/delete.
+ 		 */
+ 		if (rt_index == parse->resultRelation)
+ 		{
+ 			RangeTblEntry *newrte = copyObject(rte);
+ 			parse->rtable = lappend(parse->rtable, newrte);
+ 			parse->resultRelation = list_length(parse->rtable);
+ 
+ 			/*
+ 			 * Wipe out any copied security barrier quals on the new target to
+ 			 * prevent infinite recursion.
+ 			 */
+ 			newrte->securityQuals = NIL;
+ 
+ 			/*
+ 			 * There's no need to do permissions checks twice, so wipe out the
+ 			 * permissions info for the original RTE (we prefer to keep the
+ 			 * bits set on the result RTE).
+ 			 */
+ 			rte->requiredPerms = 0;
+ 			rte->checkAsUser = InvalidOid;
+ 			rte->selectedCols = NULL;
+ 			rte->modifiedCols = NULL;
+ 
+ 			/*
+ 			 * For the most part, Vars referencing the original relation should
+ 			 * remain as they are, meaning that they pull OLD values from the
+ 			 * expanded RTE.  But in the RETURNING list and in any WITH CHECK
+ 			 * OPTION quals, we want such Vars to represent NEW values, so
+ 			 * change them to reference the new RTE.
+ 			 */
+ 			ChangeVarNodes((Node *) parse->returningList, rt_index,
+ 						   parse->resultRelation, 0);
+ 
+ 			ChangeVarNodes((Node *) parse->withCheckOptions, rt_index,
+ 						   parse->resultRelation, 0);
+ 		}
+ 
+ 		/*
+ 		 * Process each security barrier qual in turn, starting with the
+ 		 * innermost one (the first in the list) and working outwards.
+ 		 *
+ 		 * We remove each qual from the list before processing it, so that its
+ 		 * variables aren't modified by expand_security_qual.  Also we don't
+ 		 * necessarily want the attributes referred to by the qual to be
+ 		 * exposed by the newly built subquery.
+ 		 */
+ 		while (rte->securityQuals != NIL)
+ 		{
+ 			Node   *qual = (Node *) linitial(rte->securityQuals);
+ 			rte->securityQuals = list_delete_first(rte->securityQuals);
+ 
+ 			ChangeVarNodes(qual, rt_index, 1, 0);
+ 			expand_security_qual(parse, tlist, rt_index, qual);
+ 		}
+ 	}
+ }
+ 
+ 
+ /*
+  * expand_security_qual -
+  *	  expand the specified security barrier qual on a query RTE, turning the
+  *	  RTE into a security barrier subquery.
+  */
+ static void
+ expand_security_qual(Query *parse, List *tlist, int rt_index, Node *qual)
+ {
+ 	RangeTblEntry  *rte;
+ 	Oid				relid;
+ 	Query		   *subquery;
+ 	RangeTblEntry  *subrte;
+ 	RangeTblRef	   *subrtr;
+ 	security_barrier_replace_vars_context context;
+ 	ListCell	   *cell;
+ 
+ 	rte = rt_fetch(rt_index, parse->rtable);
+ 	relid = rte->relid;
+ 
+ 	/*
+ 	 * There should only be 2 possible cases:
+ 	 *
+ 	 * 1. A relation RTE, which we turn into a subquery RTE containing all
+ 	 * referenced columns.
+ 	 *
+ 	 * 2. A subquery RTE (either from a prior call to this function or from an
+ 	 * expanded view).  In this case we build a new subquery on top of it to
+ 	 * isolate this security barrier qual from any other quals.
+ 	 */
+ 	switch (rte->rtekind)
+ 	{
+ 		case RTE_RELATION:
+ 			/*
+ 			 * Turn the relation RTE into a security barrier subquery RTE,
+ 			 * moving all permissions checks down into the subquery.
+ 			 */
+ 			subquery = makeNode(Query);
+ 			subquery->commandType = CMD_SELECT;
+ 			subquery->querySource = QSRC_INSTEAD_RULE;
+ 
+ 			subrte = copyObject(rte);
+ 			subrte->inFromCl = true;
+ 			subrte->securityQuals = NIL;
+ 			subquery->rtable = list_make1(subrte);
+ 
+ 			subrtr = makeNode(RangeTblRef);
+ 			subrtr->rtindex = 1;
+ 			subquery->jointree = makeFromExpr(list_make1(subrtr), qual);
+ 			subquery->hasSubLinks = checkExprHasSubLink(qual);
+ 
+ 			rte->rtekind = RTE_SUBQUERY;
+ 			rte->relid = InvalidOid;
+ 			rte->subquery = subquery;
+ 			rte->security_barrier = true;
+ 			rte->inh = false;			/* must not be set for a subquery */
+ 
+ 			/* the permissions checks have now been moved down */
+ 			rte->requiredPerms = 0;
+ 			rte->checkAsUser = InvalidOid;
+ 			rte->selectedCols = NULL;
+ 			rte->modifiedCols = NULL;
+ 
+ 			/*
+ 			 * Replace any variables in the outer query that refer to the
+ 			 * original relation RTE with references to columns that we will
+ 			 * expose in the new subquery, building the subquery's targetlist
+ 			 * as we go.
+ 			 */
+ 			context.rt_index = rt_index;
+ 			context.sublevels_up = 0;
+ 			context.rel = heap_open(relid, NoLock);
+ 			context.targetlist = NIL;
+ 			context.colnames = NIL;
+ 			context.vars_processed = NIL;
+ 
+ 			security_barrier_replace_vars((Node *) parse, &context);
+ 			security_barrier_replace_vars((Node *) tlist, &context);
+ 
+ 			heap_close(context.rel, NoLock);
+ 
+ 			/* Now we know what columns the subquery needs to expose */
+ 			rte->subquery->targetList = context.targetlist;
+ 			rte->eref = makeAlias(rte->eref->aliasname, context.colnames);
+ 
+ 			break;
+ 
+ 		case RTE_SUBQUERY:
+ 			/*
+ 			 * Build a new subquery that includes all the same columns as the
+ 			 * original subquery.
+ 			 */
+ 			subquery = makeNode(Query);
+ 			subquery->commandType = CMD_SELECT;
+ 			subquery->querySource = QSRC_INSTEAD_RULE;
+ 			subquery->targetList = NIL;
+ 
+ 			foreach(cell, rte->subquery->targetList)
+ 			{
+ 				TargetEntry	   *tle;
+ 				Var			   *var;
+ 
+ 				tle = (TargetEntry *) lfirst(cell);
+ 				var = makeVarFromTargetEntry(1, tle);
+ 
+ 				tle = makeTargetEntry((Expr *) var,
+ 									  list_length(subquery->targetList) + 1,
+ 									  pstrdup(tle->resname),
+ 									  tle->resjunk);
+ 				subquery->targetList = lappend(subquery->targetList, tle);
+ 			}
+ 
+ 			subrte = makeNode(RangeTblEntry);
+ 			subrte->rtekind = RTE_SUBQUERY;
+ 			subrte->subquery = rte->subquery;
+ 			subrte->security_barrier = rte->security_barrier;
+ 			subrte->eref = copyObject(rte->eref);
+ 			subrte->inFromCl = true;
+ 			subquery->rtable = list_make1(subrte);
+ 
+ 			subrtr = makeNode(RangeTblRef);
+ 			subrtr->rtindex = 1;
+ 			subquery->jointree = makeFromExpr(list_make1(subrtr), qual);
+ 			subquery->hasSubLinks = checkExprHasSubLink(qual);
+ 
+ 			rte->subquery = subquery;
+ 			rte->security_barrier = true;
+ 
+ 			break;
+ 
+ 		default:
+ 			elog(ERROR, "invalid range table entry for security barrier qual");
+ 	}
+ }
+ 
+ 
+ /*
+  * security_barrier_replace_vars -
+  *	  Apply security barrier variable replacement to an expression tree.
+  *
+  * This also builds/updates a targetlist with entries for each replacement
+  * variable that needs to be exposed by the security barrier subquery RTE.
+  *
+  * NOTE: although this has the form of a walker, we cheat and modify the
+  * nodes in-place.	The given expression tree should have been copied
+  * earlier to ensure that no unwanted side-effects occur!
+  */
+ static void
+ security_barrier_replace_vars(Node *node,
+ 							  security_barrier_replace_vars_context *context)
+ {
+ 	/*
+ 	 * Must be prepared to start with a Query or a bare expression tree; if
+ 	 * it's a Query, go straight to query_tree_walker to make sure that
+ 	 * sublevels_up doesn't get incremented prematurely.
+ 	 */
+ 	if (node && IsA(node, Query))
+ 		query_tree_walker((Query *) node,
+ 						  security_barrier_replace_vars_walker,
+ 						  (void *) context, 0);
+ 	else
+ 		security_barrier_replace_vars_walker(node, context);
+ }
+ 
+ static bool
+ security_barrier_replace_vars_walker(Node *node,
+ 									 security_barrier_replace_vars_context *context)
+ {
+ 	if (node == NULL)
+ 		return false;
+ 	if (IsA(node, Var))
+ 	{
+ 		Var		   *var = (Var *) node;
+ 
+ 		/*
+ 		 * Note that the same Var may be present in different lists, so we
+ 		 * need to take care not to process it multiple times.
+ 		 */
+ 		if (var->varno == context->rt_index &&
+ 			var->varlevelsup == context->sublevels_up &&
+ 			!list_member_ptr(context->vars_processed, var))
+ 		{
+ 			/*
+ 			 * Found a matching variable. Make sure that it is in the subquery
+ 			 * targetlist and map its attno accordingly.
+ 			 */
+ 			AttrNumber	attno;
+ 			ListCell   *l;
+ 			TargetEntry *tle;
+ 			char	   *attname;
+ 			Var		   *newvar;
+ 
+ 			/* Search for the base attribute in the subquery targetlist */
+ 			attno = InvalidAttrNumber;
+ 			foreach(l, context->targetlist)
+ 			{
+ 				tle = (TargetEntry *) lfirst(l);
+ 				attno++;
+ 
+ 				Assert(IsA(tle->expr, Var));
+ 				if (((Var *) tle->expr)->varattno == var->varattno &&
+ 					((Var *) tle->expr)->varcollid == var->varcollid)
+ 				{
+ 					/* Map the variable onto this subquery targetlist entry */
+ 					var->varattno = attno;
+ 					return false;
+ 				}
+ 			}
+ 
+ 			/* Not in the subquery targetlist, so add it. Get its name. */
+ 			if (var->varattno < 0)
+ 			{
+ 				Form_pg_attribute att_tup;
+ 
+ 				att_tup = SystemAttributeDefinition(var->varattno,
+ 													context->rel->rd_rel->relhasoids);
+ 				attname = NameStr(att_tup->attname);
+ 			}
+ 			else if (var->varattno == InvalidAttrNumber)
+ 			{
+ 				attname = "wholerow";
+ 			}
+ 			else if (var->varattno <= context->rel->rd_att->natts)
+ 			{
+ 				Form_pg_attribute att_tup;
+ 
+ 				att_tup = context->rel->rd_att->attrs[var->varattno - 1];
+ 				attname = NameStr(att_tup->attname);
+ 			}
+ 			else
+ 			{
+ 				elog(ERROR, "invalid attribute number %d in security_barrier_replace_vars", var->varattno);
+ 			}
+ 
+ 			/* New variable for subquery targetlist */
+ 			newvar = copyObject(var);
+ 			newvar->varno = 1;
+ 
+ 			attno = list_length(context->targetlist) + 1;
+ 			tle = makeTargetEntry((Expr *) newvar,
+ 								  attno,
+ 								  pstrdup(attname),
+ 								  false);
+ 
+ 			context->targetlist = lappend(context->targetlist, tle);
+ 
+ 			context->colnames = lappend(context->colnames,
+ 										makeString(pstrdup(attname)));
+ 
+ 			/* Update the outer query's variable */
+ 			var->varattno = attno;
+ 
+ 			/* Remember this Var so that we don't process it again */
+ 			context->vars_processed = lappend(context->vars_processed, var);
+ 		}
+ 		return false;
+ 	}
+ 
+ 	if (IsA(node, Query))
+ 	{
+ 		/* Recurse into subselects */
+ 		bool		result;
+ 
+ 		context->sublevels_up++;
+ 		result = query_tree_walker((Query *) node,
+ 								   security_barrier_replace_vars_walker,
+ 								   (void *) context, 0);
+ 		context->sublevels_up--;
+ 		return result;
+ 	}
+ 	return expression_tree_walker(node, security_barrier_replace_vars_walker,
+ 								  (void *) context);
+ }
diff --git a/src/backend/optimizer/prep/prepunion.c b/src/backend/optimizer/prep/prepunion.c
new file mode 100644
index 52dcc72..c7e0199
*** a/src/backend/optimizer/prep/prepunion.c
--- b/src/backend/optimizer/prep/prepunion.c
*************** typedef struct
*** 55,60 ****
--- 55,61 ----
  {
  	PlannerInfo *root;
  	AppendRelInfo *appinfo;
+ 	int			sublevels_up;
  } adjust_appendrel_attrs_context;
  
  static Plan *recurse_set_operations(Node *setOp, PlannerInfo *root,
*************** translate_col_privs(const Bitmapset *par
*** 1580,1587 ****
   *	  child rel instead.  We also update rtindexes appearing outside Vars,
   *	  such as resultRelation and jointree relids.
   *
!  * Note: this is only applied after conversion of sublinks to subplans,
!  * so we don't need to cope with recursion into sub-queries.
   *
   * Note: this is not hugely different from what pullup_replace_vars() does;
   * maybe we should try to fold the two routines together.
--- 1581,1589 ----
   *	  child rel instead.  We also update rtindexes appearing outside Vars,
   *	  such as resultRelation and jointree relids.
   *
!  * Note: this is applied after conversion of sublinks to subplans in the
!  * query jointree, but there may still be sublinks in the security barrier
!  * quals of RTEs, so we do need to cope with recursion into sub-queries.
   *
   * Note: this is not hugely different from what pullup_replace_vars() does;
   * maybe we should try to fold the two routines together.
*************** adjust_appendrel_attrs(PlannerInfo *root
*** 1594,1602 ****
  
  	context.root = root;
  	context.appinfo = appinfo;
  
  	/*
! 	 * Must be prepared to start with a Query or a bare expression tree.
  	 */
  	if (node && IsA(node, Query))
  	{
--- 1596,1607 ----
  
  	context.root = root;
  	context.appinfo = appinfo;
+ 	context.sublevels_up = 0;
  
  	/*
! 	 * Must be prepared to start with a Query or a bare expression tree; if
! 	 * it's a Query, go straight to query_tree_walker to make sure that
! 	 * sublevels_up doesn't get incremented prematurely.
  	 */
  	if (node && IsA(node, Query))
  	{
*************** adjust_appendrel_attrs_mutator(Node *nod
*** 1635,1641 ****
  	{
  		Var		   *var = (Var *) copyObject(node);
  
! 		if (var->varlevelsup == 0 &&
  			var->varno == appinfo->parent_relid)
  		{
  			var->varno = appinfo->child_relid;
--- 1640,1646 ----
  	{
  		Var		   *var = (Var *) copyObject(node);
  
! 		if (var->varlevelsup == context->sublevels_up &&
  			var->varno == appinfo->parent_relid)
  		{
  			var->varno = appinfo->child_relid;
*************** adjust_appendrel_attrs_mutator(Node *nod
*** 1652,1657 ****
--- 1657,1663 ----
  				if (newnode == NULL)
  					elog(ERROR, "attribute %d of relation \"%s\" does not exist",
  						 var->varattno, get_rel_name(appinfo->parent_reloid));
+ 				((Var *) newnode)->varlevelsup += context->sublevels_up;
  				return newnode;
  			}
  			else if (var->varattno == 0)
*************** adjust_appendrel_attrs_mutator(Node *nod
*** 1694,1703 ****
--- 1700,1715 ----
  					RowExpr    *rowexpr;
  					List	   *fields;
  					RangeTblEntry *rte;
+ 					ListCell   *lc;
  
  					rte = rt_fetch(appinfo->parent_relid,
  								   context->root->parse->rtable);
  					fields = (List *) copyObject(appinfo->translated_vars);
+ 					foreach(lc, fields)
+ 					{
+ 						Var		   *field = (Var *) lfirst(lc);
+ 						field->varlevelsup += context->sublevels_up;
+ 					}
  					rowexpr = makeNode(RowExpr);
  					rowexpr->args = fields;
  					rowexpr->row_typeid = var->vartype;
*************** adjust_appendrel_attrs_mutator(Node *nod
*** 1716,1722 ****
  	{
  		CurrentOfExpr *cexpr = (CurrentOfExpr *) copyObject(node);
  
! 		if (cexpr->cvarno == appinfo->parent_relid)
  			cexpr->cvarno = appinfo->child_relid;
  		return (Node *) cexpr;
  	}
--- 1728,1735 ----
  	{
  		CurrentOfExpr *cexpr = (CurrentOfExpr *) copyObject(node);
  
! 		if (context->sublevels_up == 0 &&
! 			cexpr->cvarno == appinfo->parent_relid)
  			cexpr->cvarno = appinfo->child_relid;
  		return (Node *) cexpr;
  	}
*************** adjust_appendrel_attrs_mutator(Node *nod
*** 1724,1730 ****
  	{
  		RangeTblRef *rtr = (RangeTblRef *) copyObject(node);
  
! 		if (rtr->rtindex == appinfo->parent_relid)
  			rtr->rtindex = appinfo->child_relid;
  		return (Node *) rtr;
  	}
--- 1737,1744 ----
  	{
  		RangeTblRef *rtr = (RangeTblRef *) copyObject(node);
  
! 		if (context->sublevels_up == 0 &&
! 			rtr->rtindex == appinfo->parent_relid)
  			rtr->rtindex = appinfo->child_relid;
  		return (Node *) rtr;
  	}
*************** adjust_appendrel_attrs_mutator(Node *nod
*** 1737,1743 ****
  											  adjust_appendrel_attrs_mutator,
  												 (void *) context);
  		/* now fix JoinExpr's rtindex (probably never happens) */
! 		if (j->rtindex == appinfo->parent_relid)
  			j->rtindex = appinfo->child_relid;
  		return (Node *) j;
  	}
--- 1751,1758 ----
  											  adjust_appendrel_attrs_mutator,
  												 (void *) context);
  		/* now fix JoinExpr's rtindex (probably never happens) */
! 		if (context->sublevels_up == 0 &&
! 			j->rtindex == appinfo->parent_relid)
  			j->rtindex = appinfo->child_relid;
  		return (Node *) j;
  	}
*************** adjust_appendrel_attrs_mutator(Node *nod
*** 1750,1756 ****
  											  adjust_appendrel_attrs_mutator,
  														 (void *) context);
  		/* now fix PlaceHolderVar's relid sets */
! 		if (phv->phlevelsup == 0)
  			phv->phrels = adjust_relid_set(phv->phrels,
  										   appinfo->parent_relid,
  										   appinfo->child_relid);
--- 1765,1771 ----
  											  adjust_appendrel_attrs_mutator,
  														 (void *) context);
  		/* now fix PlaceHolderVar's relid sets */
! 		if (phv->phlevelsup == context->sublevels_up)
  			phv->phrels = adjust_relid_set(phv->phrels,
  										   appinfo->parent_relid,
  										   appinfo->child_relid);
*************** adjust_appendrel_attrs_mutator(Node *nod
*** 1822,1833 ****
  		return (Node *) newinfo;
  	}
  
! 	/*
! 	 * NOTE: we do not need to recurse into sublinks, because they should
! 	 * already have been converted to subplans before we see them.
! 	 */
! 	Assert(!IsA(node, SubLink));
! 	Assert(!IsA(node, Query));
  
  	return expression_tree_mutator(node, adjust_appendrel_attrs_mutator,
  								   (void *) context);
--- 1837,1862 ----
  		return (Node *) newinfo;
  	}
  
! 	if (IsA(node, Query))
! 	{
! 		/*
! 		 * Recurse into sublink subqueries. This should only be possible in
! 		 * security barrier quals of top-level RTEs. All other sublinks should
! 		 * have already been converted to subplans during expression
! 		 * preprocessing, but this doesn't happen for security barrier quals,
! 		 * since they are destined to become quals of a subquery RTE, which
! 		 * will be recursively planned, and so should not be preprocessed at
! 		 * this stage.
! 		 */
! 		Query	   *newnode;
! 
! 		context->sublevels_up++;
! 		newnode = query_tree_mutator((Query *) node,
! 									 adjust_appendrel_attrs_mutator,
! 									 (void *) context, 0);
! 		context->sublevels_up--;
! 		return (Node *) newnode;
! 	}
  
  	return expression_tree_mutator(node, adjust_appendrel_attrs_mutator,
  								   (void *) context);
diff --git a/src/backend/rewrite/rewriteHandler.c b/src/backend/rewrite/rewriteHandler.c
new file mode 100644
index 0b13645..370b5aa
*** a/src/backend/rewrite/rewriteHandler.c
--- b/src/backend/rewrite/rewriteHandler.c
*************** view_col_is_auto_updatable(RangeTblRef *
*** 1973,1980 ****
   * updatable.
   */
  const char *
! view_query_is_auto_updatable(Query *viewquery, bool security_barrier,
! 							 bool check_cols)
  {
  	RangeTblRef *rtr;
  	RangeTblEntry *base_rte;
--- 1973,1979 ----
   * updatable.
   */
  const char *
! view_query_is_auto_updatable(Query *viewquery, bool check_cols)
  {
  	RangeTblRef *rtr;
  	RangeTblEntry *base_rte;
*************** view_query_is_auto_updatable(Query *view
*** 2048,2061 ****
  		return gettext_noop("Views that return set-returning functions are not automatically updatable.");
  
  	/*
- 	 * For now, we also don't support security-barrier views, because of the
- 	 * difficulty of keeping upper-level qual expressions away from
- 	 * lower-level data.  This might get relaxed in the future.
- 	 */
- 	if (security_barrier)
- 		return gettext_noop("Security-barrier views are not automatically updatable.");
- 
- 	/*
  	 * The view query should select from a single base relation, which must be
  	 * a table or another view.
  	 */
--- 2047,2052 ----
*************** relation_is_updatable(Oid reloid,
*** 2303,2311 ****
  	{
  		Query	   *viewquery = get_view_query(rel);
  
! 		if (view_query_is_auto_updatable(viewquery,
! 										 RelationIsSecurityView(rel),
! 										 false) == NULL)
  		{
  			Bitmapset  *updatable_cols;
  			int			auto_events;
--- 2294,2300 ----
  	{
  		Query	   *viewquery = get_view_query(rel);
  
! 		if (view_query_is_auto_updatable(viewquery, false) == NULL)
  		{
  			Bitmapset  *updatable_cols;
  			int			auto_events;
*************** rewriteTargetView(Query *parsetree, Rela
*** 2460,2466 ****
  
  	auto_update_detail =
  		view_query_is_auto_updatable(viewquery,
- 									 RelationIsSecurityView(view),
  									 parsetree->commandType != CMD_DELETE);
  
  	if (auto_update_detail)
--- 2449,2454 ----
*************** rewriteTargetView(Query *parsetree, Rela
*** 2664,2669 ****
--- 2652,2665 ----
  												   view_targetlist);
  
  	/*
+ 	 * Move any security barrier quals from the view RTE onto the new target
+ 	 * RTE.  Any such quals should now apply to the new target RTE and will not
+ 	 * reference the original view RTE in the rewritten query.
+ 	 */
+ 	new_rte->securityQuals = view_rte->securityQuals;
+ 	view_rte->securityQuals = NIL;
+ 
+ 	/*
  	 * For UPDATE/DELETE, rewriteTargetListUD will have added a wholerow junk
  	 * TLE for the view to the end of the targetlist, which we no longer need.
  	 * Remove it to avoid unnecessary work when we process the targetlist.
*************** rewriteTargetView(Query *parsetree, Rela
*** 2743,2748 ****
--- 2739,2748 ----
  	 * only adjust their varnos to reference the new target (just the same as
  	 * we did with the view targetlist).
  	 *
+ 	 * Note that there is special-case handling for the quals of a security
+ 	 * barrier view, since they need to be kept separate from any user-supplied
+ 	 * quals, so these quals are kept on the new target RTE.
+ 	 *
  	 * For INSERT, the view's quals can be ignored in the main query.
  	 */
  	if (parsetree->commandType != CMD_INSERT &&
*************** rewriteTargetView(Query *parsetree, Rela
*** 2751,2757 ****
  		Node	   *viewqual = (Node *) copyObject(viewquery->jointree->quals);
  
  		ChangeVarNodes(viewqual, base_rt_index, new_rt_index, 0);
! 		AddQual(parsetree, (Node *) viewqual);
  	}
  
  	/*
--- 2751,2775 ----
  		Node	   *viewqual = (Node *) copyObject(viewquery->jointree->quals);
  
  		ChangeVarNodes(viewqual, base_rt_index, new_rt_index, 0);
! 
! 		if (RelationIsSecurityView(view))
! 		{
! 			/*
! 			 * Note: the parsetree has been mutated, so the new_rte pointer is
! 			 * stale and needs to be re-computed.
! 			 */
! 			new_rte = rt_fetch(new_rt_index, parsetree->rtable);
! 			new_rte->securityQuals = lcons(viewqual, new_rte->securityQuals);
! 
! 			/*
! 			 * Make sure that the query is marked correctly if the added qual
! 			 * has sublinks.
! 			 */
! 			if (!parsetree->hasSubLinks)
! 				parsetree->hasSubLinks = checkExprHasSubLink(viewqual);
! 		}
! 		else
! 			AddQual(parsetree, (Node *) viewqual);
  	}
  
  	/*
*************** rewriteTargetView(Query *parsetree, Rela
*** 2813,2821 ****
  				 * Make sure that the query is marked correctly if the added
  				 * qual has sublinks.  We can skip this check if the query is
  				 * already marked, or if the command is an UPDATE, in which
! 				 * case the same qual will have already been added to the
! 				 * query's WHERE clause, and AddQual will have already done
! 				 * this check.
  				 */
  				if (!parsetree->hasSubLinks &&
  					parsetree->commandType != CMD_UPDATE)
--- 2831,2838 ----
  				 * Make sure that the query is marked correctly if the added
  				 * qual has sublinks.  We can skip this check if the query is
  				 * already marked, or if the command is an UPDATE, in which
! 				 * case the same qual will have already been added, and this
! 				 * check will already have been done.
  				 */
  				if (!parsetree->hasSubLinks &&
  					parsetree->commandType != CMD_UPDATE)
diff --git a/src/include/nodes/parsenodes.h b/src/include/nodes/parsenodes.h
new file mode 100644
index 9a3a5d7..9cdef61
*** a/src/include/nodes/parsenodes.h
--- b/src/include/nodes/parsenodes.h
*************** typedef struct RangeTblEntry
*** 801,806 ****
--- 801,807 ----
  	Oid			checkAsUser;	/* if valid, check access as this role */
  	Bitmapset  *selectedCols;	/* columns needing SELECT permission */
  	Bitmapset  *modifiedCols;	/* columns needing INSERT/UPDATE permission */
+ 	List	   *securityQuals;	/* any security barrier quals to apply */
  } RangeTblEntry;
  
  /*
diff --git a/src/include/optimizer/prep.h b/src/include/optimizer/prep.h
new file mode 100644
index 0f5a7d3..f5fc7e8
*** a/src/include/optimizer/prep.h
--- b/src/include/optimizer/prep.h
*************** extern Node *negate_clause(Node *node);
*** 36,41 ****
--- 36,46 ----
  extern Expr *canonicalize_qual(Expr *qual);
  
  /*
+  * prototypes for prepsecurity.c
+  */
+ extern void expand_security_quals(PlannerInfo *root, List *tlist);
+ 
+ /*
   * prototypes for preptlist.c
   */
  extern List *preprocess_targetlist(PlannerInfo *root, List *tlist);
diff --git a/src/include/rewrite/rewriteHandler.h b/src/include/rewrite/rewriteHandler.h
new file mode 100644
index e4027bd..8da0af5
*** a/src/include/rewrite/rewriteHandler.h
--- b/src/include/rewrite/rewriteHandler.h
*************** extern void AcquireRewriteLocks(Query *p
*** 23,29 ****
  extern Node *build_column_default(Relation rel, int attrno);
  extern Query *get_view_query(Relation view);
  extern const char *view_query_is_auto_updatable(Query *viewquery,
- 										 bool security_barrier,
  										 bool check_cols);
  extern int	relation_is_updatable(Oid reloid,
  						  bool include_triggers,
--- 23,28 ----
diff --git a/src/test/regress/expected/create_view.out b/src/test/regress/expected/create_view.out
new file mode 100644
index 91d1639..f6db582
*** a/src/test/regress/expected/create_view.out
--- b/src/test/regress/expected/create_view.out
*************** CREATE VIEW mysecview4 WITH (security_ba
*** 252,258 ****
         AS SELECT * FROM tbl1 WHERE a <> 0;
  CREATE VIEW mysecview5 WITH (security_barrier=100)	-- Error
         AS SELECT * FROM tbl1 WHERE a > 100;
! ERROR:  security_barrier requires a Boolean value
  CREATE VIEW mysecview6 WITH (invalid_option)		-- Error
         AS SELECT * FROM tbl1 WHERE a < 100;
  ERROR:  unrecognized parameter "invalid_option"
--- 252,258 ----
         AS SELECT * FROM tbl1 WHERE a <> 0;
  CREATE VIEW mysecview5 WITH (security_barrier=100)	-- Error
         AS SELECT * FROM tbl1 WHERE a > 100;
! ERROR:  invalid value for boolean option "security_barrier": 100
  CREATE VIEW mysecview6 WITH (invalid_option)		-- Error
         AS SELECT * FROM tbl1 WHERE a < 100;
  ERROR:  unrecognized parameter "invalid_option"
diff --git a/src/test/regress/expected/updatable_views.out b/src/test/regress/expected/updatable_views.out
new file mode 100644
index 99c9165..d12d384
*** a/src/test/regress/expected/updatable_views.out
--- b/src/test/regress/expected/updatable_views.out
*************** CREATE VIEW rw_view14 AS SELECT ctid, a,
*** 22,33 ****
  CREATE VIEW rw_view15 AS SELECT a, upper(b) FROM base_tbl; -- Expression/function may be part of an updatable view
  CREATE VIEW rw_view16 AS SELECT a, b, a AS aa FROM base_tbl; -- Repeated column may be part of an updatable view
  CREATE VIEW ro_view17 AS SELECT * FROM ro_view1; -- Base relation not updatable
! CREATE VIEW ro_view18 WITH (security_barrier = true)
!   AS SELECT * FROM base_tbl; -- Security barrier views not updatable
! CREATE VIEW ro_view19 AS SELECT * FROM (VALUES(1)) AS tmp(a); -- VALUES in rangetable
  CREATE SEQUENCE seq;
! CREATE VIEW ro_view20 AS SELECT * FROM seq; -- View based on a sequence
! CREATE VIEW ro_view21 AS SELECT a, b, generate_series(1, a) g FROM base_tbl; -- SRF in targetlist not supported
  SELECT table_name, is_insertable_into
    FROM information_schema.tables
   WHERE table_name LIKE E'r_\\_view%'
--- 22,31 ----
  CREATE VIEW rw_view15 AS SELECT a, upper(b) FROM base_tbl; -- Expression/function may be part of an updatable view
  CREATE VIEW rw_view16 AS SELECT a, b, a AS aa FROM base_tbl; -- Repeated column may be part of an updatable view
  CREATE VIEW ro_view17 AS SELECT * FROM ro_view1; -- Base relation not updatable
! CREATE VIEW ro_view18 AS SELECT * FROM (VALUES(1)) AS tmp(a); -- VALUES in rangetable
  CREATE SEQUENCE seq;
! CREATE VIEW ro_view19 AS SELECT * FROM seq; -- View based on a sequence
! CREATE VIEW ro_view20 AS SELECT a, b, generate_series(1, a) g FROM base_tbl; -- SRF in targetlist not supported
  SELECT table_name, is_insertable_into
    FROM information_schema.tables
   WHERE table_name LIKE E'r_\\_view%'
*************** SELECT table_name, is_insertable_into
*** 44,50 ****
   ro_view19  | NO
   ro_view2   | NO
   ro_view20  | NO
-  ro_view21  | NO
   ro_view3   | NO
   ro_view4   | NO
   ro_view5   | NO
--- 42,47 ----
*************** SELECT table_name, is_insertable_into
*** 55,61 ****
   rw_view14  | YES
   rw_view15  | YES
   rw_view16  | YES
! (21 rows)
  
  SELECT table_name, is_updatable, is_insertable_into
    FROM information_schema.views
--- 52,58 ----
   rw_view14  | YES
   rw_view15  | YES
   rw_view16  | YES
! (20 rows)
  
  SELECT table_name, is_updatable, is_insertable_into
    FROM information_schema.views
*************** SELECT table_name, is_updatable, is_inse
*** 73,79 ****
   ro_view19  | NO           | NO
   ro_view2   | NO           | NO
   ro_view20  | NO           | NO
-  ro_view21  | NO           | NO
   ro_view3   | NO           | NO
   ro_view4   | NO           | NO
   ro_view5   | NO           | NO
--- 70,75 ----
*************** SELECT table_name, is_updatable, is_inse
*** 84,90 ****
   rw_view14  | YES          | YES
   rw_view15  | YES          | YES
   rw_view16  | YES          | YES
! (21 rows)
  
  SELECT table_name, column_name, is_updatable
    FROM information_schema.columns
--- 80,86 ----
   rw_view14  | YES          | YES
   rw_view15  | YES          | YES
   rw_view16  | YES          | YES
! (20 rows)
  
  SELECT table_name, column_name, is_updatable
    FROM information_schema.columns
*************** SELECT table_name, column_name, is_updat
*** 103,125 ****
   ro_view17  | a             | NO
   ro_view17  | b             | NO
   ro_view18  | a             | NO
!  ro_view18  | b             | NO
!  ro_view19  | a             | NO
   ro_view2   | a             | NO
   ro_view2   | b             | NO
!  ro_view20  | sequence_name | NO
!  ro_view20  | last_value    | NO
!  ro_view20  | start_value   | NO
!  ro_view20  | increment_by  | NO
!  ro_view20  | max_value     | NO
!  ro_view20  | min_value     | NO
!  ro_view20  | cache_value   | NO
!  ro_view20  | log_cnt       | NO
!  ro_view20  | is_cycled     | NO
!  ro_view20  | is_called     | NO
!  ro_view21  | a             | NO
!  ro_view21  | b             | NO
!  ro_view21  | g             | NO
   ro_view3   | ?column?      | NO
   ro_view4   | count         | NO
   ro_view5   | a             | NO
--- 99,119 ----
   ro_view17  | a             | NO
   ro_view17  | b             | NO
   ro_view18  | a             | NO
!  ro_view19  | sequence_name | NO
!  ro_view19  | last_value    | NO
!  ro_view19  | start_value   | NO
!  ro_view19  | increment_by  | NO
!  ro_view19  | max_value     | NO
!  ro_view19  | min_value     | NO
!  ro_view19  | cache_value   | NO
!  ro_view19  | log_cnt       | NO
!  ro_view19  | is_cycled     | NO
!  ro_view19  | is_called     | NO
   ro_view2   | a             | NO
   ro_view2   | b             | NO
!  ro_view20  | a             | NO
!  ro_view20  | b             | NO
!  ro_view20  | g             | NO
   ro_view3   | ?column?      | NO
   ro_view4   | count         | NO
   ro_view5   | a             | NO
*************** SELECT table_name, column_name, is_updat
*** 140,146 ****
   rw_view16  | a             | YES
   rw_view16  | b             | YES
   rw_view16  | aa            | YES
! (48 rows)
  
  -- Read-only views
  DELETE FROM ro_view1;
--- 134,140 ----
   rw_view16  | a             | YES
   rw_view16  | b             | YES
   rw_view16  | aa            | YES
! (46 rows)
  
  -- Read-only views
  DELETE FROM ro_view1;
*************** INSERT INTO ro_view17 VALUES (3, 'ROW 3'
*** 268,291 ****
  ERROR:  cannot insert into view "ro_view1"
  DETAIL:  Views containing DISTINCT are not automatically updatable.
  HINT:  To enable inserting into the view, provide an INSTEAD OF INSERT trigger or an unconditional ON INSERT DO INSTEAD rule.
! INSERT INTO ro_view18 VALUES (3, 'ROW 3');
! ERROR:  cannot insert into view "ro_view18"
! DETAIL:  Security-barrier views are not automatically updatable.
! HINT:  To enable inserting into the view, provide an INSTEAD OF INSERT trigger or an unconditional ON INSERT DO INSTEAD rule.
! DELETE FROM ro_view19;
! ERROR:  cannot delete from view "ro_view19"
  DETAIL:  Views that do not select from a single table or view are not automatically updatable.
  HINT:  To enable deleting from the view, provide an INSTEAD OF DELETE trigger or an unconditional ON DELETE DO INSTEAD rule.
! UPDATE ro_view20 SET max_value=1000;
! ERROR:  cannot update view "ro_view20"
  DETAIL:  Views that do not select from a single table or view are not automatically updatable.
  HINT:  To enable updating the view, provide an INSTEAD OF UPDATE trigger or an unconditional ON UPDATE DO INSTEAD rule.
! UPDATE ro_view21 SET b=upper(b);
! ERROR:  cannot update view "ro_view21"
  DETAIL:  Views that return set-returning functions are not automatically updatable.
  HINT:  To enable updating the view, provide an INSTEAD OF UPDATE trigger or an unconditional ON UPDATE DO INSTEAD rule.
  DROP TABLE base_tbl CASCADE;
! NOTICE:  drop cascades to 17 other objects
  DETAIL:  drop cascades to view ro_view1
  drop cascades to view ro_view17
  drop cascades to view ro_view2
--- 262,281 ----
  ERROR:  cannot insert into view "ro_view1"
  DETAIL:  Views containing DISTINCT are not automatically updatable.
  HINT:  To enable inserting into the view, provide an INSTEAD OF INSERT trigger or an unconditional ON INSERT DO INSTEAD rule.
! DELETE FROM ro_view18;
! ERROR:  cannot delete from view "ro_view18"
  DETAIL:  Views that do not select from a single table or view are not automatically updatable.
  HINT:  To enable deleting from the view, provide an INSTEAD OF DELETE trigger or an unconditional ON DELETE DO INSTEAD rule.
! UPDATE ro_view19 SET max_value=1000;
! ERROR:  cannot update view "ro_view19"
  DETAIL:  Views that do not select from a single table or view are not automatically updatable.
  HINT:  To enable updating the view, provide an INSTEAD OF UPDATE trigger or an unconditional ON UPDATE DO INSTEAD rule.
! UPDATE ro_view20 SET b=upper(b);
! ERROR:  cannot update view "ro_view20"
  DETAIL:  Views that return set-returning functions are not automatically updatable.
  HINT:  To enable updating the view, provide an INSTEAD OF UPDATE trigger or an unconditional ON UPDATE DO INSTEAD rule.
  DROP TABLE base_tbl CASCADE;
! NOTICE:  drop cascades to 16 other objects
  DETAIL:  drop cascades to view ro_view1
  drop cascades to view ro_view17
  drop cascades to view ro_view2
*************** drop cascades to view ro_view11
*** 299,311 ****
  drop cascades to view ro_view13
  drop cascades to view rw_view15
  drop cascades to view rw_view16
! drop cascades to view ro_view18
! drop cascades to view ro_view21
  drop cascades to view ro_view4
  drop cascades to view rw_view14
! DROP VIEW ro_view10, ro_view12, ro_view19;
  DROP SEQUENCE seq CASCADE;
! NOTICE:  drop cascades to view ro_view20
  -- simple updatable view
  CREATE TABLE base_tbl (a int PRIMARY KEY, b text DEFAULT 'Unspecified');
  INSERT INTO base_tbl SELECT i, 'Row ' || i FROM generate_series(-2, 2) g(i);
--- 289,300 ----
  drop cascades to view ro_view13
  drop cascades to view rw_view15
  drop cascades to view rw_view16
! drop cascades to view ro_view20
  drop cascades to view ro_view4
  drop cascades to view rw_view14
! DROP VIEW ro_view10, ro_view12, ro_view18;
  DROP SEQUENCE seq CASCADE;
! NOTICE:  drop cascades to view ro_view19
  -- simple updatable view
  CREATE TABLE base_tbl (a int PRIMARY KEY, b text DEFAULT 'Unspecified');
  INSERT INTO base_tbl SELECT i, 'Row ' || i FROM generate_series(-2, 2) g(i);
*************** INSERT INTO rw_view2 VALUES (2,3); -- ok
*** 1739,1742 ****
--- 1728,1923 ----
  DROP TABLE base_tbl CASCADE;
  NOTICE:  drop cascades to 2 other objects
  DETAIL:  drop cascades to view rw_view1
+ drop cascades to view rw_view2
+ -- security barrier view
+ CREATE TABLE base_tbl (person text, visibility text);
+ INSERT INTO base_tbl VALUES ('Tom', 'public'),
+                             ('Dick', 'private'),
+                             ('Harry', 'public');
+ CREATE VIEW rw_view1 AS
+   SELECT person FROM base_tbl WHERE visibility = 'public';
+ CREATE FUNCTION snoop(val text)
+ RETURNS boolean AS
+ $$
+ BEGIN
+   RAISE NOTICE 'snooped value: %', val;
+   RETURN true;
+ END;
+ $$
+ LANGUAGE plpgsql COST 0.000001;
+ SELECT * FROM rw_view1 WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Dick
+ NOTICE:  snooped value: Harry
+  person 
+ --------
+  Tom
+  Harry
+ (2 rows)
+ 
+ UPDATE rw_view1 SET person=person WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Dick
+ NOTICE:  snooped value: Harry
+ DELETE FROM rw_view1 WHERE NOT snoop(person);
+ NOTICE:  snooped value: Dick
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ ALTER VIEW rw_view1 SET (security_barrier = true);
+ SELECT table_name, is_insertable_into
+   FROM information_schema.tables
+  WHERE table_name = 'rw_view1';
+  table_name | is_insertable_into 
+ ------------+--------------------
+  rw_view1   | YES
+ (1 row)
+ 
+ SELECT table_name, is_updatable, is_insertable_into
+   FROM information_schema.views
+  WHERE table_name = 'rw_view1';
+  table_name | is_updatable | is_insertable_into 
+ ------------+--------------+--------------------
+  rw_view1   | YES          | YES
+ (1 row)
+ 
+ SELECT table_name, column_name, is_updatable
+   FROM information_schema.columns
+  WHERE table_name = 'rw_view1'
+  ORDER BY ordinal_position;
+  table_name | column_name | is_updatable 
+ ------------+-------------+--------------
+  rw_view1   | person      | YES
+ (1 row)
+ 
+ SELECT * FROM rw_view1 WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+  person 
+ --------
+  Tom
+  Harry
+ (2 rows)
+ 
+ UPDATE rw_view1 SET person=person WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ DELETE FROM rw_view1 WHERE NOT snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ EXPLAIN (costs off) SELECT * FROM rw_view1 WHERE snoop(person);
+                   QUERY PLAN                   
+ -----------------------------------------------
+  Subquery Scan on rw_view1
+    Filter: snoop(rw_view1.person)
+    ->  Seq Scan on base_tbl
+          Filter: (visibility = 'public'::text)
+ (4 rows)
+ 
+ EXPLAIN (costs off) UPDATE rw_view1 SET person=person WHERE snoop(person);
+                      QUERY PLAN                      
+ -----------------------------------------------------
+  Update on base_tbl base_tbl_1
+    ->  Subquery Scan on base_tbl
+          Filter: snoop(base_tbl.person)
+          ->  Seq Scan on base_tbl base_tbl_2
+                Filter: (visibility = 'public'::text)
+ (5 rows)
+ 
+ EXPLAIN (costs off) DELETE FROM rw_view1 WHERE NOT snoop(person);
+                      QUERY PLAN                      
+ -----------------------------------------------------
+  Delete on base_tbl base_tbl_1
+    ->  Subquery Scan on base_tbl
+          Filter: (NOT snoop(base_tbl.person))
+          ->  Seq Scan on base_tbl base_tbl_2
+                Filter: (visibility = 'public'::text)
+ (5 rows)
+ 
+ -- security barrier view on top of security barrier view
+ CREATE VIEW rw_view2 WITH (security_barrier = true) AS
+   SELECT * FROM rw_view1 WHERE snoop(person);
+ SELECT table_name, is_insertable_into
+   FROM information_schema.tables
+  WHERE table_name = 'rw_view2';
+  table_name | is_insertable_into 
+ ------------+--------------------
+  rw_view2   | YES
+ (1 row)
+ 
+ SELECT table_name, is_updatable, is_insertable_into
+   FROM information_schema.views
+  WHERE table_name = 'rw_view2';
+  table_name | is_updatable | is_insertable_into 
+ ------------+--------------+--------------------
+  rw_view2   | YES          | YES
+ (1 row)
+ 
+ SELECT table_name, column_name, is_updatable
+   FROM information_schema.columns
+  WHERE table_name = 'rw_view2'
+  ORDER BY ordinal_position;
+  table_name | column_name | is_updatable 
+ ------------+-------------+--------------
+  rw_view2   | person      | YES
+ (1 row)
+ 
+ SELECT * FROM rw_view2 WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ NOTICE:  snooped value: Harry
+  person 
+ --------
+  Tom
+  Harry
+ (2 rows)
+ 
+ UPDATE rw_view2 SET person=person WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ NOTICE:  snooped value: Harry
+ DELETE FROM rw_view2 WHERE NOT snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ NOTICE:  snooped value: Harry
+ EXPLAIN (costs off) SELECT * FROM rw_view2 WHERE snoop(person);
+                      QUERY PLAN                      
+ -----------------------------------------------------
+  Subquery Scan on rw_view2
+    Filter: snoop(rw_view2.person)
+    ->  Subquery Scan on rw_view1
+          Filter: snoop(rw_view1.person)
+          ->  Seq Scan on base_tbl
+                Filter: (visibility = 'public'::text)
+ (6 rows)
+ 
+ EXPLAIN (costs off) UPDATE rw_view2 SET person=person WHERE snoop(person);
+                         QUERY PLAN                         
+ -----------------------------------------------------------
+  Update on base_tbl base_tbl_1
+    ->  Subquery Scan on base_tbl
+          Filter: snoop(base_tbl.person)
+          ->  Subquery Scan on base_tbl_2
+                Filter: snoop(base_tbl_2.person)
+                ->  Seq Scan on base_tbl base_tbl_3
+                      Filter: (visibility = 'public'::text)
+ (7 rows)
+ 
+ EXPLAIN (costs off) DELETE FROM rw_view2 WHERE NOT snoop(person);
+                         QUERY PLAN                         
+ -----------------------------------------------------------
+  Delete on base_tbl base_tbl_1
+    ->  Subquery Scan on base_tbl
+          Filter: (NOT snoop(base_tbl.person))
+          ->  Subquery Scan on base_tbl_2
+                Filter: snoop(base_tbl_2.person)
+                ->  Seq Scan on base_tbl base_tbl_3
+                      Filter: (visibility = 'public'::text)
+ (7 rows)
+ 
+ DROP TABLE base_tbl CASCADE;
+ NOTICE:  drop cascades to 2 other objects
+ DETAIL:  drop cascades to view rw_view1
  drop cascades to view rw_view2
diff --git a/src/test/regress/sql/updatable_views.sql b/src/test/regress/sql/updatable_views.sql
new file mode 100644
index a77cf19..6b352c1
*** a/src/test/regress/sql/updatable_views.sql
--- b/src/test/regress/sql/updatable_views.sql
*************** CREATE VIEW rw_view14 AS SELECT ctid, a,
*** 25,36 ****
  CREATE VIEW rw_view15 AS SELECT a, upper(b) FROM base_tbl; -- Expression/function may be part of an updatable view
  CREATE VIEW rw_view16 AS SELECT a, b, a AS aa FROM base_tbl; -- Repeated column may be part of an updatable view
  CREATE VIEW ro_view17 AS SELECT * FROM ro_view1; -- Base relation not updatable
! CREATE VIEW ro_view18 WITH (security_barrier = true)
!   AS SELECT * FROM base_tbl; -- Security barrier views not updatable
! CREATE VIEW ro_view19 AS SELECT * FROM (VALUES(1)) AS tmp(a); -- VALUES in rangetable
  CREATE SEQUENCE seq;
! CREATE VIEW ro_view20 AS SELECT * FROM seq; -- View based on a sequence
! CREATE VIEW ro_view21 AS SELECT a, b, generate_series(1, a) g FROM base_tbl; -- SRF in targetlist not supported
  
  SELECT table_name, is_insertable_into
    FROM information_schema.tables
--- 25,34 ----
  CREATE VIEW rw_view15 AS SELECT a, upper(b) FROM base_tbl; -- Expression/function may be part of an updatable view
  CREATE VIEW rw_view16 AS SELECT a, b, a AS aa FROM base_tbl; -- Repeated column may be part of an updatable view
  CREATE VIEW ro_view17 AS SELECT * FROM ro_view1; -- Base relation not updatable
! CREATE VIEW ro_view18 AS SELECT * FROM (VALUES(1)) AS tmp(a); -- VALUES in rangetable
  CREATE SEQUENCE seq;
! CREATE VIEW ro_view19 AS SELECT * FROM seq; -- View based on a sequence
! CREATE VIEW ro_view20 AS SELECT a, b, generate_series(1, a) g FROM base_tbl; -- SRF in targetlist not supported
  
  SELECT table_name, is_insertable_into
    FROM information_schema.tables
*************** SELECT * FROM base_tbl;
*** 87,99 ****
  DELETE FROM rw_view16 WHERE a=-3; -- should be OK
  -- Read-only views
  INSERT INTO ro_view17 VALUES (3, 'ROW 3');
! INSERT INTO ro_view18 VALUES (3, 'ROW 3');
! DELETE FROM ro_view19;
! UPDATE ro_view20 SET max_value=1000;
! UPDATE ro_view21 SET b=upper(b);
  
  DROP TABLE base_tbl CASCADE;
! DROP VIEW ro_view10, ro_view12, ro_view19;
  DROP SEQUENCE seq CASCADE;
  
  -- simple updatable view
--- 85,96 ----
  DELETE FROM rw_view16 WHERE a=-3; -- should be OK
  -- Read-only views
  INSERT INTO ro_view17 VALUES (3, 'ROW 3');
! DELETE FROM ro_view18;
! UPDATE ro_view19 SET max_value=1000;
! UPDATE ro_view20 SET b=upper(b);
  
  DROP TABLE base_tbl CASCADE;
! DROP VIEW ro_view10, ro_view12, ro_view18;
  DROP SEQUENCE seq CASCADE;
  
  -- simple updatable view
*************** CREATE VIEW rw_view2 AS
*** 828,830 ****
--- 825,902 ----
    SELECT * FROM rw_view1 WHERE a > b WITH LOCAL CHECK OPTION;
  INSERT INTO rw_view2 VALUES (2,3); -- ok, but not in view (doesn't fail rw_view2's check)
  DROP TABLE base_tbl CASCADE;
+ 
+ -- security barrier view
+ 
+ CREATE TABLE base_tbl (person text, visibility text);
+ INSERT INTO base_tbl VALUES ('Tom', 'public'),
+                             ('Dick', 'private'),
+                             ('Harry', 'public');
+ 
+ CREATE VIEW rw_view1 AS
+   SELECT person FROM base_tbl WHERE visibility = 'public';
+ 
+ CREATE FUNCTION snoop(val text)
+ RETURNS boolean AS
+ $$
+ BEGIN
+   RAISE NOTICE 'snooped value: %', val;
+   RETURN true;
+ END;
+ $$
+ LANGUAGE plpgsql COST 0.000001;
+ 
+ SELECT * FROM rw_view1 WHERE snoop(person);
+ UPDATE rw_view1 SET person=person WHERE snoop(person);
+ DELETE FROM rw_view1 WHERE NOT snoop(person);
+ 
+ ALTER VIEW rw_view1 SET (security_barrier = true);
+ 
+ SELECT table_name, is_insertable_into
+   FROM information_schema.tables
+  WHERE table_name = 'rw_view1';
+ 
+ SELECT table_name, is_updatable, is_insertable_into
+   FROM information_schema.views
+  WHERE table_name = 'rw_view1';
+ 
+ SELECT table_name, column_name, is_updatable
+   FROM information_schema.columns
+  WHERE table_name = 'rw_view1'
+  ORDER BY ordinal_position;
+ 
+ SELECT * FROM rw_view1 WHERE snoop(person);
+ UPDATE rw_view1 SET person=person WHERE snoop(person);
+ DELETE FROM rw_view1 WHERE NOT snoop(person);
+ 
+ EXPLAIN (costs off) SELECT * FROM rw_view1 WHERE snoop(person);
+ EXPLAIN (costs off) UPDATE rw_view1 SET person=person WHERE snoop(person);
+ EXPLAIN (costs off) DELETE FROM rw_view1 WHERE NOT snoop(person);
+ 
+ -- security barrier view on top of security barrier view
+ 
+ CREATE VIEW rw_view2 WITH (security_barrier = true) AS
+   SELECT * FROM rw_view1 WHERE snoop(person);
+ 
+ SELECT table_name, is_insertable_into
+   FROM information_schema.tables
+  WHERE table_name = 'rw_view2';
+ 
+ SELECT table_name, is_updatable, is_insertable_into
+   FROM information_schema.views
+  WHERE table_name = 'rw_view2';
+ 
+ SELECT table_name, column_name, is_updatable
+   FROM information_schema.columns
+  WHERE table_name = 'rw_view2'
+  ORDER BY ordinal_position;
+ 
+ SELECT * FROM rw_view2 WHERE snoop(person);
+ UPDATE rw_view2 SET person=person WHERE snoop(person);
+ DELETE FROM rw_view2 WHERE NOT snoop(person);
+ 
+ EXPLAIN (costs off) SELECT * FROM rw_view2 WHERE snoop(person);
+ EXPLAIN (costs off) UPDATE rw_view2 SET person=person WHERE snoop(person);
+ EXPLAIN (costs off) DELETE FROM rw_view2 WHERE NOT snoop(person);
+ 
+ DROP TABLE base_tbl CASCADE;

diff --git a/doc/src/sgml/ref/create_view.sgml b/doc/src/sgml/ref/create_view.sgml
new file mode 100644
index e0fbe1e..888410f
*** a/doc/src/sgml/ref/create_view.sgml
--- b/doc/src/sgml/ref/create_view.sgml
*************** CREATE VIEW vista AS SELECT text 'Hello
*** 323,334 ****
         or set-returning functions.
        </para>
       </listitem>
- 
-      <listitem>
-       <para>
-        The view must not have the <literal>security_barrier</> property.
-       </para>
-      </listitem>
      </itemizedlist>
     </para>
  
--- 323,328 ----
diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c
new file mode 100644
index 26a4613..6add0e3
*** a/src/backend/commands/tablecmds.c
--- b/src/backend/commands/tablecmds.c
*************** ATExecSetRelOptions(Relation rel, List *
*** 8811,8817 ****
  		List	   *view_options = untransformRelOptions(newOptions);
  		ListCell   *cell;
  		bool		check_option = false;
- 		bool		security_barrier = false;
  
  		foreach(cell, view_options)
  		{
--- 8811,8816 ----
*************** ATExecSetRelOptions(Relation rel, List *
*** 8819,8826 ****
  
  			if (pg_strcasecmp(defel->defname, "check_option") == 0)
  				check_option = true;
- 			if (pg_strcasecmp(defel->defname, "security_barrier") == 0)
- 				security_barrier = defGetBoolean(defel);
  		}
  
  		/*
--- 8818,8823 ----
*************** ATExecSetRelOptions(Relation rel, List *
*** 8830,8837 ****
  		if (check_option)
  		{
  			const char *view_updatable_error =
! 				view_query_is_auto_updatable(view_query,
! 											 security_barrier, true);
  
  			if (view_updatable_error)
  				ereport(ERROR,
--- 8827,8833 ----
  		if (check_option)
  		{
  			const char *view_updatable_error =
! 				view_query_is_auto_updatable(view_query, true);
  
  			if (view_updatable_error)
  				ereport(ERROR,
diff --git a/src/backend/commands/view.c b/src/backend/commands/view.c
new file mode 100644
index 1735762..bc08566
*** a/src/backend/commands/view.c
--- b/src/backend/commands/view.c
*************** DefineView(ViewStmt *stmt, const char *q
*** 396,402 ****
  	RangeVar   *view;
  	ListCell   *cell;
  	bool		check_option;
- 	bool		security_barrier;
  
  	/*
  	 * Run parse analysis to convert the raw parse tree to a Query.  Note this
--- 396,401 ----
*************** DefineView(ViewStmt *stmt, const char *q
*** 451,457 ****
  	 * specified.
  	 */
  	check_option = false;
- 	security_barrier = false;
  
  	foreach(cell, stmt->options)
  	{
--- 450,455 ----
*************** DefineView(ViewStmt *stmt, const char *q
*** 459,466 ****
  
  		if (pg_strcasecmp(defel->defname, "check_option") == 0)
  			check_option = true;
- 		if (pg_strcasecmp(defel->defname, "security_barrier") == 0)
- 			security_barrier = defGetBoolean(defel);
  	}
  
  	/*
--- 457,462 ----
*************** DefineView(ViewStmt *stmt, const char *q
*** 470,476 ****
  	if (check_option)
  	{
  		const char *view_updatable_error =
! 			view_query_is_auto_updatable(viewParse, security_barrier, true);
  
  		if (view_updatable_error)
  			ereport(ERROR,
--- 466,472 ----
  	if (check_option)
  	{
  		const char *view_updatable_error =
! 			view_query_is_auto_updatable(viewParse, true);
  
  		if (view_updatable_error)
  			ereport(ERROR,
diff --git a/src/backend/nodes/copyfuncs.c b/src/backend/nodes/copyfuncs.c
new file mode 100644
index bb356d0..1e49a71
*** a/src/backend/nodes/copyfuncs.c
--- b/src/backend/nodes/copyfuncs.c
*************** _copyRangeTblEntry(const RangeTblEntry *
*** 1998,2003 ****
--- 1998,2004 ----
  	COPY_SCALAR_FIELD(checkAsUser);
  	COPY_BITMAPSET_FIELD(selectedCols);
  	COPY_BITMAPSET_FIELD(modifiedCols);
+ 	COPY_NODE_FIELD(securityQuals);
  
  	return newnode;
  }
diff --git a/src/backend/nodes/equalfuncs.c b/src/backend/nodes/equalfuncs.c
new file mode 100644
index 5908d9a..ab055d5
*** a/src/backend/nodes/equalfuncs.c
--- b/src/backend/nodes/equalfuncs.c
*************** _equalRangeTblEntry(const RangeTblEntry
*** 2290,2295 ****
--- 2290,2296 ----
  	COMPARE_SCALAR_FIELD(checkAsUser);
  	COMPARE_BITMAPSET_FIELD(selectedCols);
  	COMPARE_BITMAPSET_FIELD(modifiedCols);
+ 	COMPARE_NODE_FIELD(securityQuals);
  
  	return true;
  }
diff --git a/src/backend/nodes/nodeFuncs.c b/src/backend/nodes/nodeFuncs.c
new file mode 100644
index 123f2a6..1e48a7f
*** a/src/backend/nodes/nodeFuncs.c
--- b/src/backend/nodes/nodeFuncs.c
*************** range_table_walker(List *rtable,
*** 2020,2025 ****
--- 2020,2028 ----
  					return true;
  				break;
  		}
+ 
+ 		if (walker(rte->securityQuals, context))
+ 			return true;
  	}
  	return false;
  }
*************** range_table_mutator(List *rtable,
*** 2755,2760 ****
--- 2758,2764 ----
  				MUTATE(newrte->values_lists, rte->values_lists, List *);
  				break;
  		}
+ 		MUTATE(newrte->securityQuals, rte->securityQuals, List *);
  		newrt = lappend(newrt, newrte);
  	}
  	return newrt;
diff --git a/src/backend/nodes/outfuncs.c b/src/backend/nodes/outfuncs.c
new file mode 100644
index 568c3b8..a0e3286
*** a/src/backend/nodes/outfuncs.c
--- b/src/backend/nodes/outfuncs.c
*************** _outRangeTblEntry(StringInfo str, const
*** 2409,2414 ****
--- 2409,2415 ----
  	WRITE_OID_FIELD(checkAsUser);
  	WRITE_BITMAPSET_FIELD(selectedCols);
  	WRITE_BITMAPSET_FIELD(modifiedCols);
+ 	WRITE_NODE_FIELD(securityQuals);
  }
  
  static void
diff --git a/src/backend/nodes/readfuncs.c b/src/backend/nodes/readfuncs.c
new file mode 100644
index c22acd5..1e9baf5
*** a/src/backend/nodes/readfuncs.c
--- b/src/backend/nodes/readfuncs.c
*************** _readRangeTblEntry(void)
*** 1252,1257 ****
--- 1252,1258 ----
  	READ_OID_FIELD(checkAsUser);
  	READ_BITMAPSET_FIELD(selectedCols);
  	READ_BITMAPSET_FIELD(modifiedCols);
+ 	READ_NODE_FIELD(securityQuals);
  
  	READ_DONE();
  }
diff --git a/src/backend/optimizer/plan/planner.c b/src/backend/optimizer/plan/planner.c
new file mode 100644
index 35bda67..a1498ba
*** a/src/backend/optimizer/plan/planner.c
--- b/src/backend/optimizer/plan/planner.c
*************** inheritance_planner(PlannerInfo *root)
*** 916,921 ****
--- 916,927 ----
  		subplan = grouping_planner(&subroot, 0.0 /* retrieve all tuples */ );
  
  		/*
+ 		 * Planning may have modified the query result relation (if there
+ 		 * were security barrier quals on the result RTE).
+ 		 */
+ 		appinfo->child_relid = subroot.parse->resultRelation;
+ 
+ 		/*
  		 * If this child rel was excluded by constraint exclusion, exclude it
  		 * from the result plan.
  		 */
*************** inheritance_planner(PlannerInfo *root)
*** 932,940 ****
  		if (final_rtable == NIL)
  			final_rtable = subroot.parse->rtable;
  		else
! 			final_rtable = list_concat(final_rtable,
  									   list_copy_tail(subroot.parse->rtable,
  												 list_length(final_rtable)));
  
  		/*
  		 * We need to collect all the RelOptInfos from all child plans into
--- 938,969 ----
  		if (final_rtable == NIL)
  			final_rtable = subroot.parse->rtable;
  		else
! 		{
! 			List	   *tmp_rtable = NIL;
! 			ListCell   *cell1, *cell2;
! 
! 			/*
! 			 * Planning this new child may have turned some of the original
! 			 * RTEs into subqueries (if they had security barrier quals). If
! 			 * so, we want to use these in the final rtable.
! 			 */
! 			forboth(cell1, final_rtable, cell2, subroot.parse->rtable)
! 			{
! 				RangeTblEntry *rte1 = (RangeTblEntry *) lfirst(cell1);
! 				RangeTblEntry *rte2 = (RangeTblEntry *) lfirst(cell2);
! 
! 				if (rte1->rtekind == RTE_RELATION &&
! 					rte1->securityQuals != NIL &&
! 					rte2->rtekind == RTE_SUBQUERY)
! 					tmp_rtable = lappend(tmp_rtable, rte2);
! 				else
! 					tmp_rtable = lappend(tmp_rtable, rte1);
! 			}
! 
! 			final_rtable = list_concat(tmp_rtable,
  									   list_copy_tail(subroot.parse->rtable,
  												 list_length(final_rtable)));
+ 		}
  
  		/*
  		 * We need to collect all the RelOptInfos from all child plans into
*************** grouping_planner(PlannerInfo *root, doub
*** 1163,1168 ****
--- 1192,1203 ----
  		tlist = preprocess_targetlist(root, tlist);
  
  		/*
+ 		 * Expand any rangetable entries that have security barrier quals.
+ 		 * This may add new security barrier subquery RTEs to the rangetable.
+ 		 */
+ 		expand_security_quals(root, tlist);
+ 
+ 		/*
  		 * Locate any window functions in the tlist.  (We don't need to look
  		 * anywhere else, since expressions used in ORDER BY will be in there
  		 * too.)  Note that they could all have been eliminated by constant
*************** preprocess_rowmarks(PlannerInfo *root)
*** 2150,2158 ****
  		 * Ignore RowMarkClauses for subqueries; they aren't real tables and
  		 * can't support true locking.  Subqueries that got flattened into the
  		 * main query should be ignored completely.  Any that didn't will get
! 		 * ROW_MARK_COPY items in the next loop.
  		 */
! 		if (rte->rtekind != RTE_RELATION)
  			continue;
  
  		/*
--- 2185,2195 ----
  		 * Ignore RowMarkClauses for subqueries; they aren't real tables and
  		 * can't support true locking.  Subqueries that got flattened into the
  		 * main query should be ignored completely.  Any that didn't will get
! 		 * ROW_MARK_COPY items in the next loop.  Relations with security
! 		 * barrier quals will be later expanded into subqueries, so we treat
! 		 * them as such here too.
  		 */
! 		if (rte->rtekind != RTE_RELATION || rte->securityQuals != NIL)
  			continue;
  
  		/*
*************** preprocess_rowmarks(PlannerInfo *root)
*** 2208,2214 ****
  		newrc->rowmarkId = ++(root->glob->lastRowMarkId);
  		/* real tables support REFERENCE, anything else needs COPY */
  		if (rte->rtekind == RTE_RELATION &&
! 			rte->relkind != RELKIND_FOREIGN_TABLE)
  			newrc->markType = ROW_MARK_REFERENCE;
  		else
  			newrc->markType = ROW_MARK_COPY;
--- 2245,2252 ----
  		newrc->rowmarkId = ++(root->glob->lastRowMarkId);
  		/* real tables support REFERENCE, anything else needs COPY */
  		if (rte->rtekind == RTE_RELATION &&
! 			rte->relkind != RELKIND_FOREIGN_TABLE &&
! 			rte->securityQuals == NIL)
  			newrc->markType = ROW_MARK_REFERENCE;
  		else
  			newrc->markType = ROW_MARK_COPY;
diff --git a/src/backend/optimizer/prep/Makefile b/src/backend/optimizer/prep/Makefile
new file mode 100644
index 86301bf..5195d9b
*** a/src/backend/optimizer/prep/Makefile
--- b/src/backend/optimizer/prep/Makefile
*************** subdir = src/backend/optimizer/prep
*** 12,17 ****
  top_builddir = ../../../..
  include $(top_builddir)/src/Makefile.global
  
! OBJS = prepjointree.o prepqual.o preptlist.o prepunion.o
  
  include $(top_srcdir)/src/backend/common.mk
--- 12,17 ----
  top_builddir = ../../../..
  include $(top_builddir)/src/Makefile.global
  
! OBJS = prepjointree.o prepqual.o prepsecurity.o preptlist.o prepunion.o
  
  include $(top_srcdir)/src/backend/common.mk
diff --git a/src/backend/optimizer/prep/prepsecurity.c b/src/backend/optimizer/prep/prepsecurity.c
new file mode 100644
index ...e7a3f56
*** a/src/backend/optimizer/prep/prepsecurity.c
--- b/src/backend/optimizer/prep/prepsecurity.c
***************
*** 0 ****
--- 1,423 ----
+ /*-------------------------------------------------------------------------
+  *
+  * prepsecurity.c
+  *	  Routines for preprocessing security barrier quals.
+  *
+  * Portions Copyright (c) 1996-2013, PostgreSQL Global Development Group
+  * Portions Copyright (c) 1994, Regents of the University of California
+  *
+  *
+  * IDENTIFICATION
+  *	  src/backend/optimizer/prep/prepsecurity.c
+  *
+  *-------------------------------------------------------------------------
+  */
+ #include "postgres.h"
+ 
+ #include "access/heapam.h"
+ #include "access/sysattr.h"
+ #include "catalog/heap.h"
+ #include "nodes/makefuncs.h"
+ #include "nodes/nodeFuncs.h"
+ #include "optimizer/prep.h"
+ #include "parser/parsetree.h"
+ #include "rewrite/rewriteManip.h"
+ #include "utils/rel.h"
+ 
+ 
+ typedef struct
+ {
+ 	int			rt_index;		/* Index of security barrier RTE */
+ 	int			sublevels_up;	/* Current nesting depth */
+ 	Relation	rel;			/* RTE relation at rt_index */
+ 	List	   *targetlist;		/* Targetlist for new subquery RTE */
+ 	List	   *colnames;		/* Column names in subquery RTE */
+ 	List	   *vars_processed;	/* List of Vars already processed */
+ } security_barrier_replace_vars_context;
+ 
+ static void expand_security_qual(Query *parse, List *tlist, int rt_index, Node *qual);
+ 
+ static void security_barrier_replace_vars(Node *node,
+ 							  security_barrier_replace_vars_context *context);
+ 
+ static bool security_barrier_replace_vars_walker(Node *node,
+ 									 security_barrier_replace_vars_context *context);
+ 
+ 
+ /*
+  * expand_security_quals -
+  *	  expands any security barrier quals on RTEs in the query rtable, turning
+  *	  them into security barrier subqueries.
+  *
+  * Any given RTE may have multiple security barrier quals in a list, from which
+  * we create a set of nested subqueries to isolate each security barrier from
+  * the others, providing protection against malicious user-defined security
+  * barriers.  The first security barrier qual in the list will be used in the
+  * innermost subquery.
+  */
+ void
+ expand_security_quals(PlannerInfo *root, List *tlist)
+ {
+ 	Query	   *parse = root->parse;
+ 	int			rt_index;
+ 
+ 	/*
+ 	 * Process each RTE in the rtable list.
+ 	 *
+ 	 * Note that this is deliberately not a foreach loop, since the rtable may
+ 	 * be modified each time through the loop.
+ 	 */
+ 	rt_index = 0;
+ 	while (rt_index < list_length(parse->rtable))
+ 	{
+ 		RangeTblEntry *rte;
+ 
+ 		rt_index++;
+ 		rte = rt_fetch(rt_index, parse->rtable);
+ 
+ 		if (rte->securityQuals == NIL)
+ 			continue;
+ 
+ 		/*
+ 		 * Ignore any RTEs that aren't used in the query (such RTEs may be
+ 		 * present for permissions checks).
+ 		 */
+ 		if (rt_index != parse->resultRelation &&
+ 			!rangeTableEntry_used((Node *) parse, rt_index, 0))
+ 			continue;
+ 
+ 		/*
+ 		 * If this RTE is the target then we need to make a copy of it before
+ 		 * expanding it.  The unexpanded copy will become the new target, and
+ 		 * the original RTE will be expanded to become the source of rows to
+ 		 * update/delete.
+ 		 */
+ 		if (rt_index == parse->resultRelation)
+ 		{
+ 			RangeTblEntry *newrte = copyObject(rte);
+ 			parse->rtable = lappend(parse->rtable, newrte);
+ 			parse->resultRelation = list_length(parse->rtable);
+ 
+ 			/*
+ 			 * Wipe out any copied security barrier quals on the new target to
+ 			 * prevent infinite recursion.
+ 			 */
+ 			newrte->securityQuals = NIL;
+ 
+ 			/*
+ 			 * There's no need to do permissions checks twice, so wipe out the
+ 			 * permissions info for the original RTE (we prefer to keep the
+ 			 * bits set on the result RTE).
+ 			 */
+ 			rte->requiredPerms = 0;
+ 			rte->checkAsUser = InvalidOid;
+ 			rte->selectedCols = NULL;
+ 			rte->modifiedCols = NULL;
+ 
+ 			/*
+ 			 * For the most part, Vars referencing the original relation should
+ 			 * remain as they are, meaning that they pull OLD values from the
+ 			 * expanded RTE.  But in the RETURNING list and in any WITH CHECK
+ 			 * OPTION quals, we want such Vars to represent NEW values, so
+ 			 * change them to reference the new RTE.
+ 			 */
+ 			ChangeVarNodes((Node *) parse->returningList, rt_index,
+ 						   parse->resultRelation, 0);
+ 
+ 			ChangeVarNodes((Node *) parse->withCheckOptions, rt_index,
+ 						   parse->resultRelation, 0);
+ 		}
+ 
+ 		/*
+ 		 * Process each security barrier qual in turn, starting with the
+ 		 * innermost one (the first in the list) and working outwards.
+ 		 *
+ 		 * We remove each qual from the list before processing it, so that its
+ 		 * variables aren't modified by expand_security_qual.  Also we don't
+ 		 * necessarily want the attributes referred to by the qual to be
+ 		 * exposed by the newly built subquery.
+ 		 */
+ 		while (rte->securityQuals != NIL)
+ 		{
+ 			Node   *qual = (Node *) linitial(rte->securityQuals);
+ 			rte->securityQuals = list_delete_first(rte->securityQuals);
+ 
+ 			ChangeVarNodes(qual, rt_index, 1, 0);
+ 			expand_security_qual(parse, tlist, rt_index, qual);
+ 		}
+ 	}
+ }
+ 
+ 
+ /*
+  * expand_security_qual -
+  *	  expand the specified security barrier qual on a query RTE, turning the
+  *	  RTE into a security barrier subquery.
+  */
+ static void
+ expand_security_qual(Query *parse, List *tlist, int rt_index, Node *qual)
+ {
+ 	RangeTblEntry  *rte;
+ 	Oid				relid;
+ 	Query		   *subquery;
+ 	RangeTblEntry  *subrte;
+ 	RangeTblRef	   *subrtr;
+ 	security_barrier_replace_vars_context context;
+ 	ListCell	   *cell;
+ 
+ 	rte = rt_fetch(rt_index, parse->rtable);
+ 	relid = rte->relid;
+ 
+ 	/*
+ 	 * There should only be 2 possible cases:
+ 	 *
+ 	 * 1. A relation RTE, which we turn into a subquery RTE containing all
+ 	 * referenced columns.
+ 	 *
+ 	 * 2. A subquery RTE (either from a prior call to this function or from an
+ 	 * expanded view).  In this case we build a new subquery on top of it to
+ 	 * isolate this security barrier qual from any other quals.
+ 	 */
+ 	switch (rte->rtekind)
+ 	{
+ 		case RTE_RELATION:
+ 			/*
+ 			 * Turn the relation RTE into a security barrier subquery RTE,
+ 			 * moving all permissions checks down into the subquery.
+ 			 */
+ 			subquery = makeNode(Query);
+ 			subquery->commandType = CMD_SELECT;
+ 			subquery->querySource = QSRC_INSTEAD_RULE;
+ 
+ 			subrte = copyObject(rte);
+ 			subrte->inFromCl = true;
+ 			subrte->securityQuals = NIL;
+ 			subquery->rtable = list_make1(subrte);
+ 
+ 			subrtr = makeNode(RangeTblRef);
+ 			subrtr->rtindex = 1;
+ 			subquery->jointree = makeFromExpr(list_make1(subrtr), qual);
+ 			subquery->hasSubLinks = checkExprHasSubLink(qual);
+ 
+ 			rte->rtekind = RTE_SUBQUERY;
+ 			rte->relid = InvalidOid;
+ 			rte->subquery = subquery;
+ 			rte->security_barrier = true;
+ 			rte->inh = false;			/* must not be set for a subquery */
+ 
+ 			/* the permissions checks have now been moved down */
+ 			rte->requiredPerms = 0;
+ 			rte->checkAsUser = InvalidOid;
+ 			rte->selectedCols = NULL;
+ 			rte->modifiedCols = NULL;
+ 
+ 			/*
+ 			 * Replace any variables in the outer query that refer to the
+ 			 * original relation RTE with references to columns that we will
+ 			 * expose in the new subquery, building the subquery's targetlist
+ 			 * as we go.
+ 			 */
+ 			context.rt_index = rt_index;
+ 			context.sublevels_up = 0;
+ 			context.rel = heap_open(relid, NoLock);
+ 			context.targetlist = NIL;
+ 			context.colnames = NIL;
+ 			context.vars_processed = NIL;
+ 
+ 			security_barrier_replace_vars((Node *) parse, &context);
+ 			security_barrier_replace_vars((Node *) tlist, &context);
+ 
+ 			heap_close(context.rel, NoLock);
+ 
+ 			/* Now we know what columns the subquery needs to expose */
+ 			rte->subquery->targetList = context.targetlist;
+ 			rte->eref = makeAlias(rte->eref->aliasname, context.colnames);
+ 
+ 			break;
+ 
+ 		case RTE_SUBQUERY:
+ 			/*
+ 			 * Build a new subquery that includes all the same columns as the
+ 			 * original subquery.
+ 			 */
+ 			subquery = makeNode(Query);
+ 			subquery->commandType = CMD_SELECT;
+ 			subquery->querySource = QSRC_INSTEAD_RULE;
+ 			subquery->targetList = NIL;
+ 
+ 			foreach(cell, rte->subquery->targetList)
+ 			{
+ 				TargetEntry	   *tle;
+ 				Var			   *var;
+ 
+ 				tle = (TargetEntry *) lfirst(cell);
+ 				var = makeVarFromTargetEntry(1, tle);
+ 
+ 				tle = makeTargetEntry((Expr *) var,
+ 									  list_length(subquery->targetList) + 1,
+ 									  pstrdup(tle->resname),
+ 									  tle->resjunk);
+ 				subquery->targetList = lappend(subquery->targetList, tle);
+ 			}
+ 
+ 			subrte = makeNode(RangeTblEntry);
+ 			subrte->rtekind = RTE_SUBQUERY;
+ 			subrte->subquery = rte->subquery;
+ 			subrte->security_barrier = rte->security_barrier;
+ 			subrte->eref = copyObject(rte->eref);
+ 			subrte->inFromCl = true;
+ 			subquery->rtable = list_make1(subrte);
+ 
+ 			subrtr = makeNode(RangeTblRef);
+ 			subrtr->rtindex = 1;
+ 			subquery->jointree = makeFromExpr(list_make1(subrtr), qual);
+ 			subquery->hasSubLinks = checkExprHasSubLink(qual);
+ 
+ 			rte->subquery = subquery;
+ 			rte->security_barrier = true;
+ 
+ 			break;
+ 
+ 		default:
+ 			elog(ERROR, "invalid range table entry for security barrier qual");
+ 	}
+ }
+ 
+ 
+ /*
+  * security_barrier_replace_vars -
+  *	  Apply security barrier variable replacement to an expression tree.
+  *
+  * This also builds/updates a targetlist with entries for each replacement
+  * variable that needs to be exposed by the security barrier subquery RTE.
+  *
+  * NOTE: although this has the form of a walker, we cheat and modify the
+  * nodes in-place.	The given expression tree should have been copied
+  * earlier to ensure that no unwanted side-effects occur!
+  */
+ static void
+ security_barrier_replace_vars(Node *node,
+ 							  security_barrier_replace_vars_context *context)
+ {
+ 	/*
+ 	 * Must be prepared to start with a Query or a bare expression tree; if
+ 	 * it's a Query, go straight to query_tree_walker to make sure that
+ 	 * sublevels_up doesn't get incremented prematurely.
+ 	 */
+ 	if (node && IsA(node, Query))
+ 		query_tree_walker((Query *) node,
+ 						  security_barrier_replace_vars_walker,
+ 						  (void *) context, 0);
+ 	else
+ 		security_barrier_replace_vars_walker(node, context);
+ }
+ 
+ static bool
+ security_barrier_replace_vars_walker(Node *node,
+ 									 security_barrier_replace_vars_context *context)
+ {
+ 	if (node == NULL)
+ 		return false;
+ 	if (IsA(node, Var))
+ 	{
+ 		Var		   *var = (Var *) node;
+ 
+ 		/*
+ 		 * Note that the same Var may be present in different lists, so we
+ 		 * need to take care not to process it multiple times.
+ 		 */
+ 		if (var->varno == context->rt_index &&
+ 			var->varlevelsup == context->sublevels_up &&
+ 			!list_member_ptr(context->vars_processed, var))
+ 		{
+ 			/*
+ 			 * Found a matching variable. Make sure that it is in the subquery
+ 			 * targetlist and map its attno accordingly.
+ 			 */
+ 			AttrNumber	attno;
+ 			ListCell   *l;
+ 			TargetEntry *tle;
+ 			char	   *attname;
+ 			Var		   *newvar;
+ 
+ 			/* Search for the base attribute in the subquery targetlist */
+ 			attno = InvalidAttrNumber;
+ 			foreach(l, context->targetlist)
+ 			{
+ 				tle = (TargetEntry *) lfirst(l);
+ 				attno++;
+ 
+ 				Assert(IsA(tle->expr, Var));
+ 				if (((Var *) tle->expr)->varattno == var->varattno &&
+ 					((Var *) tle->expr)->varcollid == var->varcollid)
+ 				{
+ 					/* Map the variable onto this subquery targetlist entry */
+ 					var->varattno = attno;
+ 					return false;
+ 				}
+ 			}
+ 
+ 			/* Not in the subquery targetlist, so add it. Get its name. */
+ 			if (var->varattno < 0)
+ 			{
+ 				Form_pg_attribute att_tup;
+ 
+ 				att_tup = SystemAttributeDefinition(var->varattno,
+ 													context->rel->rd_rel->relhasoids);
+ 				attname = NameStr(att_tup->attname);
+ 			}
+ 			else if (var->varattno == InvalidAttrNumber)
+ 			{
+ 				attname = "wholerow";
+ 			}
+ 			else if (var->varattno <= context->rel->rd_att->natts)
+ 			{
+ 				Form_pg_attribute att_tup;
+ 
+ 				att_tup = context->rel->rd_att->attrs[var->varattno - 1];
+ 				attname = NameStr(att_tup->attname);
+ 			}
+ 			else
+ 			{
+ 				elog(ERROR, "invalid attribute number %d in security_barrier_replace_vars", var->varattno);
+ 			}
+ 
+ 			/* New variable for subquery targetlist */
+ 			newvar = copyObject(var);
+ 			newvar->varno = 1;
+ 
+ 			attno = list_length(context->targetlist) + 1;
+ 			tle = makeTargetEntry((Expr *) newvar,
+ 								  attno,
+ 								  pstrdup(attname),
+ 								  false);
+ 
+ 			context->targetlist = lappend(context->targetlist, tle);
+ 
+ 			context->colnames = lappend(context->colnames,
+ 										makeString(pstrdup(attname)));
+ 
+ 			/* Update the outer query's variable */
+ 			var->varattno = attno;
+ 
+ 			/* Remember this Var so that we don't process it again */
+ 			context->vars_processed = lappend(context->vars_processed, var);
+ 		}
+ 		return false;
+ 	}
+ 
+ 	if (IsA(node, Query))
+ 	{
+ 		/* Recurse into subselects */
+ 		bool		result;
+ 
+ 		context->sublevels_up++;
+ 		result = query_tree_walker((Query *) node,
+ 								   security_barrier_replace_vars_walker,
+ 								   (void *) context, 0);
+ 		context->sublevels_up--;
+ 		return result;
+ 	}
+ 	return expression_tree_walker(node, security_barrier_replace_vars_walker,
+ 								  (void *) context);
+ }
diff --git a/src/backend/optimizer/prep/prepunion.c b/src/backend/optimizer/prep/prepunion.c
new file mode 100644
index 52dcc72..c7e0199
*** a/src/backend/optimizer/prep/prepunion.c
--- b/src/backend/optimizer/prep/prepunion.c
*************** typedef struct
*** 55,60 ****
--- 55,61 ----
  {
  	PlannerInfo *root;
  	AppendRelInfo *appinfo;
+ 	int			sublevels_up;
  } adjust_appendrel_attrs_context;
  
  static Plan *recurse_set_operations(Node *setOp, PlannerInfo *root,
*************** translate_col_privs(const Bitmapset *par
*** 1580,1587 ****
   *	  child rel instead.  We also update rtindexes appearing outside Vars,
   *	  such as resultRelation and jointree relids.
   *
!  * Note: this is only applied after conversion of sublinks to subplans,
!  * so we don't need to cope with recursion into sub-queries.
   *
   * Note: this is not hugely different from what pullup_replace_vars() does;
   * maybe we should try to fold the two routines together.
--- 1581,1589 ----
   *	  child rel instead.  We also update rtindexes appearing outside Vars,
   *	  such as resultRelation and jointree relids.
   *
!  * Note: this is applied after conversion of sublinks to subplans in the
!  * query jointree, but there may still be sublinks in the security barrier
!  * quals of RTEs, so we do need to cope with recursion into sub-queries.
   *
   * Note: this is not hugely different from what pullup_replace_vars() does;
   * maybe we should try to fold the two routines together.
*************** adjust_appendrel_attrs(PlannerInfo *root
*** 1594,1602 ****
  
  	context.root = root;
  	context.appinfo = appinfo;
  
  	/*
! 	 * Must be prepared to start with a Query or a bare expression tree.
  	 */
  	if (node && IsA(node, Query))
  	{
--- 1596,1607 ----
  
  	context.root = root;
  	context.appinfo = appinfo;
+ 	context.sublevels_up = 0;
  
  	/*
! 	 * Must be prepared to start with a Query or a bare expression tree; if
! 	 * it's a Query, go straight to query_tree_walker to make sure that
! 	 * sublevels_up doesn't get incremented prematurely.
  	 */
  	if (node && IsA(node, Query))
  	{
*************** adjust_appendrel_attrs_mutator(Node *nod
*** 1635,1641 ****
  	{
  		Var		   *var = (Var *) copyObject(node);
  
! 		if (var->varlevelsup == 0 &&
  			var->varno == appinfo->parent_relid)
  		{
  			var->varno = appinfo->child_relid;
--- 1640,1646 ----
  	{
  		Var		   *var = (Var *) copyObject(node);
  
! 		if (var->varlevelsup == context->sublevels_up &&
  			var->varno == appinfo->parent_relid)
  		{
  			var->varno = appinfo->child_relid;
*************** adjust_appendrel_attrs_mutator(Node *nod
*** 1652,1657 ****
--- 1657,1663 ----
  				if (newnode == NULL)
  					elog(ERROR, "attribute %d of relation \"%s\" does not exist",
  						 var->varattno, get_rel_name(appinfo->parent_reloid));
+ 				((Var *) newnode)->varlevelsup += context->sublevels_up;
  				return newnode;
  			}
  			else if (var->varattno == 0)
*************** adjust_appendrel_attrs_mutator(Node *nod
*** 1694,1703 ****
--- 1700,1715 ----
  					RowExpr    *rowexpr;
  					List	   *fields;
  					RangeTblEntry *rte;
+ 					ListCell   *lc;
  
  					rte = rt_fetch(appinfo->parent_relid,
  								   context->root->parse->rtable);
  					fields = (List *) copyObject(appinfo->translated_vars);
+ 					foreach(lc, fields)
+ 					{
+ 						Var		   *field = (Var *) lfirst(lc);
+ 						field->varlevelsup += context->sublevels_up;
+ 					}
  					rowexpr = makeNode(RowExpr);
  					rowexpr->args = fields;
  					rowexpr->row_typeid = var->vartype;
*************** adjust_appendrel_attrs_mutator(Node *nod
*** 1716,1722 ****
  	{
  		CurrentOfExpr *cexpr = (CurrentOfExpr *) copyObject(node);
  
! 		if (cexpr->cvarno == appinfo->parent_relid)
  			cexpr->cvarno = appinfo->child_relid;
  		return (Node *) cexpr;
  	}
--- 1728,1735 ----
  	{
  		CurrentOfExpr *cexpr = (CurrentOfExpr *) copyObject(node);
  
! 		if (context->sublevels_up == 0 &&
! 			cexpr->cvarno == appinfo->parent_relid)
  			cexpr->cvarno = appinfo->child_relid;
  		return (Node *) cexpr;
  	}
*************** adjust_appendrel_attrs_mutator(Node *nod
*** 1724,1730 ****
  	{
  		RangeTblRef *rtr = (RangeTblRef *) copyObject(node);
  
! 		if (rtr->rtindex == appinfo->parent_relid)
  			rtr->rtindex = appinfo->child_relid;
  		return (Node *) rtr;
  	}
--- 1737,1744 ----
  	{
  		RangeTblRef *rtr = (RangeTblRef *) copyObject(node);
  
! 		if (context->sublevels_up == 0 &&
! 			rtr->rtindex == appinfo->parent_relid)
  			rtr->rtindex = appinfo->child_relid;
  		return (Node *) rtr;
  	}
*************** adjust_appendrel_attrs_mutator(Node *nod
*** 1737,1743 ****
  											  adjust_appendrel_attrs_mutator,
  												 (void *) context);
  		/* now fix JoinExpr's rtindex (probably never happens) */
! 		if (j->rtindex == appinfo->parent_relid)
  			j->rtindex = appinfo->child_relid;
  		return (Node *) j;
  	}
--- 1751,1758 ----
  											  adjust_appendrel_attrs_mutator,
  												 (void *) context);
  		/* now fix JoinExpr's rtindex (probably never happens) */
! 		if (context->sublevels_up == 0 &&
! 			j->rtindex == appinfo->parent_relid)
  			j->rtindex = appinfo->child_relid;
  		return (Node *) j;
  	}
*************** adjust_appendrel_attrs_mutator(Node *nod
*** 1750,1756 ****
  											  adjust_appendrel_attrs_mutator,
  														 (void *) context);
  		/* now fix PlaceHolderVar's relid sets */
! 		if (phv->phlevelsup == 0)
  			phv->phrels = adjust_relid_set(phv->phrels,
  										   appinfo->parent_relid,
  										   appinfo->child_relid);
--- 1765,1771 ----
  											  adjust_appendrel_attrs_mutator,
  														 (void *) context);
  		/* now fix PlaceHolderVar's relid sets */
! 		if (phv->phlevelsup == context->sublevels_up)
  			phv->phrels = adjust_relid_set(phv->phrels,
  										   appinfo->parent_relid,
  										   appinfo->child_relid);
*************** adjust_appendrel_attrs_mutator(Node *nod
*** 1822,1833 ****
  		return (Node *) newinfo;
  	}
  
! 	/*
! 	 * NOTE: we do not need to recurse into sublinks, because they should
! 	 * already have been converted to subplans before we see them.
! 	 */
! 	Assert(!IsA(node, SubLink));
! 	Assert(!IsA(node, Query));
  
  	return expression_tree_mutator(node, adjust_appendrel_attrs_mutator,
  								   (void *) context);
--- 1837,1862 ----
  		return (Node *) newinfo;
  	}
  
! 	if (IsA(node, Query))
! 	{
! 		/*
! 		 * Recurse into sublink subqueries. This should only be possible in
! 		 * security barrier quals of top-level RTEs. All other sublinks should
! 		 * have already been converted to subplans during expression
! 		 * preprocessing, but this doesn't happen for security barrier quals,
! 		 * since they are destined to become quals of a subquery RTE, which
! 		 * will be recursively planned, and so should not be preprocessed at
! 		 * this stage.
! 		 */
! 		Query	   *newnode;
! 
! 		context->sublevels_up++;
! 		newnode = query_tree_mutator((Query *) node,
! 									 adjust_appendrel_attrs_mutator,
! 									 (void *) context, 0);
! 		context->sublevels_up--;
! 		return (Node *) newnode;
! 	}
  
  	return expression_tree_mutator(node, adjust_appendrel_attrs_mutator,
  								   (void *) context);
diff --git a/src/backend/rewrite/rewriteHandler.c b/src/backend/rewrite/rewriteHandler.c
new file mode 100644
index 0b13645..370b5aa
*** a/src/backend/rewrite/rewriteHandler.c
--- b/src/backend/rewrite/rewriteHandler.c
*************** view_col_is_auto_updatable(RangeTblRef *
*** 1973,1980 ****
   * updatable.
   */
  const char *
! view_query_is_auto_updatable(Query *viewquery, bool security_barrier,
! 							 bool check_cols)
  {
  	RangeTblRef *rtr;
  	RangeTblEntry *base_rte;
--- 1973,1979 ----
   * updatable.
   */
  const char *
! view_query_is_auto_updatable(Query *viewquery, bool check_cols)
  {
  	RangeTblRef *rtr;
  	RangeTblEntry *base_rte;
*************** view_query_is_auto_updatable(Query *view
*** 2048,2061 ****
  		return gettext_noop("Views that return set-returning functions are not automatically updatable.");
  
  	/*
- 	 * For now, we also don't support security-barrier views, because of the
- 	 * difficulty of keeping upper-level qual expressions away from
- 	 * lower-level data.  This might get relaxed in the future.
- 	 */
- 	if (security_barrier)
- 		return gettext_noop("Security-barrier views are not automatically updatable.");
- 
- 	/*
  	 * The view query should select from a single base relation, which must be
  	 * a table or another view.
  	 */
--- 2047,2052 ----
*************** relation_is_updatable(Oid reloid,
*** 2303,2311 ****
  	{
  		Query	   *viewquery = get_view_query(rel);
  
! 		if (view_query_is_auto_updatable(viewquery,
! 										 RelationIsSecurityView(rel),
! 										 false) == NULL)
  		{
  			Bitmapset  *updatable_cols;
  			int			auto_events;
--- 2294,2300 ----
  	{
  		Query	   *viewquery = get_view_query(rel);
  
! 		if (view_query_is_auto_updatable(viewquery, false) == NULL)
  		{
  			Bitmapset  *updatable_cols;
  			int			auto_events;
*************** rewriteTargetView(Query *parsetree, Rela
*** 2460,2466 ****
  
  	auto_update_detail =
  		view_query_is_auto_updatable(viewquery,
- 									 RelationIsSecurityView(view),
  									 parsetree->commandType != CMD_DELETE);
  
  	if (auto_update_detail)
--- 2449,2454 ----
*************** rewriteTargetView(Query *parsetree, Rela
*** 2664,2669 ****
--- 2652,2665 ----
  												   view_targetlist);
  
  	/*
+ 	 * Move any security barrier quals from the view RTE onto the new target
+ 	 * RTE.  Any such quals should now apply to the new target RTE and will not
+ 	 * reference the original view RTE in the rewritten query.
+ 	 */
+ 	new_rte->securityQuals = view_rte->securityQuals;
+ 	view_rte->securityQuals = NIL;
+ 
+ 	/*
  	 * For UPDATE/DELETE, rewriteTargetListUD will have added a wholerow junk
  	 * TLE for the view to the end of the targetlist, which we no longer need.
  	 * Remove it to avoid unnecessary work when we process the targetlist.
*************** rewriteTargetView(Query *parsetree, Rela
*** 2743,2748 ****
--- 2739,2748 ----
  	 * only adjust their varnos to reference the new target (just the same as
  	 * we did with the view targetlist).
  	 *
+ 	 * Note that there is special-case handling for the quals of a security
+ 	 * barrier view, since they need to be kept separate from any user-supplied
+ 	 * quals, so these quals are kept on the new target RTE.
+ 	 *
  	 * For INSERT, the view's quals can be ignored in the main query.
  	 */
  	if (parsetree->commandType != CMD_INSERT &&
*************** rewriteTargetView(Query *parsetree, Rela
*** 2751,2757 ****
  		Node	   *viewqual = (Node *) copyObject(viewquery->jointree->quals);
  
  		ChangeVarNodes(viewqual, base_rt_index, new_rt_index, 0);
! 		AddQual(parsetree, (Node *) viewqual);
  	}
  
  	/*
--- 2751,2775 ----
  		Node	   *viewqual = (Node *) copyObject(viewquery->jointree->quals);
  
  		ChangeVarNodes(viewqual, base_rt_index, new_rt_index, 0);
! 
! 		if (RelationIsSecurityView(view))
! 		{
! 			/*
! 			 * Note: the parsetree has been mutated, so the new_rte pointer is
! 			 * stale and needs to be re-computed.
! 			 */
! 			new_rte = rt_fetch(new_rt_index, parsetree->rtable);
! 			new_rte->securityQuals = lcons(viewqual, new_rte->securityQuals);
! 
! 			/*
! 			 * Make sure that the query is marked correctly if the added qual
! 			 * has sublinks.
! 			 */
! 			if (!parsetree->hasSubLinks)
! 				parsetree->hasSubLinks = checkExprHasSubLink(viewqual);
! 		}
! 		else
! 			AddQual(parsetree, (Node *) viewqual);
  	}
  
  	/*
*************** rewriteTargetView(Query *parsetree, Rela
*** 2813,2821 ****
  				 * Make sure that the query is marked correctly if the added
  				 * qual has sublinks.  We can skip this check if the query is
  				 * already marked, or if the command is an UPDATE, in which
! 				 * case the same qual will have already been added to the
! 				 * query's WHERE clause, and AddQual will have already done
! 				 * this check.
  				 */
  				if (!parsetree->hasSubLinks &&
  					parsetree->commandType != CMD_UPDATE)
--- 2831,2838 ----
  				 * Make sure that the query is marked correctly if the added
  				 * qual has sublinks.  We can skip this check if the query is
  				 * already marked, or if the command is an UPDATE, in which
! 				 * case the same qual will have already been added, and this
! 				 * check will already have been done.
  				 */
  				if (!parsetree->hasSubLinks &&
  					parsetree->commandType != CMD_UPDATE)
diff --git a/src/include/nodes/parsenodes.h b/src/include/nodes/parsenodes.h
new file mode 100644
index 846c31a..a197a86
*** a/src/include/nodes/parsenodes.h
--- b/src/include/nodes/parsenodes.h
*************** typedef struct RangeTblEntry
*** 801,806 ****
--- 801,807 ----
  	Oid			checkAsUser;	/* if valid, check access as this role */
  	Bitmapset  *selectedCols;	/* columns needing SELECT permission */
  	Bitmapset  *modifiedCols;	/* columns needing INSERT/UPDATE permission */
+ 	List	   *securityQuals;	/* any security barrier quals to apply */
  } RangeTblEntry;
  
  /*
diff --git a/src/include/optimizer/prep.h b/src/include/optimizer/prep.h
new file mode 100644
index 0f5a7d3..f5fc7e8
*** a/src/include/optimizer/prep.h
--- b/src/include/optimizer/prep.h
*************** extern Node *negate_clause(Node *node);
*** 36,41 ****
--- 36,46 ----
  extern Expr *canonicalize_qual(Expr *qual);
  
  /*
+  * prototypes for prepsecurity.c
+  */
+ extern void expand_security_quals(PlannerInfo *root, List *tlist);
+ 
+ /*
   * prototypes for preptlist.c
   */
  extern List *preprocess_targetlist(PlannerInfo *root, List *tlist);
diff --git a/src/include/rewrite/rewriteHandler.h b/src/include/rewrite/rewriteHandler.h
new file mode 100644
index e4027bd..8da0af5
*** a/src/include/rewrite/rewriteHandler.h
--- b/src/include/rewrite/rewriteHandler.h
*************** extern void AcquireRewriteLocks(Query *p
*** 23,29 ****
  extern Node *build_column_default(Relation rel, int attrno);
  extern Query *get_view_query(Relation view);
  extern const char *view_query_is_auto_updatable(Query *viewquery,
- 										 bool security_barrier,
  										 bool check_cols);
  extern int	relation_is_updatable(Oid reloid,
  						  bool include_triggers,
--- 23,28 ----
diff --git a/src/test/regress/expected/create_view.out b/src/test/regress/expected/create_view.out
new file mode 100644
index 91d1639..f6db582
*** a/src/test/regress/expected/create_view.out
--- b/src/test/regress/expected/create_view.out
*************** CREATE VIEW mysecview4 WITH (security_ba
*** 252,258 ****
         AS SELECT * FROM tbl1 WHERE a <> 0;
  CREATE VIEW mysecview5 WITH (security_barrier=100)	-- Error
         AS SELECT * FROM tbl1 WHERE a > 100;
! ERROR:  security_barrier requires a Boolean value
  CREATE VIEW mysecview6 WITH (invalid_option)		-- Error
         AS SELECT * FROM tbl1 WHERE a < 100;
  ERROR:  unrecognized parameter "invalid_option"
--- 252,258 ----
         AS SELECT * FROM tbl1 WHERE a <> 0;
  CREATE VIEW mysecview5 WITH (security_barrier=100)	-- Error
         AS SELECT * FROM tbl1 WHERE a > 100;
! ERROR:  invalid value for boolean option "security_barrier": 100
  CREATE VIEW mysecview6 WITH (invalid_option)		-- Error
         AS SELECT * FROM tbl1 WHERE a < 100;
  ERROR:  unrecognized parameter "invalid_option"
diff --git a/src/test/regress/expected/updatable_views.out b/src/test/regress/expected/updatable_views.out
new file mode 100644
index 99c9165..261b0c5
*** a/src/test/regress/expected/updatable_views.out
--- b/src/test/regress/expected/updatable_views.out
*************** CREATE VIEW rw_view14 AS SELECT ctid, a,
*** 22,33 ****
  CREATE VIEW rw_view15 AS SELECT a, upper(b) FROM base_tbl; -- Expression/function may be part of an updatable view
  CREATE VIEW rw_view16 AS SELECT a, b, a AS aa FROM base_tbl; -- Repeated column may be part of an updatable view
  CREATE VIEW ro_view17 AS SELECT * FROM ro_view1; -- Base relation not updatable
! CREATE VIEW ro_view18 WITH (security_barrier = true)
!   AS SELECT * FROM base_tbl; -- Security barrier views not updatable
! CREATE VIEW ro_view19 AS SELECT * FROM (VALUES(1)) AS tmp(a); -- VALUES in rangetable
  CREATE SEQUENCE seq;
! CREATE VIEW ro_view20 AS SELECT * FROM seq; -- View based on a sequence
! CREATE VIEW ro_view21 AS SELECT a, b, generate_series(1, a) g FROM base_tbl; -- SRF in targetlist not supported
  SELECT table_name, is_insertable_into
    FROM information_schema.tables
   WHERE table_name LIKE E'r_\\_view%'
--- 22,31 ----
  CREATE VIEW rw_view15 AS SELECT a, upper(b) FROM base_tbl; -- Expression/function may be part of an updatable view
  CREATE VIEW rw_view16 AS SELECT a, b, a AS aa FROM base_tbl; -- Repeated column may be part of an updatable view
  CREATE VIEW ro_view17 AS SELECT * FROM ro_view1; -- Base relation not updatable
! CREATE VIEW ro_view18 AS SELECT * FROM (VALUES(1)) AS tmp(a); -- VALUES in rangetable
  CREATE SEQUENCE seq;
! CREATE VIEW ro_view19 AS SELECT * FROM seq; -- View based on a sequence
! CREATE VIEW ro_view20 AS SELECT a, b, generate_series(1, a) g FROM base_tbl; -- SRF in targetlist not supported
  SELECT table_name, is_insertable_into
    FROM information_schema.tables
   WHERE table_name LIKE E'r_\\_view%'
*************** SELECT table_name, is_insertable_into
*** 44,50 ****
   ro_view19  | NO
   ro_view2   | NO
   ro_view20  | NO
-  ro_view21  | NO
   ro_view3   | NO
   ro_view4   | NO
   ro_view5   | NO
--- 42,47 ----
*************** SELECT table_name, is_insertable_into
*** 55,61 ****
   rw_view14  | YES
   rw_view15  | YES
   rw_view16  | YES
! (21 rows)
  
  SELECT table_name, is_updatable, is_insertable_into
    FROM information_schema.views
--- 52,58 ----
   rw_view14  | YES
   rw_view15  | YES
   rw_view16  | YES
! (20 rows)
  
  SELECT table_name, is_updatable, is_insertable_into
    FROM information_schema.views
*************** SELECT table_name, is_updatable, is_inse
*** 73,79 ****
   ro_view19  | NO           | NO
   ro_view2   | NO           | NO
   ro_view20  | NO           | NO
-  ro_view21  | NO           | NO
   ro_view3   | NO           | NO
   ro_view4   | NO           | NO
   ro_view5   | NO           | NO
--- 70,75 ----
*************** SELECT table_name, is_updatable, is_inse
*** 84,90 ****
   rw_view14  | YES          | YES
   rw_view15  | YES          | YES
   rw_view16  | YES          | YES
! (21 rows)
  
  SELECT table_name, column_name, is_updatable
    FROM information_schema.columns
--- 80,86 ----
   rw_view14  | YES          | YES
   rw_view15  | YES          | YES
   rw_view16  | YES          | YES
! (20 rows)
  
  SELECT table_name, column_name, is_updatable
    FROM information_schema.columns
*************** SELECT table_name, column_name, is_updat
*** 103,125 ****
   ro_view17  | a             | NO
   ro_view17  | b             | NO
   ro_view18  | a             | NO
!  ro_view18  | b             | NO
!  ro_view19  | a             | NO
   ro_view2   | a             | NO
   ro_view2   | b             | NO
!  ro_view20  | sequence_name | NO
!  ro_view20  | last_value    | NO
!  ro_view20  | start_value   | NO
!  ro_view20  | increment_by  | NO
!  ro_view20  | max_value     | NO
!  ro_view20  | min_value     | NO
!  ro_view20  | cache_value   | NO
!  ro_view20  | log_cnt       | NO
!  ro_view20  | is_cycled     | NO
!  ro_view20  | is_called     | NO
!  ro_view21  | a             | NO
!  ro_view21  | b             | NO
!  ro_view21  | g             | NO
   ro_view3   | ?column?      | NO
   ro_view4   | count         | NO
   ro_view5   | a             | NO
--- 99,119 ----
   ro_view17  | a             | NO
   ro_view17  | b             | NO
   ro_view18  | a             | NO
!  ro_view19  | sequence_name | NO
!  ro_view19  | last_value    | NO
!  ro_view19  | start_value   | NO
!  ro_view19  | increment_by  | NO
!  ro_view19  | max_value     | NO
!  ro_view19  | min_value     | NO
!  ro_view19  | cache_value   | NO
!  ro_view19  | log_cnt       | NO
!  ro_view19  | is_cycled     | NO
!  ro_view19  | is_called     | NO
   ro_view2   | a             | NO
   ro_view2   | b             | NO
!  ro_view20  | a             | NO
!  ro_view20  | b             | NO
!  ro_view20  | g             | NO
   ro_view3   | ?column?      | NO
   ro_view4   | count         | NO
   ro_view5   | a             | NO
*************** SELECT table_name, column_name, is_updat
*** 140,146 ****
   rw_view16  | a             | YES
   rw_view16  | b             | YES
   rw_view16  | aa            | YES
! (48 rows)
  
  -- Read-only views
  DELETE FROM ro_view1;
--- 134,140 ----
   rw_view16  | a             | YES
   rw_view16  | b             | YES
   rw_view16  | aa            | YES
! (46 rows)
  
  -- Read-only views
  DELETE FROM ro_view1;
*************** INSERT INTO ro_view17 VALUES (3, 'ROW 3'
*** 268,291 ****
  ERROR:  cannot insert into view "ro_view1"
  DETAIL:  Views containing DISTINCT are not automatically updatable.
  HINT:  To enable inserting into the view, provide an INSTEAD OF INSERT trigger or an unconditional ON INSERT DO INSTEAD rule.
! INSERT INTO ro_view18 VALUES (3, 'ROW 3');
! ERROR:  cannot insert into view "ro_view18"
! DETAIL:  Security-barrier views are not automatically updatable.
! HINT:  To enable inserting into the view, provide an INSTEAD OF INSERT trigger or an unconditional ON INSERT DO INSTEAD rule.
! DELETE FROM ro_view19;
! ERROR:  cannot delete from view "ro_view19"
  DETAIL:  Views that do not select from a single table or view are not automatically updatable.
  HINT:  To enable deleting from the view, provide an INSTEAD OF DELETE trigger or an unconditional ON DELETE DO INSTEAD rule.
! UPDATE ro_view20 SET max_value=1000;
! ERROR:  cannot update view "ro_view20"
  DETAIL:  Views that do not select from a single table or view are not automatically updatable.
  HINT:  To enable updating the view, provide an INSTEAD OF UPDATE trigger or an unconditional ON UPDATE DO INSTEAD rule.
! UPDATE ro_view21 SET b=upper(b);
! ERROR:  cannot update view "ro_view21"
  DETAIL:  Views that return set-returning functions are not automatically updatable.
  HINT:  To enable updating the view, provide an INSTEAD OF UPDATE trigger or an unconditional ON UPDATE DO INSTEAD rule.
  DROP TABLE base_tbl CASCADE;
! NOTICE:  drop cascades to 17 other objects
  DETAIL:  drop cascades to view ro_view1
  drop cascades to view ro_view17
  drop cascades to view ro_view2
--- 262,281 ----
  ERROR:  cannot insert into view "ro_view1"
  DETAIL:  Views containing DISTINCT are not automatically updatable.
  HINT:  To enable inserting into the view, provide an INSTEAD OF INSERT trigger or an unconditional ON INSERT DO INSTEAD rule.
! DELETE FROM ro_view18;
! ERROR:  cannot delete from view "ro_view18"
  DETAIL:  Views that do not select from a single table or view are not automatically updatable.
  HINT:  To enable deleting from the view, provide an INSTEAD OF DELETE trigger or an unconditional ON DELETE DO INSTEAD rule.
! UPDATE ro_view19 SET max_value=1000;
! ERROR:  cannot update view "ro_view19"
  DETAIL:  Views that do not select from a single table or view are not automatically updatable.
  HINT:  To enable updating the view, provide an INSTEAD OF UPDATE trigger or an unconditional ON UPDATE DO INSTEAD rule.
! UPDATE ro_view20 SET b=upper(b);
! ERROR:  cannot update view "ro_view20"
  DETAIL:  Views that return set-returning functions are not automatically updatable.
  HINT:  To enable updating the view, provide an INSTEAD OF UPDATE trigger or an unconditional ON UPDATE DO INSTEAD rule.
  DROP TABLE base_tbl CASCADE;
! NOTICE:  drop cascades to 16 other objects
  DETAIL:  drop cascades to view ro_view1
  drop cascades to view ro_view17
  drop cascades to view ro_view2
*************** drop cascades to view ro_view11
*** 299,311 ****
  drop cascades to view ro_view13
  drop cascades to view rw_view15
  drop cascades to view rw_view16
! drop cascades to view ro_view18
! drop cascades to view ro_view21
  drop cascades to view ro_view4
  drop cascades to view rw_view14
! DROP VIEW ro_view10, ro_view12, ro_view19;
  DROP SEQUENCE seq CASCADE;
! NOTICE:  drop cascades to view ro_view20
  -- simple updatable view
  CREATE TABLE base_tbl (a int PRIMARY KEY, b text DEFAULT 'Unspecified');
  INSERT INTO base_tbl SELECT i, 'Row ' || i FROM generate_series(-2, 2) g(i);
--- 289,300 ----
  drop cascades to view ro_view13
  drop cascades to view rw_view15
  drop cascades to view rw_view16
! drop cascades to view ro_view20
  drop cascades to view ro_view4
  drop cascades to view rw_view14
! DROP VIEW ro_view10, ro_view12, ro_view18;
  DROP SEQUENCE seq CASCADE;
! NOTICE:  drop cascades to view ro_view19
  -- simple updatable view
  CREATE TABLE base_tbl (a int PRIMARY KEY, b text DEFAULT 'Unspecified');
  INSERT INTO base_tbl SELECT i, 'Row ' || i FROM generate_series(-2, 2) g(i);
*************** DROP TABLE base_tbl CASCADE;
*** 1740,1742 ****
--- 1729,1987 ----
  NOTICE:  drop cascades to 2 other objects
  DETAIL:  drop cascades to view rw_view1
  drop cascades to view rw_view2
+ -- security barrier view
+ CREATE TABLE base_tbl (person text, visibility text);
+ INSERT INTO base_tbl VALUES ('Tom', 'public'),
+                             ('Dick', 'private'),
+                             ('Harry', 'public');
+ CREATE VIEW rw_view1 AS
+   SELECT person FROM base_tbl WHERE visibility = 'public';
+ CREATE FUNCTION snoop(val text)
+ RETURNS boolean AS
+ $$
+ BEGIN
+   RAISE NOTICE 'snooped value: %', val;
+   RETURN true;
+ END;
+ $$
+ LANGUAGE plpgsql COST 0.000001;
+ SELECT * FROM rw_view1 WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Dick
+ NOTICE:  snooped value: Harry
+  person 
+ --------
+  Tom
+  Harry
+ (2 rows)
+ 
+ UPDATE rw_view1 SET person=person WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Dick
+ NOTICE:  snooped value: Harry
+ DELETE FROM rw_view1 WHERE NOT snoop(person);
+ NOTICE:  snooped value: Dick
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ ALTER VIEW rw_view1 SET (security_barrier = true);
+ SELECT table_name, is_insertable_into
+   FROM information_schema.tables
+  WHERE table_name = 'rw_view1';
+  table_name | is_insertable_into 
+ ------------+--------------------
+  rw_view1   | YES
+ (1 row)
+ 
+ SELECT table_name, is_updatable, is_insertable_into
+   FROM information_schema.views
+  WHERE table_name = 'rw_view1';
+  table_name | is_updatable | is_insertable_into 
+ ------------+--------------+--------------------
+  rw_view1   | YES          | YES
+ (1 row)
+ 
+ SELECT table_name, column_name, is_updatable
+   FROM information_schema.columns
+  WHERE table_name = 'rw_view1'
+  ORDER BY ordinal_position;
+  table_name | column_name | is_updatable 
+ ------------+-------------+--------------
+  rw_view1   | person      | YES
+ (1 row)
+ 
+ SELECT * FROM rw_view1 WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+  person 
+ --------
+  Tom
+  Harry
+ (2 rows)
+ 
+ UPDATE rw_view1 SET person=person WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ DELETE FROM rw_view1 WHERE NOT snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ EXPLAIN (costs off) SELECT * FROM rw_view1 WHERE snoop(person);
+                   QUERY PLAN                   
+ -----------------------------------------------
+  Subquery Scan on rw_view1
+    Filter: snoop(rw_view1.person)
+    ->  Seq Scan on base_tbl
+          Filter: (visibility = 'public'::text)
+ (4 rows)
+ 
+ EXPLAIN (costs off) UPDATE rw_view1 SET person=person WHERE snoop(person);
+                      QUERY PLAN                      
+ -----------------------------------------------------
+  Update on base_tbl base_tbl_1
+    ->  Subquery Scan on base_tbl
+          Filter: snoop(base_tbl.person)
+          ->  Seq Scan on base_tbl base_tbl_2
+                Filter: (visibility = 'public'::text)
+ (5 rows)
+ 
+ EXPLAIN (costs off) DELETE FROM rw_view1 WHERE NOT snoop(person);
+                      QUERY PLAN                      
+ -----------------------------------------------------
+  Delete on base_tbl base_tbl_1
+    ->  Subquery Scan on base_tbl
+          Filter: (NOT snoop(base_tbl.person))
+          ->  Seq Scan on base_tbl base_tbl_2
+                Filter: (visibility = 'public'::text)
+ (5 rows)
+ 
+ -- security barrier view on top of security barrier view
+ CREATE VIEW rw_view2 WITH (security_barrier = true) AS
+   SELECT * FROM rw_view1 WHERE snoop(person);
+ SELECT table_name, is_insertable_into
+   FROM information_schema.tables
+  WHERE table_name = 'rw_view2';
+  table_name | is_insertable_into 
+ ------------+--------------------
+  rw_view2   | YES
+ (1 row)
+ 
+ SELECT table_name, is_updatable, is_insertable_into
+   FROM information_schema.views
+  WHERE table_name = 'rw_view2';
+  table_name | is_updatable | is_insertable_into 
+ ------------+--------------+--------------------
+  rw_view2   | YES          | YES
+ (1 row)
+ 
+ SELECT table_name, column_name, is_updatable
+   FROM information_schema.columns
+  WHERE table_name = 'rw_view2'
+  ORDER BY ordinal_position;
+  table_name | column_name | is_updatable 
+ ------------+-------------+--------------
+  rw_view2   | person      | YES
+ (1 row)
+ 
+ SELECT * FROM rw_view2 WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ NOTICE:  snooped value: Harry
+  person 
+ --------
+  Tom
+  Harry
+ (2 rows)
+ 
+ UPDATE rw_view2 SET person=person WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ NOTICE:  snooped value: Harry
+ DELETE FROM rw_view2 WHERE NOT snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ NOTICE:  snooped value: Harry
+ EXPLAIN (costs off) SELECT * FROM rw_view2 WHERE snoop(person);
+                      QUERY PLAN                      
+ -----------------------------------------------------
+  Subquery Scan on rw_view2
+    Filter: snoop(rw_view2.person)
+    ->  Subquery Scan on rw_view1
+          Filter: snoop(rw_view1.person)
+          ->  Seq Scan on base_tbl
+                Filter: (visibility = 'public'::text)
+ (6 rows)
+ 
+ EXPLAIN (costs off) UPDATE rw_view2 SET person=person WHERE snoop(person);
+                         QUERY PLAN                         
+ -----------------------------------------------------------
+  Update on base_tbl base_tbl_1
+    ->  Subquery Scan on base_tbl
+          Filter: snoop(base_tbl.person)
+          ->  Subquery Scan on base_tbl_2
+                Filter: snoop(base_tbl_2.person)
+                ->  Seq Scan on base_tbl base_tbl_3
+                      Filter: (visibility = 'public'::text)
+ (7 rows)
+ 
+ EXPLAIN (costs off) DELETE FROM rw_view2 WHERE NOT snoop(person);
+                         QUERY PLAN                         
+ -----------------------------------------------------------
+  Delete on base_tbl base_tbl_1
+    ->  Subquery Scan on base_tbl
+          Filter: (NOT snoop(base_tbl.person))
+          ->  Subquery Scan on base_tbl_2
+                Filter: snoop(base_tbl_2.person)
+                ->  Seq Scan on base_tbl base_tbl_3
+                      Filter: (visibility = 'public'::text)
+ (7 rows)
+ 
+ DROP TABLE base_tbl CASCADE;
+ NOTICE:  drop cascades to 2 other objects
+ DETAIL:  drop cascades to view rw_view1
+ drop cascades to view rw_view2
+ -- security barrier view on top of table with rules
+ CREATE TABLE base_tbl(id int PRIMARY KEY, data text, deleted boolean);
+ INSERT INTO base_tbl VALUES (1, 'Row 1', false), (2, 'Row 2', true);
+ CREATE RULE base_tbl_ins_rule AS ON INSERT TO base_tbl
+   WHERE EXISTS (SELECT 1 FROM base_tbl t WHERE t.id = new.id)
+   DO INSTEAD
+     UPDATE base_tbl SET data = new.data, deleted = false WHERE id = new.id;
+ CREATE RULE base_tbl_del_rule AS ON DELETE TO base_tbl
+   DO INSTEAD
+     UPDATE base_tbl SET deleted = true WHERE id = old.id;
+ CREATE VIEW rw_view1 WITH (security_barrier=true) AS
+   SELECT id, data FROM base_tbl WHERE NOT deleted;
+ SELECT * FROM rw_view1;
+  id | data  
+ ----+-------
+   1 | Row 1
+ (1 row)
+ 
+ EXPLAIN (costs off) DELETE FROM rw_view1 WHERE id = 1 AND snoop(data);
+                                QUERY PLAN                                
+ -------------------------------------------------------------------------
+  Update on base_tbl base_tbl_1
+    ->  Nested Loop
+          ->  Index Scan using base_tbl_pkey on base_tbl base_tbl_1
+                Index Cond: (id = 1)
+          ->  Subquery Scan on base_tbl
+                Filter: snoop(base_tbl.data)
+                ->  Index Scan using base_tbl_pkey on base_tbl base_tbl_2
+                      Index Cond: (id = 1)
+                      Filter: (NOT deleted)
+ (9 rows)
+ 
+ DELETE FROM rw_view1 WHERE id = 1 AND snoop(data);
+ NOTICE:  snooped value: Row 1
+ EXPLAIN (costs off) INSERT INTO rw_view1 VALUES (2, 'New row 2');
+                         QUERY PLAN                         
+ -----------------------------------------------------------
+  Insert on base_tbl
+    InitPlan 1 (returns $0)
+      ->  Index Only Scan using base_tbl_pkey on base_tbl t
+            Index Cond: (id = 2)
+    ->  Result
+          One-Time Filter: ($0 IS NOT TRUE)
+  
+  Update on base_tbl
+    InitPlan 1 (returns $0)
+      ->  Index Only Scan using base_tbl_pkey on base_tbl t
+            Index Cond: (id = 2)
+    ->  Result
+          One-Time Filter: $0
+          ->  Index Scan using base_tbl_pkey on base_tbl
+                Index Cond: (id = 2)
+ (15 rows)
+ 
+ INSERT INTO rw_view1 VALUES (2, 'New row 2');
+ SELECT * FROM base_tbl;
+  id |   data    | deleted 
+ ----+-----------+---------
+   1 | Row 1     | t
+   2 | New row 2 | f
+ (2 rows)
+ 
+ DROP TABLE base_tbl CASCADE;
+ NOTICE:  drop cascades to view rw_view1
diff --git a/src/test/regress/sql/updatable_views.sql b/src/test/regress/sql/updatable_views.sql
new file mode 100644
index a77cf19..08f7504
*** a/src/test/regress/sql/updatable_views.sql
--- b/src/test/regress/sql/updatable_views.sql
*************** CREATE VIEW rw_view14 AS SELECT ctid, a,
*** 25,36 ****
  CREATE VIEW rw_view15 AS SELECT a, upper(b) FROM base_tbl; -- Expression/function may be part of an updatable view
  CREATE VIEW rw_view16 AS SELECT a, b, a AS aa FROM base_tbl; -- Repeated column may be part of an updatable view
  CREATE VIEW ro_view17 AS SELECT * FROM ro_view1; -- Base relation not updatable
! CREATE VIEW ro_view18 WITH (security_barrier = true)
!   AS SELECT * FROM base_tbl; -- Security barrier views not updatable
! CREATE VIEW ro_view19 AS SELECT * FROM (VALUES(1)) AS tmp(a); -- VALUES in rangetable
  CREATE SEQUENCE seq;
! CREATE VIEW ro_view20 AS SELECT * FROM seq; -- View based on a sequence
! CREATE VIEW ro_view21 AS SELECT a, b, generate_series(1, a) g FROM base_tbl; -- SRF in targetlist not supported
  
  SELECT table_name, is_insertable_into
    FROM information_schema.tables
--- 25,34 ----
  CREATE VIEW rw_view15 AS SELECT a, upper(b) FROM base_tbl; -- Expression/function may be part of an updatable view
  CREATE VIEW rw_view16 AS SELECT a, b, a AS aa FROM base_tbl; -- Repeated column may be part of an updatable view
  CREATE VIEW ro_view17 AS SELECT * FROM ro_view1; -- Base relation not updatable
! CREATE VIEW ro_view18 AS SELECT * FROM (VALUES(1)) AS tmp(a); -- VALUES in rangetable
  CREATE SEQUENCE seq;
! CREATE VIEW ro_view19 AS SELECT * FROM seq; -- View based on a sequence
! CREATE VIEW ro_view20 AS SELECT a, b, generate_series(1, a) g FROM base_tbl; -- SRF in targetlist not supported
  
  SELECT table_name, is_insertable_into
    FROM information_schema.tables
*************** SELECT * FROM base_tbl;
*** 87,99 ****
  DELETE FROM rw_view16 WHERE a=-3; -- should be OK
  -- Read-only views
  INSERT INTO ro_view17 VALUES (3, 'ROW 3');
! INSERT INTO ro_view18 VALUES (3, 'ROW 3');
! DELETE FROM ro_view19;
! UPDATE ro_view20 SET max_value=1000;
! UPDATE ro_view21 SET b=upper(b);
  
  DROP TABLE base_tbl CASCADE;
! DROP VIEW ro_view10, ro_view12, ro_view19;
  DROP SEQUENCE seq CASCADE;
  
  -- simple updatable view
--- 85,96 ----
  DELETE FROM rw_view16 WHERE a=-3; -- should be OK
  -- Read-only views
  INSERT INTO ro_view17 VALUES (3, 'ROW 3');
! DELETE FROM ro_view18;
! UPDATE ro_view19 SET max_value=1000;
! UPDATE ro_view20 SET b=upper(b);
  
  DROP TABLE base_tbl CASCADE;
! DROP VIEW ro_view10, ro_view12, ro_view18;
  DROP SEQUENCE seq CASCADE;
  
  -- simple updatable view
*************** CREATE VIEW rw_view2 AS
*** 828,830 ****
--- 825,931 ----
    SELECT * FROM rw_view1 WHERE a > b WITH LOCAL CHECK OPTION;
  INSERT INTO rw_view2 VALUES (2,3); -- ok, but not in view (doesn't fail rw_view2's check)
  DROP TABLE base_tbl CASCADE;
+ 
+ -- security barrier view
+ 
+ CREATE TABLE base_tbl (person text, visibility text);
+ INSERT INTO base_tbl VALUES ('Tom', 'public'),
+                             ('Dick', 'private'),
+                             ('Harry', 'public');
+ 
+ CREATE VIEW rw_view1 AS
+   SELECT person FROM base_tbl WHERE visibility = 'public';
+ 
+ CREATE FUNCTION snoop(val text)
+ RETURNS boolean AS
+ $$
+ BEGIN
+   RAISE NOTICE 'snooped value: %', val;
+   RETURN true;
+ END;
+ $$
+ LANGUAGE plpgsql COST 0.000001;
+ 
+ SELECT * FROM rw_view1 WHERE snoop(person);
+ UPDATE rw_view1 SET person=person WHERE snoop(person);
+ DELETE FROM rw_view1 WHERE NOT snoop(person);
+ 
+ ALTER VIEW rw_view1 SET (security_barrier = true);
+ 
+ SELECT table_name, is_insertable_into
+   FROM information_schema.tables
+  WHERE table_name = 'rw_view1';
+ 
+ SELECT table_name, is_updatable, is_insertable_into
+   FROM information_schema.views
+  WHERE table_name = 'rw_view1';
+ 
+ SELECT table_name, column_name, is_updatable
+   FROM information_schema.columns
+  WHERE table_name = 'rw_view1'
+  ORDER BY ordinal_position;
+ 
+ SELECT * FROM rw_view1 WHERE snoop(person);
+ UPDATE rw_view1 SET person=person WHERE snoop(person);
+ DELETE FROM rw_view1 WHERE NOT snoop(person);
+ 
+ EXPLAIN (costs off) SELECT * FROM rw_view1 WHERE snoop(person);
+ EXPLAIN (costs off) UPDATE rw_view1 SET person=person WHERE snoop(person);
+ EXPLAIN (costs off) DELETE FROM rw_view1 WHERE NOT snoop(person);
+ 
+ -- security barrier view on top of security barrier view
+ 
+ CREATE VIEW rw_view2 WITH (security_barrier = true) AS
+   SELECT * FROM rw_view1 WHERE snoop(person);
+ 
+ SELECT table_name, is_insertable_into
+   FROM information_schema.tables
+  WHERE table_name = 'rw_view2';
+ 
+ SELECT table_name, is_updatable, is_insertable_into
+   FROM information_schema.views
+  WHERE table_name = 'rw_view2';
+ 
+ SELECT table_name, column_name, is_updatable
+   FROM information_schema.columns
+  WHERE table_name = 'rw_view2'
+  ORDER BY ordinal_position;
+ 
+ SELECT * FROM rw_view2 WHERE snoop(person);
+ UPDATE rw_view2 SET person=person WHERE snoop(person);
+ DELETE FROM rw_view2 WHERE NOT snoop(person);
+ 
+ EXPLAIN (costs off) SELECT * FROM rw_view2 WHERE snoop(person);
+ EXPLAIN (costs off) UPDATE rw_view2 SET person=person WHERE snoop(person);
+ EXPLAIN (costs off) DELETE FROM rw_view2 WHERE NOT snoop(person);
+ 
+ DROP TABLE base_tbl CASCADE;
+ 
+ -- security barrier view on top of table with rules
+ 
+ CREATE TABLE base_tbl(id int PRIMARY KEY, data text, deleted boolean);
+ INSERT INTO base_tbl VALUES (1, 'Row 1', false), (2, 'Row 2', true);
+ 
+ CREATE RULE base_tbl_ins_rule AS ON INSERT TO base_tbl
+   WHERE EXISTS (SELECT 1 FROM base_tbl t WHERE t.id = new.id)
+   DO INSTEAD
+     UPDATE base_tbl SET data = new.data, deleted = false WHERE id = new.id;
+ 
+ CREATE RULE base_tbl_del_rule AS ON DELETE TO base_tbl
+   DO INSTEAD
+     UPDATE base_tbl SET deleted = true WHERE id = old.id;
+ 
+ CREATE VIEW rw_view1 WITH (security_barrier=true) AS
+   SELECT id, data FROM base_tbl WHERE NOT deleted;
+ 
+ SELECT * FROM rw_view1;
+ 
+ EXPLAIN (costs off) DELETE FROM rw_view1 WHERE id = 1 AND snoop(data);
+ DELETE FROM rw_view1 WHERE id = 1 AND snoop(data);
+ 
+ EXPLAIN (costs off) INSERT INTO rw_view1 VALUES (2, 'New row 2');
+ INSERT INTO rw_view1 VALUES (2, 'New row 2');
+ 
+ SELECT * FROM base_tbl;
+ 
+ DROP TABLE base_tbl CASCADE;

>From 74b25d933ffb3b363cc584f0e85bf050a776cbb4 Mon Sep 17 00:00:00 2001
From: Craig Ringer <craig@2ndquadrant.com>
Date: Thu, 30 Jan 2014 12:15:40 +0800
Subject: [PATCH] (against upd.s.b. views) Updatable s.b. views code needs to
 adjust rowmarks

This oversight was not triggered when using security barrier views directly,
because only security barrier views that were DML targets were collapsed into
securityQuals, and special RowMark handling was already in place for these
during rewriting.
---
 src/backend/optimizer/prep/prepsecurity.c     | 60 +++++++++++++++++++++++----
 src/test/regress/expected/updatable_views.out |  4 +-
 2 files changed, 54 insertions(+), 10 deletions(-)

diff --git a/src/backend/optimizer/prep/prepsecurity.c b/src/backend/optimizer/prep/prepsecurity.c
index ad682bb..7c4ab0b 100644
--- a/src/backend/optimizer/prep/prepsecurity.c
+++ b/src/backend/optimizer/prep/prepsecurity.c
@@ -46,6 +46,9 @@ static void security_barrier_replace_vars(Node *node,
 static bool security_barrier_replace_vars_walker(Node *node,
 									 security_barrier_replace_vars_context *context);
 
+static void change_rowmarks(PlanRowMark *parent, int old_rt_index,
+							int new_rt_index, List *rowMarks);
+
 
 /*
  * expand_security_quals -
@@ -61,8 +64,9 @@ static bool security_barrier_replace_vars_walker(Node *node,
 void
 expand_security_quals(PlannerInfo *root, List *tlist)
 {
-	Query	   *parse = root->parse;
-	int			rt_index;
+	Query	       *parse = root->parse;
+	int				rt_index, new_rt_index;
+	PlanRowMark	   *rowmark;
 
 	/*
 	 * Process each RTE in the rtable list.
@@ -102,16 +106,17 @@ expand_security_quals(PlannerInfo *root, List *tlist)
 			continue;
 
 		/*
-		 * If this RTE is the target then we need to make a copy of it before
-		 * expanding it.  The unexpanded copy will become the new target, and
-		 * the original RTE will be expanded to become the source of rows to
-		 * update/delete.
+		 * If this RTE is the target relation or is the subject of any RowMarks
+		 * then we need to make a copy of it before expanding it.  The
+		 * unexpanded copy will become the new target, and the original RTE
+		 * will be expanded to become the source of rows to update/delete.
 		 */
-		if (rt_index == parse->resultRelation)
+		rowmark = get_plan_rowmark(root->rowMarks, rt_index);
+		if (rt_index == parse->resultRelation || rowmark != NULL )
 		{
 			RangeTblEntry *newrte = copyObject(rte);
 			parse->rtable = lappend(parse->rtable, newrte);
-			parse->resultRelation = list_length(parse->rtable);
+			parse->resultRelation = new_rt_index = list_length(parse->rtable);
 
 			/*
 			 * Wipe out any copied security barrier quals on the new target to
@@ -141,6 +146,14 @@ expand_security_quals(PlannerInfo *root, List *tlist)
 
 			ChangeVarNodes((Node *) parse->withCheckOptions, rt_index,
 						   parse->resultRelation, 0);
+
+			/*
+			 * The PlanRowMark for this RTI, if present, must also
+			 * point to the underlying RTE_RELATION we copied,
+			 * not to the subquery RTE.
+			 */
+			if (rowmark)
+				change_rowmarks(rowmark, rt_index, new_rt_index, root->rowMarks);
 		}
 
 		/*
@@ -163,6 +176,37 @@ expand_security_quals(PlannerInfo *root, List *tlist)
 	}
 }
 
+/*
+ * When the rangetable entry for a rowmark target is copied and replaced with a
+ * subquery, rowmarks referring to the replaced RTE must be rewritten to point to
+ * its new index.
+ *
+ * Takes the rowmark to adjust ("parent"), the old and new rtis for the RTE we
+ * just copied, and the list of all rowmarks in the plan.
+ */
+static void
+change_rowmarks(PlanRowMark *parent, int old_rt_index,
+				int new_rt_index, List *rowMarks)
+{
+	ListCell	   *lc;
+	PlanRowMark	   *rowmark;
+
+	/* Adjust rti and (if self) prti to point to the copied RTE. */
+	parent->rti = new_rt_index;
+	if (parent->prti == old_rt_index)
+		parent->prti = new_rt_index;
+	/* If this is a parent RowMark, fix up prti on its children. */
+	if (parent->isParent) {
+		foreach (lc, rowMarks)
+		{
+			rowmark = (PlanRowMark*) lfirst(lc);
+			if (rowmark->prti == old_rt_index)
+				rowmark->prti = new_rt_index;
+		}
+	}
+}
+
+
 
 /*
  * expand_security_qual -
diff --git a/src/test/regress/expected/updatable_views.out b/src/test/regress/expected/updatable_views.out
index 261b0c5..9a34819 100644
--- a/src/test/regress/expected/updatable_views.out
+++ b/src/test/regress/expected/updatable_views.out
@@ -1942,13 +1942,13 @@ SELECT * FROM rw_view1;
 EXPLAIN (costs off) DELETE FROM rw_view1 WHERE id = 1 AND snoop(data);
                                QUERY PLAN                                
 -------------------------------------------------------------------------
- Update on base_tbl base_tbl_1
+ Update on base_tbl base_tbl_2
    ->  Nested Loop
          ->  Index Scan using base_tbl_pkey on base_tbl base_tbl_1
                Index Cond: (id = 1)
          ->  Subquery Scan on base_tbl
                Filter: snoop(base_tbl.data)
-               ->  Index Scan using base_tbl_pkey on base_tbl base_tbl_2
+               ->  Index Scan using base_tbl_pkey on base_tbl base_tbl_3
                      Index Cond: (id = 1)
                      Filter: (NOT deleted)
 (9 rows)
-- 
1.8.3.1

>From 855e5cb41058324efebaecf6c77bb70ef993d1fc Mon Sep 17 00:00:00 2001
From: Craig Ringer <craig@2ndquadrant.com>
Date: Fri, 24 Jan 2014 12:02:18 +0800
Subject: [PATCH] Dean Rasheed's RLS patch v3, amended

CAEZATCVAqJV5WTjLmyObP21n+CzhbEx2AOzH4e6qmTcueVDjdQ@mail.gmail.com
plus amendments posted 2014-01-30 by Craig to fix rowmarking

2014-01-23
---
 doc/src/sgml/ref/create_view.sgml             |   6 -
 src/backend/commands/tablecmds.c              |   6 +-
 src/backend/commands/view.c                   |   6 +-
 src/backend/nodes/copyfuncs.c                 |   1 +
 src/backend/nodes/equalfuncs.c                |   1 +
 src/backend/nodes/nodeFuncs.c                 |   4 +
 src/backend/nodes/outfuncs.c                  |   1 +
 src/backend/nodes/readfuncs.c                 |   1 +
 src/backend/optimizer/plan/planner.c          |  46 ++-
 src/backend/optimizer/prep/Makefile           |   2 +-
 src/backend/optimizer/prep/prepsecurity.c     | 467 ++++++++++++++++++++++++++
 src/backend/optimizer/prep/prepunion.c        |  57 +++-
 src/backend/rewrite/rewriteHandler.c          |  53 ++-
 src/include/nodes/parsenodes.h                |   1 +
 src/include/optimizer/prep.h                  |   5 +
 src/include/rewrite/rewriteHandler.h          |   1 -
 src/test/regress/expected/create_view.out     |   2 +-
 src/test/regress/expected/updatable_views.out | 325 +++++++++++++++---
 src/test/regress/sql/updatable_views.sql      | 121 ++++++-
 19 files changed, 1001 insertions(+), 105 deletions(-)
 create mode 100644 src/backend/optimizer/prep/prepsecurity.c

diff --git a/doc/src/sgml/ref/create_view.sgml b/doc/src/sgml/ref/create_view.sgml
index e0fbe1e..888410f 100644
--- a/doc/src/sgml/ref/create_view.sgml
+++ b/doc/src/sgml/ref/create_view.sgml
@@ -323,12 +323,6 @@ CREATE VIEW vista AS SELECT text 'Hello World' AS hello;
        or set-returning functions.
       </para>
      </listitem>
-
-     <listitem>
-      <para>
-       The view must not have the <literal>security_barrier</> property.
-      </para>
-     </listitem>
     </itemizedlist>
    </para>
 
diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c
index 08b037e..b48c8d3 100644
--- a/src/backend/commands/tablecmds.c
+++ b/src/backend/commands/tablecmds.c
@@ -8829,7 +8829,6 @@ ATExecSetRelOptions(Relation rel, List *defList, AlterTableType operation,
 		List	   *view_options = untransformRelOptions(newOptions);
 		ListCell   *cell;
 		bool		check_option = false;
-		bool		security_barrier = false;
 
 		foreach(cell, view_options)
 		{
@@ -8837,8 +8836,6 @@ ATExecSetRelOptions(Relation rel, List *defList, AlterTableType operation,
 
 			if (pg_strcasecmp(defel->defname, "check_option") == 0)
 				check_option = true;
-			if (pg_strcasecmp(defel->defname, "security_barrier") == 0)
-				security_barrier = defGetBoolean(defel);
 		}
 
 		/*
@@ -8848,8 +8845,7 @@ ATExecSetRelOptions(Relation rel, List *defList, AlterTableType operation,
 		if (check_option)
 		{
 			const char *view_updatable_error =
-				view_query_is_auto_updatable(view_query,
-											 security_barrier, true);
+				view_query_is_auto_updatable(view_query, true);
 
 			if (view_updatable_error)
 				ereport(ERROR,
diff --git a/src/backend/commands/view.c b/src/backend/commands/view.c
index 1735762..bc08566 100644
--- a/src/backend/commands/view.c
+++ b/src/backend/commands/view.c
@@ -396,7 +396,6 @@ DefineView(ViewStmt *stmt, const char *queryString)
 	RangeVar   *view;
 	ListCell   *cell;
 	bool		check_option;
-	bool		security_barrier;
 
 	/*
 	 * Run parse analysis to convert the raw parse tree to a Query.  Note this
@@ -451,7 +450,6 @@ DefineView(ViewStmt *stmt, const char *queryString)
 	 * specified.
 	 */
 	check_option = false;
-	security_barrier = false;
 
 	foreach(cell, stmt->options)
 	{
@@ -459,8 +457,6 @@ DefineView(ViewStmt *stmt, const char *queryString)
 
 		if (pg_strcasecmp(defel->defname, "check_option") == 0)
 			check_option = true;
-		if (pg_strcasecmp(defel->defname, "security_barrier") == 0)
-			security_barrier = defGetBoolean(defel);
 	}
 
 	/*
@@ -470,7 +466,7 @@ DefineView(ViewStmt *stmt, const char *queryString)
 	if (check_option)
 	{
 		const char *view_updatable_error =
-			view_query_is_auto_updatable(viewParse, security_barrier, true);
+			view_query_is_auto_updatable(viewParse, true);
 
 		if (view_updatable_error)
 			ereport(ERROR,
diff --git a/src/backend/nodes/copyfuncs.c b/src/backend/nodes/copyfuncs.c
index bb356d0..1e49a71 100644
--- a/src/backend/nodes/copyfuncs.c
+++ b/src/backend/nodes/copyfuncs.c
@@ -1998,6 +1998,7 @@ _copyRangeTblEntry(const RangeTblEntry *from)
 	COPY_SCALAR_FIELD(checkAsUser);
 	COPY_BITMAPSET_FIELD(selectedCols);
 	COPY_BITMAPSET_FIELD(modifiedCols);
+	COPY_NODE_FIELD(securityQuals);
 
 	return newnode;
 }
diff --git a/src/backend/nodes/equalfuncs.c b/src/backend/nodes/equalfuncs.c
index 5908d9a..ab055d5 100644
--- a/src/backend/nodes/equalfuncs.c
+++ b/src/backend/nodes/equalfuncs.c
@@ -2290,6 +2290,7 @@ _equalRangeTblEntry(const RangeTblEntry *a, const RangeTblEntry *b)
 	COMPARE_SCALAR_FIELD(checkAsUser);
 	COMPARE_BITMAPSET_FIELD(selectedCols);
 	COMPARE_BITMAPSET_FIELD(modifiedCols);
+	COMPARE_NODE_FIELD(securityQuals);
 
 	return true;
 }
diff --git a/src/backend/nodes/nodeFuncs.c b/src/backend/nodes/nodeFuncs.c
index 123f2a6..1e48a7f 100644
--- a/src/backend/nodes/nodeFuncs.c
+++ b/src/backend/nodes/nodeFuncs.c
@@ -2020,6 +2020,9 @@ range_table_walker(List *rtable,
 					return true;
 				break;
 		}
+
+		if (walker(rte->securityQuals, context))
+			return true;
 	}
 	return false;
 }
@@ -2755,6 +2758,7 @@ range_table_mutator(List *rtable,
 				MUTATE(newrte->values_lists, rte->values_lists, List *);
 				break;
 		}
+		MUTATE(newrte->securityQuals, rte->securityQuals, List *);
 		newrt = lappend(newrt, newrte);
 	}
 	return newrt;
diff --git a/src/backend/nodes/outfuncs.c b/src/backend/nodes/outfuncs.c
index 568c3b8..a0e3286 100644
--- a/src/backend/nodes/outfuncs.c
+++ b/src/backend/nodes/outfuncs.c
@@ -2409,6 +2409,7 @@ _outRangeTblEntry(StringInfo str, const RangeTblEntry *node)
 	WRITE_OID_FIELD(checkAsUser);
 	WRITE_BITMAPSET_FIELD(selectedCols);
 	WRITE_BITMAPSET_FIELD(modifiedCols);
+	WRITE_NODE_FIELD(securityQuals);
 }
 
 static void
diff --git a/src/backend/nodes/readfuncs.c b/src/backend/nodes/readfuncs.c
index 216d75e..ef1eae9 100644
--- a/src/backend/nodes/readfuncs.c
+++ b/src/backend/nodes/readfuncs.c
@@ -1252,6 +1252,7 @@ _readRangeTblEntry(void)
 	READ_OID_FIELD(checkAsUser);
 	READ_BITMAPSET_FIELD(selectedCols);
 	READ_BITMAPSET_FIELD(modifiedCols);
+	READ_NODE_FIELD(securityQuals);
 
 	READ_DONE();
 }
diff --git a/src/backend/optimizer/plan/planner.c b/src/backend/optimizer/plan/planner.c
index 35bda67..a1498ba 100644
--- a/src/backend/optimizer/plan/planner.c
+++ b/src/backend/optimizer/plan/planner.c
@@ -916,6 +916,12 @@ inheritance_planner(PlannerInfo *root)
 		subplan = grouping_planner(&subroot, 0.0 /* retrieve all tuples */ );
 
 		/*
+		 * Planning may have modified the query result relation (if there
+		 * were security barrier quals on the result RTE).
+		 */
+		appinfo->child_relid = subroot.parse->resultRelation;
+
+		/*
 		 * If this child rel was excluded by constraint exclusion, exclude it
 		 * from the result plan.
 		 */
@@ -932,9 +938,32 @@ inheritance_planner(PlannerInfo *root)
 		if (final_rtable == NIL)
 			final_rtable = subroot.parse->rtable;
 		else
-			final_rtable = list_concat(final_rtable,
+		{
+			List	   *tmp_rtable = NIL;
+			ListCell   *cell1, *cell2;
+
+			/*
+			 * Planning this new child may have turned some of the original
+			 * RTEs into subqueries (if they had security barrier quals). If
+			 * so, we want to use these in the final rtable.
+			 */
+			forboth(cell1, final_rtable, cell2, subroot.parse->rtable)
+			{
+				RangeTblEntry *rte1 = (RangeTblEntry *) lfirst(cell1);
+				RangeTblEntry *rte2 = (RangeTblEntry *) lfirst(cell2);
+
+				if (rte1->rtekind == RTE_RELATION &&
+					rte1->securityQuals != NIL &&
+					rte2->rtekind == RTE_SUBQUERY)
+					tmp_rtable = lappend(tmp_rtable, rte2);
+				else
+					tmp_rtable = lappend(tmp_rtable, rte1);
+			}
+
+			final_rtable = list_concat(tmp_rtable,
 									   list_copy_tail(subroot.parse->rtable,
 												 list_length(final_rtable)));
+		}
 
 		/*
 		 * We need to collect all the RelOptInfos from all child plans into
@@ -1163,6 +1192,12 @@ grouping_planner(PlannerInfo *root, double tuple_fraction)
 		tlist = preprocess_targetlist(root, tlist);
 
 		/*
+		 * Expand any rangetable entries that have security barrier quals.
+		 * This may add new security barrier subquery RTEs to the rangetable.
+		 */
+		expand_security_quals(root, tlist);
+
+		/*
 		 * Locate any window functions in the tlist.  (We don't need to look
 		 * anywhere else, since expressions used in ORDER BY will be in there
 		 * too.)  Note that they could all have been eliminated by constant
@@ -2150,9 +2185,11 @@ preprocess_rowmarks(PlannerInfo *root)
 		 * Ignore RowMarkClauses for subqueries; they aren't real tables and
 		 * can't support true locking.  Subqueries that got flattened into the
 		 * main query should be ignored completely.  Any that didn't will get
-		 * ROW_MARK_COPY items in the next loop.
+		 * ROW_MARK_COPY items in the next loop.  Relations with security
+		 * barrier quals will be later expanded into subqueries, so we treat
+		 * them as such here too.
 		 */
-		if (rte->rtekind != RTE_RELATION)
+		if (rte->rtekind != RTE_RELATION || rte->securityQuals != NIL)
 			continue;
 
 		/*
@@ -2208,7 +2245,8 @@ preprocess_rowmarks(PlannerInfo *root)
 		newrc->rowmarkId = ++(root->glob->lastRowMarkId);
 		/* real tables support REFERENCE, anything else needs COPY */
 		if (rte->rtekind == RTE_RELATION &&
-			rte->relkind != RELKIND_FOREIGN_TABLE)
+			rte->relkind != RELKIND_FOREIGN_TABLE &&
+			rte->securityQuals == NIL)
 			newrc->markType = ROW_MARK_REFERENCE;
 		else
 			newrc->markType = ROW_MARK_COPY;
diff --git a/src/backend/optimizer/prep/Makefile b/src/backend/optimizer/prep/Makefile
index 86301bf..5195d9b 100644
--- a/src/backend/optimizer/prep/Makefile
+++ b/src/backend/optimizer/prep/Makefile
@@ -12,6 +12,6 @@ subdir = src/backend/optimizer/prep
 top_builddir = ../../../..
 include $(top_builddir)/src/Makefile.global
 
-OBJS = prepjointree.o prepqual.o preptlist.o prepunion.o
+OBJS = prepjointree.o prepqual.o prepsecurity.o preptlist.o prepunion.o
 
 include $(top_srcdir)/src/backend/common.mk
diff --git a/src/backend/optimizer/prep/prepsecurity.c b/src/backend/optimizer/prep/prepsecurity.c
new file mode 100644
index 0000000..01e788c
--- /dev/null
+++ b/src/backend/optimizer/prep/prepsecurity.c
@@ -0,0 +1,467 @@
+/*-------------------------------------------------------------------------
+ *
+ * prepsecurity.c
+ *	  Routines for preprocessing security barrier quals.
+ *
+ * Portions Copyright (c) 1996-2013, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ *
+ * IDENTIFICATION
+ *	  src/backend/optimizer/prep/prepsecurity.c
+ *
+ *-------------------------------------------------------------------------
+ */
+#include "postgres.h"
+
+#include "access/heapam.h"
+#include "access/sysattr.h"
+#include "catalog/heap.h"
+#include "nodes/makefuncs.h"
+#include "nodes/nodeFuncs.h"
+#include "optimizer/prep.h"
+#include "parser/parsetree.h"
+#include "rewrite/rewriteManip.h"
+#include "utils/rel.h"
+
+
+typedef struct
+{
+	int			rt_index;		/* Index of security barrier RTE */
+	int			sublevels_up;	/* Current nesting depth */
+	Relation	rel;			/* RTE relation at rt_index */
+	List	   *targetlist;		/* Targetlist for new subquery RTE */
+	List	   *colnames;		/* Column names in subquery RTE */
+	List	   *vars_processed;	/* List of Vars already processed */
+} security_barrier_replace_vars_context;
+
+static void expand_security_qual(Query *parse, List *tlist, int rt_index, Node *qual);
+
+static void security_barrier_replace_vars(Node *node,
+							  security_barrier_replace_vars_context *context);
+
+static bool security_barrier_replace_vars_walker(Node *node,
+									 security_barrier_replace_vars_context *context);
+
+static void change_rowmarks(PlanRowMark *parent, int old_rt_index,
+							int new_rt_index, List *rowMarks);
+
+
+/*
+ * expand_security_quals -
+ *	  expands any security barrier quals on RTEs in the query rtable, turning
+ *	  them into security barrier subqueries.
+ *
+ * Any given RTE may have multiple security barrier quals in a list, from which
+ * we create a set of nested subqueries to isolate each security barrier from
+ * the others, providing protection against malicious user-defined security
+ * barriers.  The first security barrier qual in the list will be used in the
+ * innermost subquery.
+ */
+void
+expand_security_quals(PlannerInfo *root, List *tlist)
+{
+	Query	       *parse = root->parse;
+	int				rt_index, new_rt_index;
+	PlanRowMark	   *rowmark;
+
+	/*
+	 * Process each RTE in the rtable list.
+	 *
+	 * Note that this is deliberately not a foreach loop, since the rtable may
+	 * be modified each time through the loop.
+	 */
+	rt_index = 0;
+	while (rt_index < list_length(parse->rtable))
+	{
+		RangeTblEntry *rte;
+
+		rt_index++;
+		rte = rt_fetch(rt_index, parse->rtable);
+
+		if (rte->securityQuals == NIL)
+			continue;
+
+		/*
+		 * Ignore any RTEs that aren't used in the query (such RTEs may be
+		 * present for permissions checks).
+		 */
+		if (rt_index != parse->resultRelation &&
+			!rangeTableEntry_used((Node *) parse, rt_index, 0))
+			continue;
+
+		/*
+		 * If this RTE is the target relation or is the subject of any RowMarks
+		 * then we need to make a copy of it before expanding it.  The
+		 * unexpanded copy will become the new target, and the original RTE
+		 * will be expanded to become the source of rows to update/delete.
+		 */
+		rowmark = get_plan_rowmark(root->rowMarks, rt_index);
+		if (rt_index == parse->resultRelation || rowmark != NULL )
+		{
+			RangeTblEntry *newrte = copyObject(rte);
+			parse->rtable = lappend(parse->rtable, newrte);
+			parse->resultRelation = new_rt_index = list_length(parse->rtable);
+
+			/*
+			 * Wipe out any copied security barrier quals on the new target to
+			 * prevent infinite recursion.
+			 */
+			newrte->securityQuals = NIL;
+
+			/*
+			 * There's no need to do permissions checks twice, so wipe out the
+			 * permissions info for the original RTE (we prefer to keep the
+			 * bits set on the result RTE).
+			 */
+			rte->requiredPerms = 0;
+			rte->checkAsUser = InvalidOid;
+			rte->selectedCols = NULL;
+			rte->modifiedCols = NULL;
+
+			/*
+			 * For the most part, Vars referencing the original relation should
+			 * remain as they are, meaning that they pull OLD values from the
+			 * expanded RTE.  But in the RETURNING list and in any WITH CHECK
+			 * OPTION quals, we want such Vars to represent NEW values, so
+			 * change them to reference the new RTE.
+			 */
+			ChangeVarNodes((Node *) parse->returningList, rt_index,
+						   parse->resultRelation, 0);
+
+			ChangeVarNodes((Node *) parse->withCheckOptions, rt_index,
+						   parse->resultRelation, 0);
+
+			/*
+			 * The PlanRowMark for this RTI, if present, must also
+			 * point to the underlying RTE_RELATION we copied,
+			 * not to the subquery RTE.
+			 */
+			if (rowmark)
+				change_rowmarks(rowmark, rt_index, new_rt_index, root->rowMarks);
+		}
+
+		/*
+		 * Process each security barrier qual in turn, starting with the
+		 * innermost one (the first in the list) and working outwards.
+		 *
+		 * We remove each qual from the list before processing it, so that its
+		 * variables aren't modified by expand_security_qual.  Also we don't
+		 * necessarily want the attributes referred to by the qual to be
+		 * exposed by the newly built subquery.
+		 */
+		while (rte->securityQuals != NIL)
+		{
+			Node   *qual = (Node *) linitial(rte->securityQuals);
+			rte->securityQuals = list_delete_first(rte->securityQuals);
+
+			ChangeVarNodes(qual, rt_index, 1, 0);
+			expand_security_qual(parse, tlist, rt_index, qual);
+		}
+	}
+}
+
+/*
+ * When the rangetable entry for a rowmark target is copied and replaced with a
+ * subquery, rowmarks referring to the replaced RTE must be rewritten to point to
+ * its new index.
+ *
+ * Takes the rowmark to adjust ("parent"), the old and new rtis for the RTE we
+ * just copied, and the list of all rowmarks in the plan.
+ */
+static void
+change_rowmarks(PlanRowMark *parent, int old_rt_index,
+				int new_rt_index, List *rowMarks)
+{
+	ListCell	   *lc;
+	PlanRowMark	   *rowmark;
+
+	/* Adjust rti and (if self) prti to point to the copied RTE. */
+	parent->rti = new_rt_index;
+	if (parent->prti == old_rt_index)
+		parent->prti = new_rt_index;
+	/* If this is a parent RowMark, fix up prti on its children. */
+	if (parent->isParent) {
+		foreach (lc, rowMarks)
+		{
+			rowmark = (PlanRowMark*) lfirst(lc);
+			if (rowmark->prti == old_rt_index)
+				rowmark->prti = new_rt_index;
+		}
+	}
+}
+
+
+
+/*
+ * expand_security_qual -
+ *	  expand the specified security barrier qual on a query RTE, turning the
+ *	  RTE into a security barrier subquery.
+ */
+static void
+expand_security_qual(Query *parse, List *tlist, int rt_index, Node *qual)
+{
+	RangeTblEntry  *rte;
+	Oid				relid;
+	Query		   *subquery;
+	RangeTblEntry  *subrte;
+	RangeTblRef	   *subrtr;
+	security_barrier_replace_vars_context context;
+	ListCell	   *cell;
+
+	rte = rt_fetch(rt_index, parse->rtable);
+	relid = rte->relid;
+
+	/*
+	 * There should only be 2 possible cases:
+	 *
+	 * 1. A relation RTE, which we turn into a subquery RTE containing all
+	 * referenced columns.
+	 *
+	 * 2. A subquery RTE (either from a prior call to this function or from an
+	 * expanded view).  In this case we build a new subquery on top of it to
+	 * isolate this security barrier qual from any other quals.
+	 */
+	switch (rte->rtekind)
+	{
+		case RTE_RELATION:
+			/*
+			 * Turn the relation RTE into a security barrier subquery RTE,
+			 * moving all permissions checks down into the subquery.
+			 */
+			subquery = makeNode(Query);
+			subquery->commandType = CMD_SELECT;
+			subquery->querySource = QSRC_INSTEAD_RULE;
+
+			subrte = copyObject(rte);
+			subrte->inFromCl = true;
+			subrte->securityQuals = NIL;
+			subquery->rtable = list_make1(subrte);
+
+			subrtr = makeNode(RangeTblRef);
+			subrtr->rtindex = 1;
+			subquery->jointree = makeFromExpr(list_make1(subrtr), qual);
+			subquery->hasSubLinks = checkExprHasSubLink(qual);
+
+			rte->rtekind = RTE_SUBQUERY;
+			rte->relid = InvalidOid;
+			rte->subquery = subquery;
+			rte->security_barrier = true;
+			rte->inh = false;			/* must not be set for a subquery */
+
+			/* the permissions checks have now been moved down */
+			rte->requiredPerms = 0;
+			rte->checkAsUser = InvalidOid;
+			rte->selectedCols = NULL;
+			rte->modifiedCols = NULL;
+
+			/*
+			 * Replace any variables in the outer query that refer to the
+			 * original relation RTE with references to columns that we will
+			 * expose in the new subquery, building the subquery's targetlist
+			 * as we go.
+			 */
+			context.rt_index = rt_index;
+			context.sublevels_up = 0;
+			context.rel = heap_open(relid, NoLock);
+			context.targetlist = NIL;
+			context.colnames = NIL;
+			context.vars_processed = NIL;
+
+			security_barrier_replace_vars((Node *) parse, &context);
+			security_barrier_replace_vars((Node *) tlist, &context);
+
+			heap_close(context.rel, NoLock);
+
+			/* Now we know what columns the subquery needs to expose */
+			rte->subquery->targetList = context.targetlist;
+			rte->eref = makeAlias(rte->eref->aliasname, context.colnames);
+
+			break;
+
+		case RTE_SUBQUERY:
+			/*
+			 * Build a new subquery that includes all the same columns as the
+			 * original subquery.
+			 */
+			subquery = makeNode(Query);
+			subquery->commandType = CMD_SELECT;
+			subquery->querySource = QSRC_INSTEAD_RULE;
+			subquery->targetList = NIL;
+
+			foreach(cell, rte->subquery->targetList)
+			{
+				TargetEntry	   *tle;
+				Var			   *var;
+
+				tle = (TargetEntry *) lfirst(cell);
+				var = makeVarFromTargetEntry(1, tle);
+
+				tle = makeTargetEntry((Expr *) var,
+									  list_length(subquery->targetList) + 1,
+									  pstrdup(tle->resname),
+									  tle->resjunk);
+				subquery->targetList = lappend(subquery->targetList, tle);
+			}
+
+			subrte = makeNode(RangeTblEntry);
+			subrte->rtekind = RTE_SUBQUERY;
+			subrte->subquery = rte->subquery;
+			subrte->security_barrier = rte->security_barrier;
+			subrte->eref = copyObject(rte->eref);
+			subrte->inFromCl = true;
+			subquery->rtable = list_make1(subrte);
+
+			subrtr = makeNode(RangeTblRef);
+			subrtr->rtindex = 1;
+			subquery->jointree = makeFromExpr(list_make1(subrtr), qual);
+			subquery->hasSubLinks = checkExprHasSubLink(qual);
+
+			rte->subquery = subquery;
+			rte->security_barrier = true;
+
+			break;
+
+		default:
+			elog(ERROR, "invalid range table entry for security barrier qual");
+	}
+}
+
+
+/*
+ * security_barrier_replace_vars -
+ *	  Apply security barrier variable replacement to an expression tree.
+ *
+ * This also builds/updates a targetlist with entries for each replacement
+ * variable that needs to be exposed by the security barrier subquery RTE.
+ *
+ * NOTE: although this has the form of a walker, we cheat and modify the
+ * nodes in-place.	The given expression tree should have been copied
+ * earlier to ensure that no unwanted side-effects occur!
+ */
+static void
+security_barrier_replace_vars(Node *node,
+							  security_barrier_replace_vars_context *context)
+{
+	/*
+	 * Must be prepared to start with a Query or a bare expression tree; if
+	 * it's a Query, go straight to query_tree_walker to make sure that
+	 * sublevels_up doesn't get incremented prematurely.
+	 */
+	if (node && IsA(node, Query))
+		query_tree_walker((Query *) node,
+						  security_barrier_replace_vars_walker,
+						  (void *) context, 0);
+	else
+		security_barrier_replace_vars_walker(node, context);
+}
+
+static bool
+security_barrier_replace_vars_walker(Node *node,
+									 security_barrier_replace_vars_context *context)
+{
+	if (node == NULL)
+		return false;
+	if (IsA(node, Var))
+	{
+		Var		   *var = (Var *) node;
+
+		/*
+		 * Note that the same Var may be present in different lists, so we
+		 * need to take care not to process it multiple times.
+		 */
+		if (var->varno == context->rt_index &&
+			var->varlevelsup == context->sublevels_up &&
+			!list_member_ptr(context->vars_processed, var))
+		{
+			/*
+			 * Found a matching variable. Make sure that it is in the subquery
+			 * targetlist and map its attno accordingly.
+			 */
+			AttrNumber	attno;
+			ListCell   *l;
+			TargetEntry *tle;
+			char	   *attname;
+			Var		   *newvar;
+
+			/* Search for the base attribute in the subquery targetlist */
+			attno = InvalidAttrNumber;
+			foreach(l, context->targetlist)
+			{
+				tle = (TargetEntry *) lfirst(l);
+				attno++;
+
+				Assert(IsA(tle->expr, Var));
+				if (((Var *) tle->expr)->varattno == var->varattno &&
+					((Var *) tle->expr)->varcollid == var->varcollid)
+				{
+					/* Map the variable onto this subquery targetlist entry */
+					var->varattno = attno;
+					return false;
+				}
+			}
+
+			/* Not in the subquery targetlist, so add it. Get its name. */
+			if (var->varattno < 0)
+			{
+				Form_pg_attribute att_tup;
+
+				att_tup = SystemAttributeDefinition(var->varattno,
+													context->rel->rd_rel->relhasoids);
+				attname = NameStr(att_tup->attname);
+			}
+			else if (var->varattno == InvalidAttrNumber)
+			{
+				attname = "wholerow";
+			}
+			else if (var->varattno <= context->rel->rd_att->natts)
+			{
+				Form_pg_attribute att_tup;
+
+				att_tup = context->rel->rd_att->attrs[var->varattno - 1];
+				attname = NameStr(att_tup->attname);
+			}
+			else
+			{
+				elog(ERROR, "invalid attribute number %d in security_barrier_replace_vars", var->varattno);
+			}
+
+			/* New variable for subquery targetlist */
+			newvar = copyObject(var);
+			newvar->varno = 1;
+
+			attno = list_length(context->targetlist) + 1;
+			tle = makeTargetEntry((Expr *) newvar,
+								  attno,
+								  pstrdup(attname),
+								  false);
+
+			context->targetlist = lappend(context->targetlist, tle);
+
+			context->colnames = lappend(context->colnames,
+										makeString(pstrdup(attname)));
+
+			/* Update the outer query's variable */
+			var->varattno = attno;
+
+			/* Remember this Var so that we don't process it again */
+			context->vars_processed = lappend(context->vars_processed, var);
+		}
+		return false;
+	}
+
+	if (IsA(node, Query))
+	{
+		/* Recurse into subselects */
+		bool		result;
+
+		context->sublevels_up++;
+		result = query_tree_walker((Query *) node,
+								   security_barrier_replace_vars_walker,
+								   (void *) context, 0);
+		context->sublevels_up--;
+		return result;
+	}
+	return expression_tree_walker(node, security_barrier_replace_vars_walker,
+								  (void *) context);
+}
diff --git a/src/backend/optimizer/prep/prepunion.c b/src/backend/optimizer/prep/prepunion.c
index 52dcc72..c7e0199 100644
--- a/src/backend/optimizer/prep/prepunion.c
+++ b/src/backend/optimizer/prep/prepunion.c
@@ -55,6 +55,7 @@ typedef struct
 {
 	PlannerInfo *root;
 	AppendRelInfo *appinfo;
+	int			sublevels_up;
 } adjust_appendrel_attrs_context;
 
 static Plan *recurse_set_operations(Node *setOp, PlannerInfo *root,
@@ -1580,8 +1581,9 @@ translate_col_privs(const Bitmapset *parent_privs,
  *	  child rel instead.  We also update rtindexes appearing outside Vars,
  *	  such as resultRelation and jointree relids.
  *
- * Note: this is only applied after conversion of sublinks to subplans,
- * so we don't need to cope with recursion into sub-queries.
+ * Note: this is applied after conversion of sublinks to subplans in the
+ * query jointree, but there may still be sublinks in the security barrier
+ * quals of RTEs, so we do need to cope with recursion into sub-queries.
  *
  * Note: this is not hugely different from what pullup_replace_vars() does;
  * maybe we should try to fold the two routines together.
@@ -1594,9 +1596,12 @@ adjust_appendrel_attrs(PlannerInfo *root, Node *node, AppendRelInfo *appinfo)
 
 	context.root = root;
 	context.appinfo = appinfo;
+	context.sublevels_up = 0;
 
 	/*
-	 * Must be prepared to start with a Query or a bare expression tree.
+	 * Must be prepared to start with a Query or a bare expression tree; if
+	 * it's a Query, go straight to query_tree_walker to make sure that
+	 * sublevels_up doesn't get incremented prematurely.
 	 */
 	if (node && IsA(node, Query))
 	{
@@ -1635,7 +1640,7 @@ adjust_appendrel_attrs_mutator(Node *node,
 	{
 		Var		   *var = (Var *) copyObject(node);
 
-		if (var->varlevelsup == 0 &&
+		if (var->varlevelsup == context->sublevels_up &&
 			var->varno == appinfo->parent_relid)
 		{
 			var->varno = appinfo->child_relid;
@@ -1652,6 +1657,7 @@ adjust_appendrel_attrs_mutator(Node *node,
 				if (newnode == NULL)
 					elog(ERROR, "attribute %d of relation \"%s\" does not exist",
 						 var->varattno, get_rel_name(appinfo->parent_reloid));
+				((Var *) newnode)->varlevelsup += context->sublevels_up;
 				return newnode;
 			}
 			else if (var->varattno == 0)
@@ -1694,10 +1700,16 @@ adjust_appendrel_attrs_mutator(Node *node,
 					RowExpr    *rowexpr;
 					List	   *fields;
 					RangeTblEntry *rte;
+					ListCell   *lc;
 
 					rte = rt_fetch(appinfo->parent_relid,
 								   context->root->parse->rtable);
 					fields = (List *) copyObject(appinfo->translated_vars);
+					foreach(lc, fields)
+					{
+						Var		   *field = (Var *) lfirst(lc);
+						field->varlevelsup += context->sublevels_up;
+					}
 					rowexpr = makeNode(RowExpr);
 					rowexpr->args = fields;
 					rowexpr->row_typeid = var->vartype;
@@ -1716,7 +1728,8 @@ adjust_appendrel_attrs_mutator(Node *node,
 	{
 		CurrentOfExpr *cexpr = (CurrentOfExpr *) copyObject(node);
 
-		if (cexpr->cvarno == appinfo->parent_relid)
+		if (context->sublevels_up == 0 &&
+			cexpr->cvarno == appinfo->parent_relid)
 			cexpr->cvarno = appinfo->child_relid;
 		return (Node *) cexpr;
 	}
@@ -1724,7 +1737,8 @@ adjust_appendrel_attrs_mutator(Node *node,
 	{
 		RangeTblRef *rtr = (RangeTblRef *) copyObject(node);
 
-		if (rtr->rtindex == appinfo->parent_relid)
+		if (context->sublevels_up == 0 &&
+			rtr->rtindex == appinfo->parent_relid)
 			rtr->rtindex = appinfo->child_relid;
 		return (Node *) rtr;
 	}
@@ -1737,7 +1751,8 @@ adjust_appendrel_attrs_mutator(Node *node,
 											  adjust_appendrel_attrs_mutator,
 												 (void *) context);
 		/* now fix JoinExpr's rtindex (probably never happens) */
-		if (j->rtindex == appinfo->parent_relid)
+		if (context->sublevels_up == 0 &&
+			j->rtindex == appinfo->parent_relid)
 			j->rtindex = appinfo->child_relid;
 		return (Node *) j;
 	}
@@ -1750,7 +1765,7 @@ adjust_appendrel_attrs_mutator(Node *node,
 											  adjust_appendrel_attrs_mutator,
 														 (void *) context);
 		/* now fix PlaceHolderVar's relid sets */
-		if (phv->phlevelsup == 0)
+		if (phv->phlevelsup == context->sublevels_up)
 			phv->phrels = adjust_relid_set(phv->phrels,
 										   appinfo->parent_relid,
 										   appinfo->child_relid);
@@ -1822,12 +1837,26 @@ adjust_appendrel_attrs_mutator(Node *node,
 		return (Node *) newinfo;
 	}
 
-	/*
-	 * NOTE: we do not need to recurse into sublinks, because they should
-	 * already have been converted to subplans before we see them.
-	 */
-	Assert(!IsA(node, SubLink));
-	Assert(!IsA(node, Query));
+	if (IsA(node, Query))
+	{
+		/*
+		 * Recurse into sublink subqueries. This should only be possible in
+		 * security barrier quals of top-level RTEs. All other sublinks should
+		 * have already been converted to subplans during expression
+		 * preprocessing, but this doesn't happen for security barrier quals,
+		 * since they are destined to become quals of a subquery RTE, which
+		 * will be recursively planned, and so should not be preprocessed at
+		 * this stage.
+		 */
+		Query	   *newnode;
+
+		context->sublevels_up++;
+		newnode = query_tree_mutator((Query *) node,
+									 adjust_appendrel_attrs_mutator,
+									 (void *) context, 0);
+		context->sublevels_up--;
+		return (Node *) newnode;
+	}
 
 	return expression_tree_mutator(node, adjust_appendrel_attrs_mutator,
 								   (void *) context);
diff --git a/src/backend/rewrite/rewriteHandler.c b/src/backend/rewrite/rewriteHandler.c
index 0b13645..370b5aa 100644
--- a/src/backend/rewrite/rewriteHandler.c
+++ b/src/backend/rewrite/rewriteHandler.c
@@ -1973,8 +1973,7 @@ view_col_is_auto_updatable(RangeTblRef *rtr, TargetEntry *tle)
  * updatable.
  */
 const char *
-view_query_is_auto_updatable(Query *viewquery, bool security_barrier,
-							 bool check_cols)
+view_query_is_auto_updatable(Query *viewquery, bool check_cols)
 {
 	RangeTblRef *rtr;
 	RangeTblEntry *base_rte;
@@ -2048,14 +2047,6 @@ view_query_is_auto_updatable(Query *viewquery, bool security_barrier,
 		return gettext_noop("Views that return set-returning functions are not automatically updatable.");
 
 	/*
-	 * For now, we also don't support security-barrier views, because of the
-	 * difficulty of keeping upper-level qual expressions away from
-	 * lower-level data.  This might get relaxed in the future.
-	 */
-	if (security_barrier)
-		return gettext_noop("Security-barrier views are not automatically updatable.");
-
-	/*
 	 * The view query should select from a single base relation, which must be
 	 * a table or another view.
 	 */
@@ -2303,9 +2294,7 @@ relation_is_updatable(Oid reloid,
 	{
 		Query	   *viewquery = get_view_query(rel);
 
-		if (view_query_is_auto_updatable(viewquery,
-										 RelationIsSecurityView(rel),
-										 false) == NULL)
+		if (view_query_is_auto_updatable(viewquery, false) == NULL)
 		{
 			Bitmapset  *updatable_cols;
 			int			auto_events;
@@ -2460,7 +2449,6 @@ rewriteTargetView(Query *parsetree, Relation view)
 
 	auto_update_detail =
 		view_query_is_auto_updatable(viewquery,
-									 RelationIsSecurityView(view),
 									 parsetree->commandType != CMD_DELETE);
 
 	if (auto_update_detail)
@@ -2664,6 +2652,14 @@ rewriteTargetView(Query *parsetree, Relation view)
 												   view_targetlist);
 
 	/*
+	 * Move any security barrier quals from the view RTE onto the new target
+	 * RTE.  Any such quals should now apply to the new target RTE and will not
+	 * reference the original view RTE in the rewritten query.
+	 */
+	new_rte->securityQuals = view_rte->securityQuals;
+	view_rte->securityQuals = NIL;
+
+	/*
 	 * For UPDATE/DELETE, rewriteTargetListUD will have added a wholerow junk
 	 * TLE for the view to the end of the targetlist, which we no longer need.
 	 * Remove it to avoid unnecessary work when we process the targetlist.
@@ -2743,6 +2739,10 @@ rewriteTargetView(Query *parsetree, Relation view)
 	 * only adjust their varnos to reference the new target (just the same as
 	 * we did with the view targetlist).
 	 *
+	 * Note that there is special-case handling for the quals of a security
+	 * barrier view, since they need to be kept separate from any user-supplied
+	 * quals, so these quals are kept on the new target RTE.
+	 *
 	 * For INSERT, the view's quals can be ignored in the main query.
 	 */
 	if (parsetree->commandType != CMD_INSERT &&
@@ -2751,7 +2751,25 @@ rewriteTargetView(Query *parsetree, Relation view)
 		Node	   *viewqual = (Node *) copyObject(viewquery->jointree->quals);
 
 		ChangeVarNodes(viewqual, base_rt_index, new_rt_index, 0);
-		AddQual(parsetree, (Node *) viewqual);
+
+		if (RelationIsSecurityView(view))
+		{
+			/*
+			 * Note: the parsetree has been mutated, so the new_rte pointer is
+			 * stale and needs to be re-computed.
+			 */
+			new_rte = rt_fetch(new_rt_index, parsetree->rtable);
+			new_rte->securityQuals = lcons(viewqual, new_rte->securityQuals);
+
+			/*
+			 * Make sure that the query is marked correctly if the added qual
+			 * has sublinks.
+			 */
+			if (!parsetree->hasSubLinks)
+				parsetree->hasSubLinks = checkExprHasSubLink(viewqual);
+		}
+		else
+			AddQual(parsetree, (Node *) viewqual);
 	}
 
 	/*
@@ -2813,9 +2831,8 @@ rewriteTargetView(Query *parsetree, Relation view)
 				 * Make sure that the query is marked correctly if the added
 				 * qual has sublinks.  We can skip this check if the query is
 				 * already marked, or if the command is an UPDATE, in which
-				 * case the same qual will have already been added to the
-				 * query's WHERE clause, and AddQual will have already done
-				 * this check.
+				 * case the same qual will have already been added, and this
+				 * check will already have been done.
 				 */
 				if (!parsetree->hasSubLinks &&
 					parsetree->commandType != CMD_UPDATE)
diff --git a/src/include/nodes/parsenodes.h b/src/include/nodes/parsenodes.h
index 846c31a..a197a86 100644
--- a/src/include/nodes/parsenodes.h
+++ b/src/include/nodes/parsenodes.h
@@ -801,6 +801,7 @@ typedef struct RangeTblEntry
 	Oid			checkAsUser;	/* if valid, check access as this role */
 	Bitmapset  *selectedCols;	/* columns needing SELECT permission */
 	Bitmapset  *modifiedCols;	/* columns needing INSERT/UPDATE permission */
+	List	   *securityQuals;	/* any security barrier quals to apply */
 } RangeTblEntry;
 
 /*
diff --git a/src/include/optimizer/prep.h b/src/include/optimizer/prep.h
index 0f5a7d3..f5fc7e8 100644
--- a/src/include/optimizer/prep.h
+++ b/src/include/optimizer/prep.h
@@ -36,6 +36,11 @@ extern Node *negate_clause(Node *node);
 extern Expr *canonicalize_qual(Expr *qual);
 
 /*
+ * prototypes for prepsecurity.c
+ */
+extern void expand_security_quals(PlannerInfo *root, List *tlist);
+
+/*
  * prototypes for preptlist.c
  */
 extern List *preprocess_targetlist(PlannerInfo *root, List *tlist);
diff --git a/src/include/rewrite/rewriteHandler.h b/src/include/rewrite/rewriteHandler.h
index e4027bd..8da0af5 100644
--- a/src/include/rewrite/rewriteHandler.h
+++ b/src/include/rewrite/rewriteHandler.h
@@ -23,7 +23,6 @@ extern void AcquireRewriteLocks(Query *parsetree, bool forUpdatePushedDown);
 extern Node *build_column_default(Relation rel, int attrno);
 extern Query *get_view_query(Relation view);
 extern const char *view_query_is_auto_updatable(Query *viewquery,
-										 bool security_barrier,
 										 bool check_cols);
 extern int	relation_is_updatable(Oid reloid,
 						  bool include_triggers,
diff --git a/src/test/regress/expected/create_view.out b/src/test/regress/expected/create_view.out
index 91d1639..f6db582 100644
--- a/src/test/regress/expected/create_view.out
+++ b/src/test/regress/expected/create_view.out
@@ -252,7 +252,7 @@ CREATE VIEW mysecview4 WITH (security_barrier)
        AS SELECT * FROM tbl1 WHERE a <> 0;
 CREATE VIEW mysecview5 WITH (security_barrier=100)	-- Error
        AS SELECT * FROM tbl1 WHERE a > 100;
-ERROR:  security_barrier requires a Boolean value
+ERROR:  invalid value for boolean option "security_barrier": 100
 CREATE VIEW mysecview6 WITH (invalid_option)		-- Error
        AS SELECT * FROM tbl1 WHERE a < 100;
 ERROR:  unrecognized parameter "invalid_option"
diff --git a/src/test/regress/expected/updatable_views.out b/src/test/regress/expected/updatable_views.out
index 99c9165..9a34819 100644
--- a/src/test/regress/expected/updatable_views.out
+++ b/src/test/regress/expected/updatable_views.out
@@ -22,12 +22,10 @@ CREATE VIEW rw_view14 AS SELECT ctid, a, b FROM base_tbl; -- System columns may
 CREATE VIEW rw_view15 AS SELECT a, upper(b) FROM base_tbl; -- Expression/function may be part of an updatable view
 CREATE VIEW rw_view16 AS SELECT a, b, a AS aa FROM base_tbl; -- Repeated column may be part of an updatable view
 CREATE VIEW ro_view17 AS SELECT * FROM ro_view1; -- Base relation not updatable
-CREATE VIEW ro_view18 WITH (security_barrier = true)
-  AS SELECT * FROM base_tbl; -- Security barrier views not updatable
-CREATE VIEW ro_view19 AS SELECT * FROM (VALUES(1)) AS tmp(a); -- VALUES in rangetable
+CREATE VIEW ro_view18 AS SELECT * FROM (VALUES(1)) AS tmp(a); -- VALUES in rangetable
 CREATE SEQUENCE seq;
-CREATE VIEW ro_view20 AS SELECT * FROM seq; -- View based on a sequence
-CREATE VIEW ro_view21 AS SELECT a, b, generate_series(1, a) g FROM base_tbl; -- SRF in targetlist not supported
+CREATE VIEW ro_view19 AS SELECT * FROM seq; -- View based on a sequence
+CREATE VIEW ro_view20 AS SELECT a, b, generate_series(1, a) g FROM base_tbl; -- SRF in targetlist not supported
 SELECT table_name, is_insertable_into
   FROM information_schema.tables
  WHERE table_name LIKE E'r_\\_view%'
@@ -44,7 +42,6 @@ SELECT table_name, is_insertable_into
  ro_view19  | NO
  ro_view2   | NO
  ro_view20  | NO
- ro_view21  | NO
  ro_view3   | NO
  ro_view4   | NO
  ro_view5   | NO
@@ -55,7 +52,7 @@ SELECT table_name, is_insertable_into
  rw_view14  | YES
  rw_view15  | YES
  rw_view16  | YES
-(21 rows)
+(20 rows)
 
 SELECT table_name, is_updatable, is_insertable_into
   FROM information_schema.views
@@ -73,7 +70,6 @@ SELECT table_name, is_updatable, is_insertable_into
  ro_view19  | NO           | NO
  ro_view2   | NO           | NO
  ro_view20  | NO           | NO
- ro_view21  | NO           | NO
  ro_view3   | NO           | NO
  ro_view4   | NO           | NO
  ro_view5   | NO           | NO
@@ -84,7 +80,7 @@ SELECT table_name, is_updatable, is_insertable_into
  rw_view14  | YES          | YES
  rw_view15  | YES          | YES
  rw_view16  | YES          | YES
-(21 rows)
+(20 rows)
 
 SELECT table_name, column_name, is_updatable
   FROM information_schema.columns
@@ -103,23 +99,21 @@ SELECT table_name, column_name, is_updatable
  ro_view17  | a             | NO
  ro_view17  | b             | NO
  ro_view18  | a             | NO
- ro_view18  | b             | NO
- ro_view19  | a             | NO
+ ro_view19  | sequence_name | NO
+ ro_view19  | last_value    | NO
+ ro_view19  | start_value   | NO
+ ro_view19  | increment_by  | NO
+ ro_view19  | max_value     | NO
+ ro_view19  | min_value     | NO
+ ro_view19  | cache_value   | NO
+ ro_view19  | log_cnt       | NO
+ ro_view19  | is_cycled     | NO
+ ro_view19  | is_called     | NO
  ro_view2   | a             | NO
  ro_view2   | b             | NO
- ro_view20  | sequence_name | NO
- ro_view20  | last_value    | NO
- ro_view20  | start_value   | NO
- ro_view20  | increment_by  | NO
- ro_view20  | max_value     | NO
- ro_view20  | min_value     | NO
- ro_view20  | cache_value   | NO
- ro_view20  | log_cnt       | NO
- ro_view20  | is_cycled     | NO
- ro_view20  | is_called     | NO
- ro_view21  | a             | NO
- ro_view21  | b             | NO
- ro_view21  | g             | NO
+ ro_view20  | a             | NO
+ ro_view20  | b             | NO
+ ro_view20  | g             | NO
  ro_view3   | ?column?      | NO
  ro_view4   | count         | NO
  ro_view5   | a             | NO
@@ -140,7 +134,7 @@ SELECT table_name, column_name, is_updatable
  rw_view16  | a             | YES
  rw_view16  | b             | YES
  rw_view16  | aa            | YES
-(48 rows)
+(46 rows)
 
 -- Read-only views
 DELETE FROM ro_view1;
@@ -268,24 +262,20 @@ INSERT INTO ro_view17 VALUES (3, 'ROW 3');
 ERROR:  cannot insert into view "ro_view1"
 DETAIL:  Views containing DISTINCT are not automatically updatable.
 HINT:  To enable inserting into the view, provide an INSTEAD OF INSERT trigger or an unconditional ON INSERT DO INSTEAD rule.
-INSERT INTO ro_view18 VALUES (3, 'ROW 3');
-ERROR:  cannot insert into view "ro_view18"
-DETAIL:  Security-barrier views are not automatically updatable.
-HINT:  To enable inserting into the view, provide an INSTEAD OF INSERT trigger or an unconditional ON INSERT DO INSTEAD rule.
-DELETE FROM ro_view19;
-ERROR:  cannot delete from view "ro_view19"
+DELETE FROM ro_view18;
+ERROR:  cannot delete from view "ro_view18"
 DETAIL:  Views that do not select from a single table or view are not automatically updatable.
 HINT:  To enable deleting from the view, provide an INSTEAD OF DELETE trigger or an unconditional ON DELETE DO INSTEAD rule.
-UPDATE ro_view20 SET max_value=1000;
-ERROR:  cannot update view "ro_view20"
+UPDATE ro_view19 SET max_value=1000;
+ERROR:  cannot update view "ro_view19"
 DETAIL:  Views that do not select from a single table or view are not automatically updatable.
 HINT:  To enable updating the view, provide an INSTEAD OF UPDATE trigger or an unconditional ON UPDATE DO INSTEAD rule.
-UPDATE ro_view21 SET b=upper(b);
-ERROR:  cannot update view "ro_view21"
+UPDATE ro_view20 SET b=upper(b);
+ERROR:  cannot update view "ro_view20"
 DETAIL:  Views that return set-returning functions are not automatically updatable.
 HINT:  To enable updating the view, provide an INSTEAD OF UPDATE trigger or an unconditional ON UPDATE DO INSTEAD rule.
 DROP TABLE base_tbl CASCADE;
-NOTICE:  drop cascades to 17 other objects
+NOTICE:  drop cascades to 16 other objects
 DETAIL:  drop cascades to view ro_view1
 drop cascades to view ro_view17
 drop cascades to view ro_view2
@@ -299,13 +289,12 @@ drop cascades to view ro_view11
 drop cascades to view ro_view13
 drop cascades to view rw_view15
 drop cascades to view rw_view16
-drop cascades to view ro_view18
-drop cascades to view ro_view21
+drop cascades to view ro_view20
 drop cascades to view ro_view4
 drop cascades to view rw_view14
-DROP VIEW ro_view10, ro_view12, ro_view19;
+DROP VIEW ro_view10, ro_view12, ro_view18;
 DROP SEQUENCE seq CASCADE;
-NOTICE:  drop cascades to view ro_view20
+NOTICE:  drop cascades to view ro_view19
 -- simple updatable view
 CREATE TABLE base_tbl (a int PRIMARY KEY, b text DEFAULT 'Unspecified');
 INSERT INTO base_tbl SELECT i, 'Row ' || i FROM generate_series(-2, 2) g(i);
@@ -1740,3 +1729,259 @@ DROP TABLE base_tbl CASCADE;
 NOTICE:  drop cascades to 2 other objects
 DETAIL:  drop cascades to view rw_view1
 drop cascades to view rw_view2
+-- security barrier view
+CREATE TABLE base_tbl (person text, visibility text);
+INSERT INTO base_tbl VALUES ('Tom', 'public'),
+                            ('Dick', 'private'),
+                            ('Harry', 'public');
+CREATE VIEW rw_view1 AS
+  SELECT person FROM base_tbl WHERE visibility = 'public';
+CREATE FUNCTION snoop(val text)
+RETURNS boolean AS
+$$
+BEGIN
+  RAISE NOTICE 'snooped value: %', val;
+  RETURN true;
+END;
+$$
+LANGUAGE plpgsql COST 0.000001;
+SELECT * FROM rw_view1 WHERE snoop(person);
+NOTICE:  snooped value: Tom
+NOTICE:  snooped value: Dick
+NOTICE:  snooped value: Harry
+ person 
+--------
+ Tom
+ Harry
+(2 rows)
+
+UPDATE rw_view1 SET person=person WHERE snoop(person);
+NOTICE:  snooped value: Tom
+NOTICE:  snooped value: Dick
+NOTICE:  snooped value: Harry
+DELETE FROM rw_view1 WHERE NOT snoop(person);
+NOTICE:  snooped value: Dick
+NOTICE:  snooped value: Tom
+NOTICE:  snooped value: Harry
+ALTER VIEW rw_view1 SET (security_barrier = true);
+SELECT table_name, is_insertable_into
+  FROM information_schema.tables
+ WHERE table_name = 'rw_view1';
+ table_name | is_insertable_into 
+------------+--------------------
+ rw_view1   | YES
+(1 row)
+
+SELECT table_name, is_updatable, is_insertable_into
+  FROM information_schema.views
+ WHERE table_name = 'rw_view1';
+ table_name | is_updatable | is_insertable_into 
+------------+--------------+--------------------
+ rw_view1   | YES          | YES
+(1 row)
+
+SELECT table_name, column_name, is_updatable
+  FROM information_schema.columns
+ WHERE table_name = 'rw_view1'
+ ORDER BY ordinal_position;
+ table_name | column_name | is_updatable 
+------------+-------------+--------------
+ rw_view1   | person      | YES
+(1 row)
+
+SELECT * FROM rw_view1 WHERE snoop(person);
+NOTICE:  snooped value: Tom
+NOTICE:  snooped value: Harry
+ person 
+--------
+ Tom
+ Harry
+(2 rows)
+
+UPDATE rw_view1 SET person=person WHERE snoop(person);
+NOTICE:  snooped value: Tom
+NOTICE:  snooped value: Harry
+DELETE FROM rw_view1 WHERE NOT snoop(person);
+NOTICE:  snooped value: Tom
+NOTICE:  snooped value: Harry
+EXPLAIN (costs off) SELECT * FROM rw_view1 WHERE snoop(person);
+                  QUERY PLAN                   
+-----------------------------------------------
+ Subquery Scan on rw_view1
+   Filter: snoop(rw_view1.person)
+   ->  Seq Scan on base_tbl
+         Filter: (visibility = 'public'::text)
+(4 rows)
+
+EXPLAIN (costs off) UPDATE rw_view1 SET person=person WHERE snoop(person);
+                     QUERY PLAN                      
+-----------------------------------------------------
+ Update on base_tbl base_tbl_1
+   ->  Subquery Scan on base_tbl
+         Filter: snoop(base_tbl.person)
+         ->  Seq Scan on base_tbl base_tbl_2
+               Filter: (visibility = 'public'::text)
+(5 rows)
+
+EXPLAIN (costs off) DELETE FROM rw_view1 WHERE NOT snoop(person);
+                     QUERY PLAN                      
+-----------------------------------------------------
+ Delete on base_tbl base_tbl_1
+   ->  Subquery Scan on base_tbl
+         Filter: (NOT snoop(base_tbl.person))
+         ->  Seq Scan on base_tbl base_tbl_2
+               Filter: (visibility = 'public'::text)
+(5 rows)
+
+-- security barrier view on top of security barrier view
+CREATE VIEW rw_view2 WITH (security_barrier = true) AS
+  SELECT * FROM rw_view1 WHERE snoop(person);
+SELECT table_name, is_insertable_into
+  FROM information_schema.tables
+ WHERE table_name = 'rw_view2';
+ table_name | is_insertable_into 
+------------+--------------------
+ rw_view2   | YES
+(1 row)
+
+SELECT table_name, is_updatable, is_insertable_into
+  FROM information_schema.views
+ WHERE table_name = 'rw_view2';
+ table_name | is_updatable | is_insertable_into 
+------------+--------------+--------------------
+ rw_view2   | YES          | YES
+(1 row)
+
+SELECT table_name, column_name, is_updatable
+  FROM information_schema.columns
+ WHERE table_name = 'rw_view2'
+ ORDER BY ordinal_position;
+ table_name | column_name | is_updatable 
+------------+-------------+--------------
+ rw_view2   | person      | YES
+(1 row)
+
+SELECT * FROM rw_view2 WHERE snoop(person);
+NOTICE:  snooped value: Tom
+NOTICE:  snooped value: Tom
+NOTICE:  snooped value: Harry
+NOTICE:  snooped value: Harry
+ person 
+--------
+ Tom
+ Harry
+(2 rows)
+
+UPDATE rw_view2 SET person=person WHERE snoop(person);
+NOTICE:  snooped value: Tom
+NOTICE:  snooped value: Tom
+NOTICE:  snooped value: Harry
+NOTICE:  snooped value: Harry
+DELETE FROM rw_view2 WHERE NOT snoop(person);
+NOTICE:  snooped value: Tom
+NOTICE:  snooped value: Tom
+NOTICE:  snooped value: Harry
+NOTICE:  snooped value: Harry
+EXPLAIN (costs off) SELECT * FROM rw_view2 WHERE snoop(person);
+                     QUERY PLAN                      
+-----------------------------------------------------
+ Subquery Scan on rw_view2
+   Filter: snoop(rw_view2.person)
+   ->  Subquery Scan on rw_view1
+         Filter: snoop(rw_view1.person)
+         ->  Seq Scan on base_tbl
+               Filter: (visibility = 'public'::text)
+(6 rows)
+
+EXPLAIN (costs off) UPDATE rw_view2 SET person=person WHERE snoop(person);
+                        QUERY PLAN                         
+-----------------------------------------------------------
+ Update on base_tbl base_tbl_1
+   ->  Subquery Scan on base_tbl
+         Filter: snoop(base_tbl.person)
+         ->  Subquery Scan on base_tbl_2
+               Filter: snoop(base_tbl_2.person)
+               ->  Seq Scan on base_tbl base_tbl_3
+                     Filter: (visibility = 'public'::text)
+(7 rows)
+
+EXPLAIN (costs off) DELETE FROM rw_view2 WHERE NOT snoop(person);
+                        QUERY PLAN                         
+-----------------------------------------------------------
+ Delete on base_tbl base_tbl_1
+   ->  Subquery Scan on base_tbl
+         Filter: (NOT snoop(base_tbl.person))
+         ->  Subquery Scan on base_tbl_2
+               Filter: snoop(base_tbl_2.person)
+               ->  Seq Scan on base_tbl base_tbl_3
+                     Filter: (visibility = 'public'::text)
+(7 rows)
+
+DROP TABLE base_tbl CASCADE;
+NOTICE:  drop cascades to 2 other objects
+DETAIL:  drop cascades to view rw_view1
+drop cascades to view rw_view2
+-- security barrier view on top of table with rules
+CREATE TABLE base_tbl(id int PRIMARY KEY, data text, deleted boolean);
+INSERT INTO base_tbl VALUES (1, 'Row 1', false), (2, 'Row 2', true);
+CREATE RULE base_tbl_ins_rule AS ON INSERT TO base_tbl
+  WHERE EXISTS (SELECT 1 FROM base_tbl t WHERE t.id = new.id)
+  DO INSTEAD
+    UPDATE base_tbl SET data = new.data, deleted = false WHERE id = new.id;
+CREATE RULE base_tbl_del_rule AS ON DELETE TO base_tbl
+  DO INSTEAD
+    UPDATE base_tbl SET deleted = true WHERE id = old.id;
+CREATE VIEW rw_view1 WITH (security_barrier=true) AS
+  SELECT id, data FROM base_tbl WHERE NOT deleted;
+SELECT * FROM rw_view1;
+ id | data  
+----+-------
+  1 | Row 1
+(1 row)
+
+EXPLAIN (costs off) DELETE FROM rw_view1 WHERE id = 1 AND snoop(data);
+                               QUERY PLAN                                
+-------------------------------------------------------------------------
+ Update on base_tbl base_tbl_2
+   ->  Nested Loop
+         ->  Index Scan using base_tbl_pkey on base_tbl base_tbl_1
+               Index Cond: (id = 1)
+         ->  Subquery Scan on base_tbl
+               Filter: snoop(base_tbl.data)
+               ->  Index Scan using base_tbl_pkey on base_tbl base_tbl_3
+                     Index Cond: (id = 1)
+                     Filter: (NOT deleted)
+(9 rows)
+
+DELETE FROM rw_view1 WHERE id = 1 AND snoop(data);
+NOTICE:  snooped value: Row 1
+EXPLAIN (costs off) INSERT INTO rw_view1 VALUES (2, 'New row 2');
+                        QUERY PLAN                         
+-----------------------------------------------------------
+ Insert on base_tbl
+   InitPlan 1 (returns $0)
+     ->  Index Only Scan using base_tbl_pkey on base_tbl t
+           Index Cond: (id = 2)
+   ->  Result
+         One-Time Filter: ($0 IS NOT TRUE)
+ 
+ Update on base_tbl
+   InitPlan 1 (returns $0)
+     ->  Index Only Scan using base_tbl_pkey on base_tbl t
+           Index Cond: (id = 2)
+   ->  Result
+         One-Time Filter: $0
+         ->  Index Scan using base_tbl_pkey on base_tbl
+               Index Cond: (id = 2)
+(15 rows)
+
+INSERT INTO rw_view1 VALUES (2, 'New row 2');
+SELECT * FROM base_tbl;
+ id |   data    | deleted 
+----+-----------+---------
+  1 | Row 1     | t
+  2 | New row 2 | f
+(2 rows)
+
+DROP TABLE base_tbl CASCADE;
+NOTICE:  drop cascades to view rw_view1
diff --git a/src/test/regress/sql/updatable_views.sql b/src/test/regress/sql/updatable_views.sql
index a77cf19..08f7504 100644
--- a/src/test/regress/sql/updatable_views.sql
+++ b/src/test/regress/sql/updatable_views.sql
@@ -25,12 +25,10 @@ CREATE VIEW rw_view14 AS SELECT ctid, a, b FROM base_tbl; -- System columns may
 CREATE VIEW rw_view15 AS SELECT a, upper(b) FROM base_tbl; -- Expression/function may be part of an updatable view
 CREATE VIEW rw_view16 AS SELECT a, b, a AS aa FROM base_tbl; -- Repeated column may be part of an updatable view
 CREATE VIEW ro_view17 AS SELECT * FROM ro_view1; -- Base relation not updatable
-CREATE VIEW ro_view18 WITH (security_barrier = true)
-  AS SELECT * FROM base_tbl; -- Security barrier views not updatable
-CREATE VIEW ro_view19 AS SELECT * FROM (VALUES(1)) AS tmp(a); -- VALUES in rangetable
+CREATE VIEW ro_view18 AS SELECT * FROM (VALUES(1)) AS tmp(a); -- VALUES in rangetable
 CREATE SEQUENCE seq;
-CREATE VIEW ro_view20 AS SELECT * FROM seq; -- View based on a sequence
-CREATE VIEW ro_view21 AS SELECT a, b, generate_series(1, a) g FROM base_tbl; -- SRF in targetlist not supported
+CREATE VIEW ro_view19 AS SELECT * FROM seq; -- View based on a sequence
+CREATE VIEW ro_view20 AS SELECT a, b, generate_series(1, a) g FROM base_tbl; -- SRF in targetlist not supported
 
 SELECT table_name, is_insertable_into
   FROM information_schema.tables
@@ -87,13 +85,12 @@ SELECT * FROM base_tbl;
 DELETE FROM rw_view16 WHERE a=-3; -- should be OK
 -- Read-only views
 INSERT INTO ro_view17 VALUES (3, 'ROW 3');
-INSERT INTO ro_view18 VALUES (3, 'ROW 3');
-DELETE FROM ro_view19;
-UPDATE ro_view20 SET max_value=1000;
-UPDATE ro_view21 SET b=upper(b);
+DELETE FROM ro_view18;
+UPDATE ro_view19 SET max_value=1000;
+UPDATE ro_view20 SET b=upper(b);
 
 DROP TABLE base_tbl CASCADE;
-DROP VIEW ro_view10, ro_view12, ro_view19;
+DROP VIEW ro_view10, ro_view12, ro_view18;
 DROP SEQUENCE seq CASCADE;
 
 -- simple updatable view
@@ -828,3 +825,107 @@ CREATE VIEW rw_view2 AS
   SELECT * FROM rw_view1 WHERE a > b WITH LOCAL CHECK OPTION;
 INSERT INTO rw_view2 VALUES (2,3); -- ok, but not in view (doesn't fail rw_view2's check)
 DROP TABLE base_tbl CASCADE;
+
+-- security barrier view
+
+CREATE TABLE base_tbl (person text, visibility text);
+INSERT INTO base_tbl VALUES ('Tom', 'public'),
+                            ('Dick', 'private'),
+                            ('Harry', 'public');
+
+CREATE VIEW rw_view1 AS
+  SELECT person FROM base_tbl WHERE visibility = 'public';
+
+CREATE FUNCTION snoop(val text)
+RETURNS boolean AS
+$$
+BEGIN
+  RAISE NOTICE 'snooped value: %', val;
+  RETURN true;
+END;
+$$
+LANGUAGE plpgsql COST 0.000001;
+
+SELECT * FROM rw_view1 WHERE snoop(person);
+UPDATE rw_view1 SET person=person WHERE snoop(person);
+DELETE FROM rw_view1 WHERE NOT snoop(person);
+
+ALTER VIEW rw_view1 SET (security_barrier = true);
+
+SELECT table_name, is_insertable_into
+  FROM information_schema.tables
+ WHERE table_name = 'rw_view1';
+
+SELECT table_name, is_updatable, is_insertable_into
+  FROM information_schema.views
+ WHERE table_name = 'rw_view1';
+
+SELECT table_name, column_name, is_updatable
+  FROM information_schema.columns
+ WHERE table_name = 'rw_view1'
+ ORDER BY ordinal_position;
+
+SELECT * FROM rw_view1 WHERE snoop(person);
+UPDATE rw_view1 SET person=person WHERE snoop(person);
+DELETE FROM rw_view1 WHERE NOT snoop(person);
+
+EXPLAIN (costs off) SELECT * FROM rw_view1 WHERE snoop(person);
+EXPLAIN (costs off) UPDATE rw_view1 SET person=person WHERE snoop(person);
+EXPLAIN (costs off) DELETE FROM rw_view1 WHERE NOT snoop(person);
+
+-- security barrier view on top of security barrier view
+
+CREATE VIEW rw_view2 WITH (security_barrier = true) AS
+  SELECT * FROM rw_view1 WHERE snoop(person);
+
+SELECT table_name, is_insertable_into
+  FROM information_schema.tables
+ WHERE table_name = 'rw_view2';
+
+SELECT table_name, is_updatable, is_insertable_into
+  FROM information_schema.views
+ WHERE table_name = 'rw_view2';
+
+SELECT table_name, column_name, is_updatable
+  FROM information_schema.columns
+ WHERE table_name = 'rw_view2'
+ ORDER BY ordinal_position;
+
+SELECT * FROM rw_view2 WHERE snoop(person);
+UPDATE rw_view2 SET person=person WHERE snoop(person);
+DELETE FROM rw_view2 WHERE NOT snoop(person);
+
+EXPLAIN (costs off) SELECT * FROM rw_view2 WHERE snoop(person);
+EXPLAIN (costs off) UPDATE rw_view2 SET person=person WHERE snoop(person);
+EXPLAIN (costs off) DELETE FROM rw_view2 WHERE NOT snoop(person);
+
+DROP TABLE base_tbl CASCADE;
+
+-- security barrier view on top of table with rules
+
+CREATE TABLE base_tbl(id int PRIMARY KEY, data text, deleted boolean);
+INSERT INTO base_tbl VALUES (1, 'Row 1', false), (2, 'Row 2', true);
+
+CREATE RULE base_tbl_ins_rule AS ON INSERT TO base_tbl
+  WHERE EXISTS (SELECT 1 FROM base_tbl t WHERE t.id = new.id)
+  DO INSTEAD
+    UPDATE base_tbl SET data = new.data, deleted = false WHERE id = new.id;
+
+CREATE RULE base_tbl_del_rule AS ON DELETE TO base_tbl
+  DO INSTEAD
+    UPDATE base_tbl SET deleted = true WHERE id = old.id;
+
+CREATE VIEW rw_view1 WITH (security_barrier=true) AS
+  SELECT id, data FROM base_tbl WHERE NOT deleted;
+
+SELECT * FROM rw_view1;
+
+EXPLAIN (costs off) DELETE FROM rw_view1 WHERE id = 1 AND snoop(data);
+DELETE FROM rw_view1 WHERE id = 1 AND snoop(data);
+
+EXPLAIN (costs off) INSERT INTO rw_view1 VALUES (2, 'New row 2');
+INSERT INTO rw_view1 VALUES (2, 'New row 2');
+
+SELECT * FROM base_tbl;
+
+DROP TABLE base_tbl CASCADE;
-- 
1.8.3.1

diff --git a/doc/src/sgml/ref/create_view.sgml b/doc/src/sgml/ref/create_view.sgml
new file mode 100644
index e0fbe1e..888410f
*** a/doc/src/sgml/ref/create_view.sgml
--- b/doc/src/sgml/ref/create_view.sgml
*************** CREATE VIEW vista AS SELECT text 'Hello
*** 323,334 ****
         or set-returning functions.
        </para>
       </listitem>
- 
-      <listitem>
-       <para>
-        The view must not have the <literal>security_barrier</> property.
-       </para>
-      </listitem>
      </itemizedlist>
     </para>
  
--- 323,328 ----
diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c
new file mode 100644
index 08b037e..b48c8d3
*** a/src/backend/commands/tablecmds.c
--- b/src/backend/commands/tablecmds.c
*************** ATExecSetRelOptions(Relation rel, List *
*** 8829,8835 ****
  		List	   *view_options = untransformRelOptions(newOptions);
  		ListCell   *cell;
  		bool		check_option = false;
- 		bool		security_barrier = false;
  
  		foreach(cell, view_options)
  		{
--- 8829,8834 ----
*************** ATExecSetRelOptions(Relation rel, List *
*** 8837,8844 ****
  
  			if (pg_strcasecmp(defel->defname, "check_option") == 0)
  				check_option = true;
- 			if (pg_strcasecmp(defel->defname, "security_barrier") == 0)
- 				security_barrier = defGetBoolean(defel);
  		}
  
  		/*
--- 8836,8841 ----
*************** ATExecSetRelOptions(Relation rel, List *
*** 8848,8855 ****
  		if (check_option)
  		{
  			const char *view_updatable_error =
! 				view_query_is_auto_updatable(view_query,
! 											 security_barrier, true);
  
  			if (view_updatable_error)
  				ereport(ERROR,
--- 8845,8851 ----
  		if (check_option)
  		{
  			const char *view_updatable_error =
! 				view_query_is_auto_updatable(view_query, true);
  
  			if (view_updatable_error)
  				ereport(ERROR,
diff --git a/src/backend/commands/view.c b/src/backend/commands/view.c
new file mode 100644
index 1735762..bc08566
*** a/src/backend/commands/view.c
--- b/src/backend/commands/view.c
*************** DefineView(ViewStmt *stmt, const char *q
*** 396,402 ****
  	RangeVar   *view;
  	ListCell   *cell;
  	bool		check_option;
- 	bool		security_barrier;
  
  	/*
  	 * Run parse analysis to convert the raw parse tree to a Query.  Note this
--- 396,401 ----
*************** DefineView(ViewStmt *stmt, const char *q
*** 451,457 ****
  	 * specified.
  	 */
  	check_option = false;
- 	security_barrier = false;
  
  	foreach(cell, stmt->options)
  	{
--- 450,455 ----
*************** DefineView(ViewStmt *stmt, const char *q
*** 459,466 ****
  
  		if (pg_strcasecmp(defel->defname, "check_option") == 0)
  			check_option = true;
- 		if (pg_strcasecmp(defel->defname, "security_barrier") == 0)
- 			security_barrier = defGetBoolean(defel);
  	}
  
  	/*
--- 457,462 ----
*************** DefineView(ViewStmt *stmt, const char *q
*** 470,476 ****
  	if (check_option)
  	{
  		const char *view_updatable_error =
! 			view_query_is_auto_updatable(viewParse, security_barrier, true);
  
  		if (view_updatable_error)
  			ereport(ERROR,
--- 466,472 ----
  	if (check_option)
  	{
  		const char *view_updatable_error =
! 			view_query_is_auto_updatable(viewParse, true);
  
  		if (view_updatable_error)
  			ereport(ERROR,
diff --git a/src/backend/nodes/copyfuncs.c b/src/backend/nodes/copyfuncs.c
new file mode 100644
index f90cb67..dae6c66
*** a/src/backend/nodes/copyfuncs.c
--- b/src/backend/nodes/copyfuncs.c
*************** _copyRangeTblEntry(const RangeTblEntry *
*** 1998,2003 ****
--- 1998,2004 ----
  	COPY_SCALAR_FIELD(checkAsUser);
  	COPY_BITMAPSET_FIELD(selectedCols);
  	COPY_BITMAPSET_FIELD(modifiedCols);
+ 	COPY_NODE_FIELD(securityQuals);
  
  	return newnode;
  }
diff --git a/src/backend/nodes/equalfuncs.c b/src/backend/nodes/equalfuncs.c
new file mode 100644
index 9438e78..f8f5562
*** a/src/backend/nodes/equalfuncs.c
--- b/src/backend/nodes/equalfuncs.c
*************** _equalRangeTblEntry(const RangeTblEntry
*** 2293,2298 ****
--- 2293,2299 ----
  	COMPARE_SCALAR_FIELD(checkAsUser);
  	COMPARE_BITMAPSET_FIELD(selectedCols);
  	COMPARE_BITMAPSET_FIELD(modifiedCols);
+ 	COMPARE_NODE_FIELD(securityQuals);
  
  	return true;
  }
diff --git a/src/backend/nodes/nodeFuncs.c b/src/backend/nodes/nodeFuncs.c
new file mode 100644
index 123f2a6..1e48a7f
*** a/src/backend/nodes/nodeFuncs.c
--- b/src/backend/nodes/nodeFuncs.c
*************** range_table_walker(List *rtable,
*** 2020,2025 ****
--- 2020,2028 ----
  					return true;
  				break;
  		}
+ 
+ 		if (walker(rte->securityQuals, context))
+ 			return true;
  	}
  	return false;
  }
*************** range_table_mutator(List *rtable,
*** 2755,2760 ****
--- 2758,2764 ----
  				MUTATE(newrte->values_lists, rte->values_lists, List *);
  				break;
  		}
+ 		MUTATE(newrte->securityQuals, rte->securityQuals, List *);
  		newrt = lappend(newrt, newrte);
  	}
  	return newrt;
diff --git a/src/backend/nodes/outfuncs.c b/src/backend/nodes/outfuncs.c
new file mode 100644
index 568c3b8..a0e3286
*** a/src/backend/nodes/outfuncs.c
--- b/src/backend/nodes/outfuncs.c
*************** _outRangeTblEntry(StringInfo str, const
*** 2409,2414 ****
--- 2409,2415 ----
  	WRITE_OID_FIELD(checkAsUser);
  	WRITE_BITMAPSET_FIELD(selectedCols);
  	WRITE_BITMAPSET_FIELD(modifiedCols);
+ 	WRITE_NODE_FIELD(securityQuals);
  }
  
  static void
diff --git a/src/backend/nodes/readfuncs.c b/src/backend/nodes/readfuncs.c
new file mode 100644
index 216d75e..ef1eae9
*** a/src/backend/nodes/readfuncs.c
--- b/src/backend/nodes/readfuncs.c
*************** _readRangeTblEntry(void)
*** 1252,1257 ****
--- 1252,1258 ----
  	READ_OID_FIELD(checkAsUser);
  	READ_BITMAPSET_FIELD(selectedCols);
  	READ_BITMAPSET_FIELD(modifiedCols);
+ 	READ_NODE_FIELD(securityQuals);
  
  	READ_DONE();
  }
diff --git a/src/backend/optimizer/plan/planner.c b/src/backend/optimizer/plan/planner.c
new file mode 100644
index 35bda67..1beb6c8
*** a/src/backend/optimizer/plan/planner.c
--- b/src/backend/optimizer/plan/planner.c
*************** inheritance_planner(PlannerInfo *root)
*** 916,921 ****
--- 916,927 ----
  		subplan = grouping_planner(&subroot, 0.0 /* retrieve all tuples */ );
  
  		/*
+ 		 * Planning may have modified the query result relation (if there
+ 		 * were security barrier quals on the result RTE).
+ 		 */
+ 		appinfo->child_relid = subroot.parse->resultRelation;
+ 
+ 		/*
  		 * If this child rel was excluded by constraint exclusion, exclude it
  		 * from the result plan.
  		 */
*************** inheritance_planner(PlannerInfo *root)
*** 932,940 ****
  		if (final_rtable == NIL)
  			final_rtable = subroot.parse->rtable;
  		else
! 			final_rtable = list_concat(final_rtable,
  									   list_copy_tail(subroot.parse->rtable,
  												 list_length(final_rtable)));
  
  		/*
  		 * We need to collect all the RelOptInfos from all child plans into
--- 938,969 ----
  		if (final_rtable == NIL)
  			final_rtable = subroot.parse->rtable;
  		else
! 		{
! 			List	   *tmp_rtable = NIL;
! 			ListCell   *cell1, *cell2;
! 
! 			/*
! 			 * Planning this new child may have turned some of the original
! 			 * RTEs into subqueries (if they had security barrier quals). If
! 			 * so, we want to use these in the final rtable.
! 			 */
! 			forboth(cell1, final_rtable, cell2, subroot.parse->rtable)
! 			{
! 				RangeTblEntry *rte1 = (RangeTblEntry *) lfirst(cell1);
! 				RangeTblEntry *rte2 = (RangeTblEntry *) lfirst(cell2);
! 
! 				if (rte1->rtekind == RTE_RELATION &&
! 					rte1->securityQuals != NIL &&
! 					rte2->rtekind == RTE_SUBQUERY)
! 					tmp_rtable = lappend(tmp_rtable, rte2);
! 				else
! 					tmp_rtable = lappend(tmp_rtable, rte1);
! 			}
! 
! 			final_rtable = list_concat(tmp_rtable,
  									   list_copy_tail(subroot.parse->rtable,
  												 list_length(final_rtable)));
+ 		}
  
  		/*
  		 * We need to collect all the RelOptInfos from all child plans into
*************** grouping_planner(PlannerInfo *root, doub
*** 1163,1168 ****
--- 1192,1203 ----
  		tlist = preprocess_targetlist(root, tlist);
  
  		/*
+ 		 * Expand any rangetable entries that have security barrier quals.
+ 		 * This may add new security barrier subquery RTEs to the rangetable.
+ 		 */
+ 		expand_security_quals(root, tlist);
+ 
+ 		/*
  		 * Locate any window functions in the tlist.  (We don't need to look
  		 * anywhere else, since expressions used in ORDER BY will be in there
  		 * too.)  Note that they could all have been eliminated by constant
diff --git a/src/backend/optimizer/prep/Makefile b/src/backend/optimizer/prep/Makefile
new file mode 100644
index 86301bf..5195d9b
*** a/src/backend/optimizer/prep/Makefile
--- b/src/backend/optimizer/prep/Makefile
*************** subdir = src/backend/optimizer/prep
*** 12,17 ****
  top_builddir = ../../../..
  include $(top_builddir)/src/Makefile.global
  
! OBJS = prepjointree.o prepqual.o preptlist.o prepunion.o
  
  include $(top_srcdir)/src/backend/common.mk
--- 12,17 ----
  top_builddir = ../../../..
  include $(top_builddir)/src/Makefile.global
  
! OBJS = prepjointree.o prepqual.o prepsecurity.o preptlist.o prepunion.o
  
  include $(top_srcdir)/src/backend/common.mk
diff --git a/src/backend/optimizer/prep/prepsecurity.c b/src/backend/optimizer/prep/prepsecurity.c
new file mode 100644
index ...91a6e5d
*** a/src/backend/optimizer/prep/prepsecurity.c
--- b/src/backend/optimizer/prep/prepsecurity.c
***************
*** 0 ****
--- 1,457 ----
+ /*-------------------------------------------------------------------------
+  *
+  * prepsecurity.c
+  *	  Routines for preprocessing security barrier quals.
+  *
+  * Portions Copyright (c) 1996-2013, PostgreSQL Global Development Group
+  * Portions Copyright (c) 1994, Regents of the University of California
+  *
+  *
+  * IDENTIFICATION
+  *	  src/backend/optimizer/prep/prepsecurity.c
+  *
+  *-------------------------------------------------------------------------
+  */
+ #include "postgres.h"
+ 
+ #include "access/heapam.h"
+ #include "access/sysattr.h"
+ #include "catalog/heap.h"
+ #include "nodes/makefuncs.h"
+ #include "nodes/nodeFuncs.h"
+ #include "optimizer/prep.h"
+ #include "parser/analyze.h"
+ #include "parser/parsetree.h"
+ #include "rewrite/rewriteManip.h"
+ #include "utils/rel.h"
+ 
+ 
+ typedef struct
+ {
+ 	int			rt_index;		/* Index of security barrier RTE */
+ 	int			sublevels_up;	/* Current nesting depth */
+ 	Relation	rel;			/* RTE relation at rt_index */
+ 	List	   *targetlist;		/* Targetlist for new subquery RTE */
+ 	List	   *colnames;		/* Column names in subquery RTE */
+ 	List	   *vars_processed;	/* List of Vars already processed */
+ } security_barrier_replace_vars_context;
+ 
+ static void expand_security_qual(PlannerInfo *root, List *tlist, int rt_index,
+ 					 RangeTblEntry *rte, Node *qual);
+ 
+ static void security_barrier_replace_vars(Node *node,
+ 							  security_barrier_replace_vars_context *context);
+ 
+ static bool security_barrier_replace_vars_walker(Node *node,
+ 									 security_barrier_replace_vars_context *context);
+ 
+ 
+ /*
+  * expand_security_quals -
+  *	  expands any security barrier quals on RTEs in the query rtable, turning
+  *	  them into security barrier subqueries.
+  *
+  * Any given RTE may have multiple security barrier quals in a list, from which
+  * we create a set of nested subqueries to isolate each security barrier from
+  * the others, providing protection against malicious user-defined security
+  * barriers.  The first security barrier qual in the list will be used in the
+  * innermost subquery.
+  */
+ void
+ expand_security_quals(PlannerInfo *root, List *tlist)
+ {
+ 	Query	   *parse = root->parse;
+ 	int			rt_index;
+ 	ListCell   *cell;
+ 
+ 	/*
+ 	 * Process each RTE in the rtable list.
+ 	 *
+ 	 * We only ever modify entries in place and append to the rtable, so it is
+ 	 * safe to use a foreach loop here.
+ 	 */
+ 	rt_index = 0;
+ 	foreach(cell, parse->rtable)
+ 	{
+ 		RangeTblEntry *rte = (RangeTblEntry *) lfirst(cell);
+ 
+ 		rt_index++;
+ 
+ 		if (rte->securityQuals == NIL)
+ 			continue;
+ 
+ 		/*
+ 		 * Ignore any RTEs that aren't used in the query (such RTEs may be
+ 		 * present for permissions checks).
+ 		 */
+ 		if (rt_index != parse->resultRelation &&
+ 			!rangeTableEntry_used((Node *) parse, rt_index, 0))
+ 			continue;
+ 
+ 		/*
+ 		 * If this RTE is the target then we need to make a copy of it before
+ 		 * expanding it.  The unexpanded copy will become the new target, and
+ 		 * the original RTE will be expanded to become the source of rows to
+ 		 * update/delete.
+ 		 */
+ 		if (rt_index == parse->resultRelation)
+ 		{
+ 			RangeTblEntry *newrte = copyObject(rte);
+ 			parse->rtable = lappend(parse->rtable, newrte);
+ 			parse->resultRelation = list_length(parse->rtable);
+ 
+ 			/*
+ 			 * Wipe out any copied security barrier quals on the new target to
+ 			 * prevent infinite recursion.
+ 			 */
+ 			newrte->securityQuals = NIL;
+ 
+ 			/*
+ 			 * There's no need to do permissions checks twice, so wipe out the
+ 			 * permissions info for the original RTE (we prefer to keep the
+ 			 * bits set on the result RTE).
+ 			 */
+ 			rte->requiredPerms = 0;
+ 			rte->checkAsUser = InvalidOid;
+ 			rte->selectedCols = NULL;
+ 			rte->modifiedCols = NULL;
+ 
+ 			/*
+ 			 * For the most part, Vars referencing the original relation should
+ 			 * remain as they are, meaning that they pull OLD values from the
+ 			 * expanded RTE.  But in the RETURNING list and in any WITH CHECK
+ 			 * OPTION quals, we want such Vars to represent NEW values, so
+ 			 * change them to reference the new RTE.
+ 			 */
+ 			ChangeVarNodes((Node *) parse->returningList, rt_index,
+ 						   parse->resultRelation, 0);
+ 
+ 			ChangeVarNodes((Node *) parse->withCheckOptions, rt_index,
+ 						   parse->resultRelation, 0);
+ 		}
+ 
+ 		/*
+ 		 * Process each security barrier qual in turn, starting with the
+ 		 * innermost one (the first in the list) and working outwards.
+ 		 *
+ 		 * We remove each qual from the list before processing it, so that its
+ 		 * variables aren't modified by expand_security_qual.  Also we don't
+ 		 * necessarily want the attributes referred to by the qual to be
+ 		 * exposed by the newly built subquery.
+ 		 */
+ 		while (rte->securityQuals != NIL)
+ 		{
+ 			Node   *qual = (Node *) linitial(rte->securityQuals);
+ 			rte->securityQuals = list_delete_first(rte->securityQuals);
+ 
+ 			ChangeVarNodes(qual, rt_index, 1, 0);
+ 			expand_security_qual(root, tlist, rt_index, rte, qual);
+ 		}
+ 	}
+ }
+ 
+ 
+ /*
+  * expand_security_qual -
+  *	  expand the specified security barrier qual on a query RTE, turning the
+  *	  RTE into a security barrier subquery.
+  */
+ static void
+ expand_security_qual(PlannerInfo *root, List *tlist, int rt_index,
+ 					 RangeTblEntry *rte, Node *qual)
+ {
+ 	Query		   *parse = root->parse;
+ 	Oid				relid = rte->relid;
+ 	Query		   *subquery;
+ 	RangeTblEntry  *subrte;
+ 	RangeTblRef	   *subrtr;
+ 	PlanRowMark	   *rc;
+ 	security_barrier_replace_vars_context context;
+ 	ListCell	   *cell;
+ 
+ 	/*
+ 	 * There should only be 2 possible cases:
+ 	 *
+ 	 * 1. A relation RTE, which we turn into a subquery RTE containing all
+ 	 * referenced columns.
+ 	 *
+ 	 * 2. A subquery RTE (either from a prior call to this function or from an
+ 	 * expanded view).  In this case we build a new subquery on top of it to
+ 	 * isolate this security barrier qual from any other quals.
+ 	 */
+ 	switch (rte->rtekind)
+ 	{
+ 		case RTE_RELATION:
+ 			/*
+ 			 * Turn the relation RTE into a security barrier subquery RTE,
+ 			 * moving all permissions checks down into the subquery.
+ 			 */
+ 			subquery = makeNode(Query);
+ 			subquery->commandType = CMD_SELECT;
+ 			subquery->querySource = QSRC_INSTEAD_RULE;
+ 
+ 			subrte = copyObject(rte);
+ 			subrte->inFromCl = true;
+ 			subrte->securityQuals = NIL;
+ 			subquery->rtable = list_make1(subrte);
+ 
+ 			subrtr = makeNode(RangeTblRef);
+ 			subrtr->rtindex = 1;
+ 			subquery->jointree = makeFromExpr(list_make1(subrtr), qual);
+ 			subquery->hasSubLinks = checkExprHasSubLink(qual);
+ 
+ 			rte->rtekind = RTE_SUBQUERY;
+ 			rte->relid = InvalidOid;
+ 			rte->subquery = subquery;
+ 			rte->security_barrier = true;
+ 			rte->inh = false;			/* must not be set for a subquery */
+ 
+ 			/* the permissions checks have now been moved down */
+ 			rte->requiredPerms = 0;
+ 			rte->checkAsUser = InvalidOid;
+ 			rte->selectedCols = NULL;
+ 			rte->modifiedCols = NULL;
+ 
+ 			/*
+ 			 * Now deal with any PlanRowMark on this RTE by requesting a lock
+ 			 * of the same strength on the RTE copied down to the subquery.
+ 			 */
+ 			rc = get_plan_rowmark(root->rowMarks, rt_index);
+ 			if (rc != NULL)
+ 			{
+ 				switch (rc->markType)
+ 				{
+ 					case ROW_MARK_EXCLUSIVE:
+ 						applyLockingClause(subquery, 1, LCS_FORUPDATE,
+ 										   rc->noWait, false);
+ 						break;
+ 					case ROW_MARK_NOKEYEXCLUSIVE:
+ 						applyLockingClause(subquery, 1, LCS_FORNOKEYUPDATE,
+ 										   rc->noWait, false);
+ 						break;
+ 					case ROW_MARK_SHARE:
+ 						applyLockingClause(subquery, 1, LCS_FORSHARE,
+ 										   rc->noWait, false);
+ 						break;
+ 					case ROW_MARK_KEYSHARE:
+ 						applyLockingClause(subquery, 1, LCS_FORKEYSHARE,
+ 										   rc->noWait, false);
+ 						break;
+ 					case ROW_MARK_REFERENCE:
+ 					case ROW_MARK_COPY:
+ 						/* No locking needed */
+ 						break;
+ 				}
+ 				root->rowMarks = list_delete(root->rowMarks, rc);
+ 			}
+ 
+ 			/*
+ 			 * Replace any variables in the outer query that refer to the
+ 			 * original relation RTE with references to columns that we will
+ 			 * expose in the new subquery, building the subquery's targetlist
+ 			 * as we go.
+ 			 */
+ 			context.rt_index = rt_index;
+ 			context.sublevels_up = 0;
+ 			context.rel = heap_open(relid, NoLock);
+ 			context.targetlist = NIL;
+ 			context.colnames = NIL;
+ 			context.vars_processed = NIL;
+ 
+ 			security_barrier_replace_vars((Node *) parse, &context);
+ 			security_barrier_replace_vars((Node *) tlist, &context);
+ 
+ 			heap_close(context.rel, NoLock);
+ 
+ 			/* Now we know what columns the subquery needs to expose */
+ 			rte->subquery->targetList = context.targetlist;
+ 			rte->eref = makeAlias(rte->eref->aliasname, context.colnames);
+ 
+ 			break;
+ 
+ 		case RTE_SUBQUERY:
+ 			/*
+ 			 * Build a new subquery that includes all the same columns as the
+ 			 * original subquery.
+ 			 */
+ 			subquery = makeNode(Query);
+ 			subquery->commandType = CMD_SELECT;
+ 			subquery->querySource = QSRC_INSTEAD_RULE;
+ 			subquery->targetList = NIL;
+ 
+ 			foreach(cell, rte->subquery->targetList)
+ 			{
+ 				TargetEntry	   *tle;
+ 				Var			   *var;
+ 
+ 				tle = (TargetEntry *) lfirst(cell);
+ 				var = makeVarFromTargetEntry(1, tle);
+ 
+ 				tle = makeTargetEntry((Expr *) var,
+ 									  list_length(subquery->targetList) + 1,
+ 									  pstrdup(tle->resname),
+ 									  tle->resjunk);
+ 				subquery->targetList = lappend(subquery->targetList, tle);
+ 			}
+ 
+ 			subrte = makeNode(RangeTblEntry);
+ 			subrte->rtekind = RTE_SUBQUERY;
+ 			subrte->subquery = rte->subquery;
+ 			subrte->security_barrier = rte->security_barrier;
+ 			subrte->eref = copyObject(rte->eref);
+ 			subrte->inFromCl = true;
+ 			subquery->rtable = list_make1(subrte);
+ 
+ 			subrtr = makeNode(RangeTblRef);
+ 			subrtr->rtindex = 1;
+ 			subquery->jointree = makeFromExpr(list_make1(subrtr), qual);
+ 			subquery->hasSubLinks = checkExprHasSubLink(qual);
+ 
+ 			rte->subquery = subquery;
+ 			rte->security_barrier = true;
+ 
+ 			break;
+ 
+ 		default:
+ 			elog(ERROR, "invalid range table entry for security barrier qual");
+ 	}
+ }
+ 
+ 
+ /*
+  * security_barrier_replace_vars -
+  *	  Apply security barrier variable replacement to an expression tree.
+  *
+  * This also builds/updates a targetlist with entries for each replacement
+  * variable that needs to be exposed by the security barrier subquery RTE.
+  *
+  * NOTE: although this has the form of a walker, we cheat and modify the
+  * nodes in-place.	The given expression tree should have been copied
+  * earlier to ensure that no unwanted side-effects occur!
+  */
+ static void
+ security_barrier_replace_vars(Node *node,
+ 							  security_barrier_replace_vars_context *context)
+ {
+ 	/*
+ 	 * Must be prepared to start with a Query or a bare expression tree; if
+ 	 * it's a Query, go straight to query_tree_walker to make sure that
+ 	 * sublevels_up doesn't get incremented prematurely.
+ 	 */
+ 	if (node && IsA(node, Query))
+ 		query_tree_walker((Query *) node,
+ 						  security_barrier_replace_vars_walker,
+ 						  (void *) context, 0);
+ 	else
+ 		security_barrier_replace_vars_walker(node, context);
+ }
+ 
+ static bool
+ security_barrier_replace_vars_walker(Node *node,
+ 									 security_barrier_replace_vars_context *context)
+ {
+ 	if (node == NULL)
+ 		return false;
+ 	if (IsA(node, Var))
+ 	{
+ 		Var		   *var = (Var *) node;
+ 
+ 		/*
+ 		 * Note that the same Var may be present in different lists, so we
+ 		 * need to take care not to process it multiple times.
+ 		 */
+ 		if (var->varno == context->rt_index &&
+ 			var->varlevelsup == context->sublevels_up &&
+ 			!list_member_ptr(context->vars_processed, var))
+ 		{
+ 			/*
+ 			 * Found a matching variable. Make sure that it is in the subquery
+ 			 * targetlist and map its attno accordingly.
+ 			 */
+ 			AttrNumber	attno;
+ 			ListCell   *l;
+ 			TargetEntry *tle;
+ 			char	   *attname;
+ 			Var		   *newvar;
+ 
+ 			/* Search for the base attribute in the subquery targetlist */
+ 			attno = InvalidAttrNumber;
+ 			foreach(l, context->targetlist)
+ 			{
+ 				tle = (TargetEntry *) lfirst(l);
+ 				attno++;
+ 
+ 				Assert(IsA(tle->expr, Var));
+ 				if (((Var *) tle->expr)->varattno == var->varattno &&
+ 					((Var *) tle->expr)->varcollid == var->varcollid)
+ 				{
+ 					/* Map the variable onto this subquery targetlist entry */
+ 					var->varattno = attno;
+ 					return false;
+ 				}
+ 			}
+ 
+ 			/* Not in the subquery targetlist, so add it. Get its name. */
+ 			if (var->varattno < 0)
+ 			{
+ 				Form_pg_attribute att_tup;
+ 
+ 				att_tup = SystemAttributeDefinition(var->varattno,
+ 													context->rel->rd_rel->relhasoids);
+ 				attname = NameStr(att_tup->attname);
+ 			}
+ 			else if (var->varattno == InvalidAttrNumber)
+ 			{
+ 				attname = "wholerow";
+ 			}
+ 			else if (var->varattno <= context->rel->rd_att->natts)
+ 			{
+ 				Form_pg_attribute att_tup;
+ 
+ 				att_tup = context->rel->rd_att->attrs[var->varattno - 1];
+ 				attname = NameStr(att_tup->attname);
+ 			}
+ 			else
+ 			{
+ 				elog(ERROR, "invalid attribute number %d in security_barrier_replace_vars", var->varattno);
+ 			}
+ 
+ 			/* New variable for subquery targetlist */
+ 			newvar = copyObject(var);
+ 			newvar->varno = 1;
+ 
+ 			attno = list_length(context->targetlist) + 1;
+ 			tle = makeTargetEntry((Expr *) newvar,
+ 								  attno,
+ 								  pstrdup(attname),
+ 								  false);
+ 
+ 			context->targetlist = lappend(context->targetlist, tle);
+ 
+ 			context->colnames = lappend(context->colnames,
+ 										makeString(pstrdup(attname)));
+ 
+ 			/* Update the outer query's variable */
+ 			var->varattno = attno;
+ 
+ 			/* Remember this Var so that we don't process it again */
+ 			context->vars_processed = lappend(context->vars_processed, var);
+ 		}
+ 		return false;
+ 	}
+ 
+ 	if (IsA(node, Query))
+ 	{
+ 		/* Recurse into subselects */
+ 		bool		result;
+ 
+ 		context->sublevels_up++;
+ 		result = query_tree_walker((Query *) node,
+ 								   security_barrier_replace_vars_walker,
+ 								   (void *) context, 0);
+ 		context->sublevels_up--;
+ 		return result;
+ 	}
+ 	return expression_tree_walker(node, security_barrier_replace_vars_walker,
+ 								  (void *) context);
+ }
diff --git a/src/backend/optimizer/prep/prepunion.c b/src/backend/optimizer/prep/prepunion.c
new file mode 100644
index 52dcc72..c7e0199
*** a/src/backend/optimizer/prep/prepunion.c
--- b/src/backend/optimizer/prep/prepunion.c
*************** typedef struct
*** 55,60 ****
--- 55,61 ----
  {
  	PlannerInfo *root;
  	AppendRelInfo *appinfo;
+ 	int			sublevels_up;
  } adjust_appendrel_attrs_context;
  
  static Plan *recurse_set_operations(Node *setOp, PlannerInfo *root,
*************** translate_col_privs(const Bitmapset *par
*** 1580,1587 ****
   *	  child rel instead.  We also update rtindexes appearing outside Vars,
   *	  such as resultRelation and jointree relids.
   *
!  * Note: this is only applied after conversion of sublinks to subplans,
!  * so we don't need to cope with recursion into sub-queries.
   *
   * Note: this is not hugely different from what pullup_replace_vars() does;
   * maybe we should try to fold the two routines together.
--- 1581,1589 ----
   *	  child rel instead.  We also update rtindexes appearing outside Vars,
   *	  such as resultRelation and jointree relids.
   *
!  * Note: this is applied after conversion of sublinks to subplans in the
!  * query jointree, but there may still be sublinks in the security barrier
!  * quals of RTEs, so we do need to cope with recursion into sub-queries.
   *
   * Note: this is not hugely different from what pullup_replace_vars() does;
   * maybe we should try to fold the two routines together.
*************** adjust_appendrel_attrs(PlannerInfo *root
*** 1594,1602 ****
  
  	context.root = root;
  	context.appinfo = appinfo;
  
  	/*
! 	 * Must be prepared to start with a Query or a bare expression tree.
  	 */
  	if (node && IsA(node, Query))
  	{
--- 1596,1607 ----
  
  	context.root = root;
  	context.appinfo = appinfo;
+ 	context.sublevels_up = 0;
  
  	/*
! 	 * Must be prepared to start with a Query or a bare expression tree; if
! 	 * it's a Query, go straight to query_tree_walker to make sure that
! 	 * sublevels_up doesn't get incremented prematurely.
  	 */
  	if (node && IsA(node, Query))
  	{
*************** adjust_appendrel_attrs_mutator(Node *nod
*** 1635,1641 ****
  	{
  		Var		   *var = (Var *) copyObject(node);
  
! 		if (var->varlevelsup == 0 &&
  			var->varno == appinfo->parent_relid)
  		{
  			var->varno = appinfo->child_relid;
--- 1640,1646 ----
  	{
  		Var		   *var = (Var *) copyObject(node);
  
! 		if (var->varlevelsup == context->sublevels_up &&
  			var->varno == appinfo->parent_relid)
  		{
  			var->varno = appinfo->child_relid;
*************** adjust_appendrel_attrs_mutator(Node *nod
*** 1652,1657 ****
--- 1657,1663 ----
  				if (newnode == NULL)
  					elog(ERROR, "attribute %d of relation \"%s\" does not exist",
  						 var->varattno, get_rel_name(appinfo->parent_reloid));
+ 				((Var *) newnode)->varlevelsup += context->sublevels_up;
  				return newnode;
  			}
  			else if (var->varattno == 0)
*************** adjust_appendrel_attrs_mutator(Node *nod
*** 1694,1703 ****
--- 1700,1715 ----
  					RowExpr    *rowexpr;
  					List	   *fields;
  					RangeTblEntry *rte;
+ 					ListCell   *lc;
  
  					rte = rt_fetch(appinfo->parent_relid,
  								   context->root->parse->rtable);
  					fields = (List *) copyObject(appinfo->translated_vars);
+ 					foreach(lc, fields)
+ 					{
+ 						Var		   *field = (Var *) lfirst(lc);
+ 						field->varlevelsup += context->sublevels_up;
+ 					}
  					rowexpr = makeNode(RowExpr);
  					rowexpr->args = fields;
  					rowexpr->row_typeid = var->vartype;
*************** adjust_appendrel_attrs_mutator(Node *nod
*** 1716,1722 ****
  	{
  		CurrentOfExpr *cexpr = (CurrentOfExpr *) copyObject(node);
  
! 		if (cexpr->cvarno == appinfo->parent_relid)
  			cexpr->cvarno = appinfo->child_relid;
  		return (Node *) cexpr;
  	}
--- 1728,1735 ----
  	{
  		CurrentOfExpr *cexpr = (CurrentOfExpr *) copyObject(node);
  
! 		if (context->sublevels_up == 0 &&
! 			cexpr->cvarno == appinfo->parent_relid)
  			cexpr->cvarno = appinfo->child_relid;
  		return (Node *) cexpr;
  	}
*************** adjust_appendrel_attrs_mutator(Node *nod
*** 1724,1730 ****
  	{
  		RangeTblRef *rtr = (RangeTblRef *) copyObject(node);
  
! 		if (rtr->rtindex == appinfo->parent_relid)
  			rtr->rtindex = appinfo->child_relid;
  		return (Node *) rtr;
  	}
--- 1737,1744 ----
  	{
  		RangeTblRef *rtr = (RangeTblRef *) copyObject(node);
  
! 		if (context->sublevels_up == 0 &&
! 			rtr->rtindex == appinfo->parent_relid)
  			rtr->rtindex = appinfo->child_relid;
  		return (Node *) rtr;
  	}
*************** adjust_appendrel_attrs_mutator(Node *nod
*** 1737,1743 ****
  											  adjust_appendrel_attrs_mutator,
  												 (void *) context);
  		/* now fix JoinExpr's rtindex (probably never happens) */
! 		if (j->rtindex == appinfo->parent_relid)
  			j->rtindex = appinfo->child_relid;
  		return (Node *) j;
  	}
--- 1751,1758 ----
  											  adjust_appendrel_attrs_mutator,
  												 (void *) context);
  		/* now fix JoinExpr's rtindex (probably never happens) */
! 		if (context->sublevels_up == 0 &&
! 			j->rtindex == appinfo->parent_relid)
  			j->rtindex = appinfo->child_relid;
  		return (Node *) j;
  	}
*************** adjust_appendrel_attrs_mutator(Node *nod
*** 1750,1756 ****
  											  adjust_appendrel_attrs_mutator,
  														 (void *) context);
  		/* now fix PlaceHolderVar's relid sets */
! 		if (phv->phlevelsup == 0)
  			phv->phrels = adjust_relid_set(phv->phrels,
  										   appinfo->parent_relid,
  										   appinfo->child_relid);
--- 1765,1771 ----
  											  adjust_appendrel_attrs_mutator,
  														 (void *) context);
  		/* now fix PlaceHolderVar's relid sets */
! 		if (phv->phlevelsup == context->sublevels_up)
  			phv->phrels = adjust_relid_set(phv->phrels,
  										   appinfo->parent_relid,
  										   appinfo->child_relid);
*************** adjust_appendrel_attrs_mutator(Node *nod
*** 1822,1833 ****
  		return (Node *) newinfo;
  	}
  
! 	/*
! 	 * NOTE: we do not need to recurse into sublinks, because they should
! 	 * already have been converted to subplans before we see them.
! 	 */
! 	Assert(!IsA(node, SubLink));
! 	Assert(!IsA(node, Query));
  
  	return expression_tree_mutator(node, adjust_appendrel_attrs_mutator,
  								   (void *) context);
--- 1837,1862 ----
  		return (Node *) newinfo;
  	}
  
! 	if (IsA(node, Query))
! 	{
! 		/*
! 		 * Recurse into sublink subqueries. This should only be possible in
! 		 * security barrier quals of top-level RTEs. All other sublinks should
! 		 * have already been converted to subplans during expression
! 		 * preprocessing, but this doesn't happen for security barrier quals,
! 		 * since they are destined to become quals of a subquery RTE, which
! 		 * will be recursively planned, and so should not be preprocessed at
! 		 * this stage.
! 		 */
! 		Query	   *newnode;
! 
! 		context->sublevels_up++;
! 		newnode = query_tree_mutator((Query *) node,
! 									 adjust_appendrel_attrs_mutator,
! 									 (void *) context, 0);
! 		context->sublevels_up--;
! 		return (Node *) newnode;
! 	}
  
  	return expression_tree_mutator(node, adjust_appendrel_attrs_mutator,
  								   (void *) context);
diff --git a/src/backend/rewrite/rewriteHandler.c b/src/backend/rewrite/rewriteHandler.c
new file mode 100644
index 0b13645..370b5aa
*** a/src/backend/rewrite/rewriteHandler.c
--- b/src/backend/rewrite/rewriteHandler.c
*************** view_col_is_auto_updatable(RangeTblRef *
*** 1973,1980 ****
   * updatable.
   */
  const char *
! view_query_is_auto_updatable(Query *viewquery, bool security_barrier,
! 							 bool check_cols)
  {
  	RangeTblRef *rtr;
  	RangeTblEntry *base_rte;
--- 1973,1979 ----
   * updatable.
   */
  const char *
! view_query_is_auto_updatable(Query *viewquery, bool check_cols)
  {
  	RangeTblRef *rtr;
  	RangeTblEntry *base_rte;
*************** view_query_is_auto_updatable(Query *view
*** 2048,2061 ****
  		return gettext_noop("Views that return set-returning functions are not automatically updatable.");
  
  	/*
- 	 * For now, we also don't support security-barrier views, because of the
- 	 * difficulty of keeping upper-level qual expressions away from
- 	 * lower-level data.  This might get relaxed in the future.
- 	 */
- 	if (security_barrier)
- 		return gettext_noop("Security-barrier views are not automatically updatable.");
- 
- 	/*
  	 * The view query should select from a single base relation, which must be
  	 * a table or another view.
  	 */
--- 2047,2052 ----
*************** relation_is_updatable(Oid reloid,
*** 2303,2311 ****
  	{
  		Query	   *viewquery = get_view_query(rel);
  
! 		if (view_query_is_auto_updatable(viewquery,
! 										 RelationIsSecurityView(rel),
! 										 false) == NULL)
  		{
  			Bitmapset  *updatable_cols;
  			int			auto_events;
--- 2294,2300 ----
  	{
  		Query	   *viewquery = get_view_query(rel);
  
! 		if (view_query_is_auto_updatable(viewquery, false) == NULL)
  		{
  			Bitmapset  *updatable_cols;
  			int			auto_events;
*************** rewriteTargetView(Query *parsetree, Rela
*** 2460,2466 ****
  
  	auto_update_detail =
  		view_query_is_auto_updatable(viewquery,
- 									 RelationIsSecurityView(view),
  									 parsetree->commandType != CMD_DELETE);
  
  	if (auto_update_detail)
--- 2449,2454 ----
*************** rewriteTargetView(Query *parsetree, Rela
*** 2664,2669 ****
--- 2652,2665 ----
  												   view_targetlist);
  
  	/*
+ 	 * Move any security barrier quals from the view RTE onto the new target
+ 	 * RTE.  Any such quals should now apply to the new target RTE and will not
+ 	 * reference the original view RTE in the rewritten query.
+ 	 */
+ 	new_rte->securityQuals = view_rte->securityQuals;
+ 	view_rte->securityQuals = NIL;
+ 
+ 	/*
  	 * For UPDATE/DELETE, rewriteTargetListUD will have added a wholerow junk
  	 * TLE for the view to the end of the targetlist, which we no longer need.
  	 * Remove it to avoid unnecessary work when we process the targetlist.
*************** rewriteTargetView(Query *parsetree, Rela
*** 2743,2748 ****
--- 2739,2748 ----
  	 * only adjust their varnos to reference the new target (just the same as
  	 * we did with the view targetlist).
  	 *
+ 	 * Note that there is special-case handling for the quals of a security
+ 	 * barrier view, since they need to be kept separate from any user-supplied
+ 	 * quals, so these quals are kept on the new target RTE.
+ 	 *
  	 * For INSERT, the view's quals can be ignored in the main query.
  	 */
  	if (parsetree->commandType != CMD_INSERT &&
*************** rewriteTargetView(Query *parsetree, Rela
*** 2751,2757 ****
  		Node	   *viewqual = (Node *) copyObject(viewquery->jointree->quals);
  
  		ChangeVarNodes(viewqual, base_rt_index, new_rt_index, 0);
! 		AddQual(parsetree, (Node *) viewqual);
  	}
  
  	/*
--- 2751,2775 ----
  		Node	   *viewqual = (Node *) copyObject(viewquery->jointree->quals);
  
  		ChangeVarNodes(viewqual, base_rt_index, new_rt_index, 0);
! 
! 		if (RelationIsSecurityView(view))
! 		{
! 			/*
! 			 * Note: the parsetree has been mutated, so the new_rte pointer is
! 			 * stale and needs to be re-computed.
! 			 */
! 			new_rte = rt_fetch(new_rt_index, parsetree->rtable);
! 			new_rte->securityQuals = lcons(viewqual, new_rte->securityQuals);
! 
! 			/*
! 			 * Make sure that the query is marked correctly if the added qual
! 			 * has sublinks.
! 			 */
! 			if (!parsetree->hasSubLinks)
! 				parsetree->hasSubLinks = checkExprHasSubLink(viewqual);
! 		}
! 		else
! 			AddQual(parsetree, (Node *) viewqual);
  	}
  
  	/*
*************** rewriteTargetView(Query *parsetree, Rela
*** 2813,2821 ****
  				 * Make sure that the query is marked correctly if the added
  				 * qual has sublinks.  We can skip this check if the query is
  				 * already marked, or if the command is an UPDATE, in which
! 				 * case the same qual will have already been added to the
! 				 * query's WHERE clause, and AddQual will have already done
! 				 * this check.
  				 */
  				if (!parsetree->hasSubLinks &&
  					parsetree->commandType != CMD_UPDATE)
--- 2831,2838 ----
  				 * Make sure that the query is marked correctly if the added
  				 * qual has sublinks.  We can skip this check if the query is
  				 * already marked, or if the command is an UPDATE, in which
! 				 * case the same qual will have already been added, and this
! 				 * check will already have been done.
  				 */
  				if (!parsetree->hasSubLinks &&
  					parsetree->commandType != CMD_UPDATE)
diff --git a/src/include/nodes/parsenodes.h b/src/include/nodes/parsenodes.h
new file mode 100644
index ad58b39..1f9083c
*** a/src/include/nodes/parsenodes.h
--- b/src/include/nodes/parsenodes.h
*************** typedef struct RangeTblEntry
*** 801,806 ****
--- 801,807 ----
  	Oid			checkAsUser;	/* if valid, check access as this role */
  	Bitmapset  *selectedCols;	/* columns needing SELECT permission */
  	Bitmapset  *modifiedCols;	/* columns needing INSERT/UPDATE permission */
+ 	List	   *securityQuals;	/* any security barrier quals to apply */
  } RangeTblEntry;
  
  /*
diff --git a/src/include/optimizer/prep.h b/src/include/optimizer/prep.h
new file mode 100644
index 0f5a7d3..f5fc7e8
*** a/src/include/optimizer/prep.h
--- b/src/include/optimizer/prep.h
*************** extern Node *negate_clause(Node *node);
*** 36,41 ****
--- 36,46 ----
  extern Expr *canonicalize_qual(Expr *qual);
  
  /*
+  * prototypes for prepsecurity.c
+  */
+ extern void expand_security_quals(PlannerInfo *root, List *tlist);
+ 
+ /*
   * prototypes for preptlist.c
   */
  extern List *preprocess_targetlist(PlannerInfo *root, List *tlist);
diff --git a/src/include/rewrite/rewriteHandler.h b/src/include/rewrite/rewriteHandler.h
new file mode 100644
index e4027bd..8da0af5
*** a/src/include/rewrite/rewriteHandler.h
--- b/src/include/rewrite/rewriteHandler.h
*************** extern void AcquireRewriteLocks(Query *p
*** 23,29 ****
  extern Node *build_column_default(Relation rel, int attrno);
  extern Query *get_view_query(Relation view);
  extern const char *view_query_is_auto_updatable(Query *viewquery,
- 										 bool security_barrier,
  										 bool check_cols);
  extern int	relation_is_updatable(Oid reloid,
  						  bool include_triggers,
--- 23,28 ----
diff --git a/src/test/regress/expected/create_view.out b/src/test/regress/expected/create_view.out
new file mode 100644
index 91d1639..f6db582
*** a/src/test/regress/expected/create_view.out
--- b/src/test/regress/expected/create_view.out
*************** CREATE VIEW mysecview4 WITH (security_ba
*** 252,258 ****
         AS SELECT * FROM tbl1 WHERE a <> 0;
  CREATE VIEW mysecview5 WITH (security_barrier=100)	-- Error
         AS SELECT * FROM tbl1 WHERE a > 100;
! ERROR:  security_barrier requires a Boolean value
  CREATE VIEW mysecview6 WITH (invalid_option)		-- Error
         AS SELECT * FROM tbl1 WHERE a < 100;
  ERROR:  unrecognized parameter "invalid_option"
--- 252,258 ----
         AS SELECT * FROM tbl1 WHERE a <> 0;
  CREATE VIEW mysecview5 WITH (security_barrier=100)	-- Error
         AS SELECT * FROM tbl1 WHERE a > 100;
! ERROR:  invalid value for boolean option "security_barrier": 100
  CREATE VIEW mysecview6 WITH (invalid_option)		-- Error
         AS SELECT * FROM tbl1 WHERE a < 100;
  ERROR:  unrecognized parameter "invalid_option"
diff --git a/src/test/regress/expected/updatable_views.out b/src/test/regress/expected/updatable_views.out
new file mode 100644
index 99c9165..261b0c5
*** a/src/test/regress/expected/updatable_views.out
--- b/src/test/regress/expected/updatable_views.out
*************** CREATE VIEW rw_view14 AS SELECT ctid, a,
*** 22,33 ****
  CREATE VIEW rw_view15 AS SELECT a, upper(b) FROM base_tbl; -- Expression/function may be part of an updatable view
  CREATE VIEW rw_view16 AS SELECT a, b, a AS aa FROM base_tbl; -- Repeated column may be part of an updatable view
  CREATE VIEW ro_view17 AS SELECT * FROM ro_view1; -- Base relation not updatable
! CREATE VIEW ro_view18 WITH (security_barrier = true)
!   AS SELECT * FROM base_tbl; -- Security barrier views not updatable
! CREATE VIEW ro_view19 AS SELECT * FROM (VALUES(1)) AS tmp(a); -- VALUES in rangetable
  CREATE SEQUENCE seq;
! CREATE VIEW ro_view20 AS SELECT * FROM seq; -- View based on a sequence
! CREATE VIEW ro_view21 AS SELECT a, b, generate_series(1, a) g FROM base_tbl; -- SRF in targetlist not supported
  SELECT table_name, is_insertable_into
    FROM information_schema.tables
   WHERE table_name LIKE E'r_\\_view%'
--- 22,31 ----
  CREATE VIEW rw_view15 AS SELECT a, upper(b) FROM base_tbl; -- Expression/function may be part of an updatable view
  CREATE VIEW rw_view16 AS SELECT a, b, a AS aa FROM base_tbl; -- Repeated column may be part of an updatable view
  CREATE VIEW ro_view17 AS SELECT * FROM ro_view1; -- Base relation not updatable
! CREATE VIEW ro_view18 AS SELECT * FROM (VALUES(1)) AS tmp(a); -- VALUES in rangetable
  CREATE SEQUENCE seq;
! CREATE VIEW ro_view19 AS SELECT * FROM seq; -- View based on a sequence
! CREATE VIEW ro_view20 AS SELECT a, b, generate_series(1, a) g FROM base_tbl; -- SRF in targetlist not supported
  SELECT table_name, is_insertable_into
    FROM information_schema.tables
   WHERE table_name LIKE E'r_\\_view%'
*************** SELECT table_name, is_insertable_into
*** 44,50 ****
   ro_view19  | NO
   ro_view2   | NO
   ro_view20  | NO
-  ro_view21  | NO
   ro_view3   | NO
   ro_view4   | NO
   ro_view5   | NO
--- 42,47 ----
*************** SELECT table_name, is_insertable_into
*** 55,61 ****
   rw_view14  | YES
   rw_view15  | YES
   rw_view16  | YES
! (21 rows)
  
  SELECT table_name, is_updatable, is_insertable_into
    FROM information_schema.views
--- 52,58 ----
   rw_view14  | YES
   rw_view15  | YES
   rw_view16  | YES
! (20 rows)
  
  SELECT table_name, is_updatable, is_insertable_into
    FROM information_schema.views
*************** SELECT table_name, is_updatable, is_inse
*** 73,79 ****
   ro_view19  | NO           | NO
   ro_view2   | NO           | NO
   ro_view20  | NO           | NO
-  ro_view21  | NO           | NO
   ro_view3   | NO           | NO
   ro_view4   | NO           | NO
   ro_view5   | NO           | NO
--- 70,75 ----
*************** SELECT table_name, is_updatable, is_inse
*** 84,90 ****
   rw_view14  | YES          | YES
   rw_view15  | YES          | YES
   rw_view16  | YES          | YES
! (21 rows)
  
  SELECT table_name, column_name, is_updatable
    FROM information_schema.columns
--- 80,86 ----
   rw_view14  | YES          | YES
   rw_view15  | YES          | YES
   rw_view16  | YES          | YES
! (20 rows)
  
  SELECT table_name, column_name, is_updatable
    FROM information_schema.columns
*************** SELECT table_name, column_name, is_updat
*** 103,125 ****
   ro_view17  | a             | NO
   ro_view17  | b             | NO
   ro_view18  | a             | NO
!  ro_view18  | b             | NO
!  ro_view19  | a             | NO
   ro_view2   | a             | NO
   ro_view2   | b             | NO
!  ro_view20  | sequence_name | NO
!  ro_view20  | last_value    | NO
!  ro_view20  | start_value   | NO
!  ro_view20  | increment_by  | NO
!  ro_view20  | max_value     | NO
!  ro_view20  | min_value     | NO
!  ro_view20  | cache_value   | NO
!  ro_view20  | log_cnt       | NO
!  ro_view20  | is_cycled     | NO
!  ro_view20  | is_called     | NO
!  ro_view21  | a             | NO
!  ro_view21  | b             | NO
!  ro_view21  | g             | NO
   ro_view3   | ?column?      | NO
   ro_view4   | count         | NO
   ro_view5   | a             | NO
--- 99,119 ----
   ro_view17  | a             | NO
   ro_view17  | b             | NO
   ro_view18  | a             | NO
!  ro_view19  | sequence_name | NO
!  ro_view19  | last_value    | NO
!  ro_view19  | start_value   | NO
!  ro_view19  | increment_by  | NO
!  ro_view19  | max_value     | NO
!  ro_view19  | min_value     | NO
!  ro_view19  | cache_value   | NO
!  ro_view19  | log_cnt       | NO
!  ro_view19  | is_cycled     | NO
!  ro_view19  | is_called     | NO
   ro_view2   | a             | NO
   ro_view2   | b             | NO
!  ro_view20  | a             | NO
!  ro_view20  | b             | NO
!  ro_view20  | g             | NO
   ro_view3   | ?column?      | NO
   ro_view4   | count         | NO
   ro_view5   | a             | NO
*************** SELECT table_name, column_name, is_updat
*** 140,146 ****
   rw_view16  | a             | YES
   rw_view16  | b             | YES
   rw_view16  | aa            | YES
! (48 rows)
  
  -- Read-only views
  DELETE FROM ro_view1;
--- 134,140 ----
   rw_view16  | a             | YES
   rw_view16  | b             | YES
   rw_view16  | aa            | YES
! (46 rows)
  
  -- Read-only views
  DELETE FROM ro_view1;
*************** INSERT INTO ro_view17 VALUES (3, 'ROW 3'
*** 268,291 ****
  ERROR:  cannot insert into view "ro_view1"
  DETAIL:  Views containing DISTINCT are not automatically updatable.
  HINT:  To enable inserting into the view, provide an INSTEAD OF INSERT trigger or an unconditional ON INSERT DO INSTEAD rule.
! INSERT INTO ro_view18 VALUES (3, 'ROW 3');
! ERROR:  cannot insert into view "ro_view18"
! DETAIL:  Security-barrier views are not automatically updatable.
! HINT:  To enable inserting into the view, provide an INSTEAD OF INSERT trigger or an unconditional ON INSERT DO INSTEAD rule.
! DELETE FROM ro_view19;
! ERROR:  cannot delete from view "ro_view19"
  DETAIL:  Views that do not select from a single table or view are not automatically updatable.
  HINT:  To enable deleting from the view, provide an INSTEAD OF DELETE trigger or an unconditional ON DELETE DO INSTEAD rule.
! UPDATE ro_view20 SET max_value=1000;
! ERROR:  cannot update view "ro_view20"
  DETAIL:  Views that do not select from a single table or view are not automatically updatable.
  HINT:  To enable updating the view, provide an INSTEAD OF UPDATE trigger or an unconditional ON UPDATE DO INSTEAD rule.
! UPDATE ro_view21 SET b=upper(b);
! ERROR:  cannot update view "ro_view21"
  DETAIL:  Views that return set-returning functions are not automatically updatable.
  HINT:  To enable updating the view, provide an INSTEAD OF UPDATE trigger or an unconditional ON UPDATE DO INSTEAD rule.
  DROP TABLE base_tbl CASCADE;
! NOTICE:  drop cascades to 17 other objects
  DETAIL:  drop cascades to view ro_view1
  drop cascades to view ro_view17
  drop cascades to view ro_view2
--- 262,281 ----
  ERROR:  cannot insert into view "ro_view1"
  DETAIL:  Views containing DISTINCT are not automatically updatable.
  HINT:  To enable inserting into the view, provide an INSTEAD OF INSERT trigger or an unconditional ON INSERT DO INSTEAD rule.
! DELETE FROM ro_view18;
! ERROR:  cannot delete from view "ro_view18"
  DETAIL:  Views that do not select from a single table or view are not automatically updatable.
  HINT:  To enable deleting from the view, provide an INSTEAD OF DELETE trigger or an unconditional ON DELETE DO INSTEAD rule.
! UPDATE ro_view19 SET max_value=1000;
! ERROR:  cannot update view "ro_view19"
  DETAIL:  Views that do not select from a single table or view are not automatically updatable.
  HINT:  To enable updating the view, provide an INSTEAD OF UPDATE trigger or an unconditional ON UPDATE DO INSTEAD rule.
! UPDATE ro_view20 SET b=upper(b);
! ERROR:  cannot update view "ro_view20"
  DETAIL:  Views that return set-returning functions are not automatically updatable.
  HINT:  To enable updating the view, provide an INSTEAD OF UPDATE trigger or an unconditional ON UPDATE DO INSTEAD rule.
  DROP TABLE base_tbl CASCADE;
! NOTICE:  drop cascades to 16 other objects
  DETAIL:  drop cascades to view ro_view1
  drop cascades to view ro_view17
  drop cascades to view ro_view2
*************** drop cascades to view ro_view11
*** 299,311 ****
  drop cascades to view ro_view13
  drop cascades to view rw_view15
  drop cascades to view rw_view16
! drop cascades to view ro_view18
! drop cascades to view ro_view21
  drop cascades to view ro_view4
  drop cascades to view rw_view14
! DROP VIEW ro_view10, ro_view12, ro_view19;
  DROP SEQUENCE seq CASCADE;
! NOTICE:  drop cascades to view ro_view20
  -- simple updatable view
  CREATE TABLE base_tbl (a int PRIMARY KEY, b text DEFAULT 'Unspecified');
  INSERT INTO base_tbl SELECT i, 'Row ' || i FROM generate_series(-2, 2) g(i);
--- 289,300 ----
  drop cascades to view ro_view13
  drop cascades to view rw_view15
  drop cascades to view rw_view16
! drop cascades to view ro_view20
  drop cascades to view ro_view4
  drop cascades to view rw_view14
! DROP VIEW ro_view10, ro_view12, ro_view18;
  DROP SEQUENCE seq CASCADE;
! NOTICE:  drop cascades to view ro_view19
  -- simple updatable view
  CREATE TABLE base_tbl (a int PRIMARY KEY, b text DEFAULT 'Unspecified');
  INSERT INTO base_tbl SELECT i, 'Row ' || i FROM generate_series(-2, 2) g(i);
*************** DROP TABLE base_tbl CASCADE;
*** 1740,1742 ****
--- 1729,1987 ----
  NOTICE:  drop cascades to 2 other objects
  DETAIL:  drop cascades to view rw_view1
  drop cascades to view rw_view2
+ -- security barrier view
+ CREATE TABLE base_tbl (person text, visibility text);
+ INSERT INTO base_tbl VALUES ('Tom', 'public'),
+                             ('Dick', 'private'),
+                             ('Harry', 'public');
+ CREATE VIEW rw_view1 AS
+   SELECT person FROM base_tbl WHERE visibility = 'public';
+ CREATE FUNCTION snoop(val text)
+ RETURNS boolean AS
+ $$
+ BEGIN
+   RAISE NOTICE 'snooped value: %', val;
+   RETURN true;
+ END;
+ $$
+ LANGUAGE plpgsql COST 0.000001;
+ SELECT * FROM rw_view1 WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Dick
+ NOTICE:  snooped value: Harry
+  person 
+ --------
+  Tom
+  Harry
+ (2 rows)
+ 
+ UPDATE rw_view1 SET person=person WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Dick
+ NOTICE:  snooped value: Harry
+ DELETE FROM rw_view1 WHERE NOT snoop(person);
+ NOTICE:  snooped value: Dick
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ ALTER VIEW rw_view1 SET (security_barrier = true);
+ SELECT table_name, is_insertable_into
+   FROM information_schema.tables
+  WHERE table_name = 'rw_view1';
+  table_name | is_insertable_into 
+ ------------+--------------------
+  rw_view1   | YES
+ (1 row)
+ 
+ SELECT table_name, is_updatable, is_insertable_into
+   FROM information_schema.views
+  WHERE table_name = 'rw_view1';
+  table_name | is_updatable | is_insertable_into 
+ ------------+--------------+--------------------
+  rw_view1   | YES          | YES
+ (1 row)
+ 
+ SELECT table_name, column_name, is_updatable
+   FROM information_schema.columns
+  WHERE table_name = 'rw_view1'
+  ORDER BY ordinal_position;
+  table_name | column_name | is_updatable 
+ ------------+-------------+--------------
+  rw_view1   | person      | YES
+ (1 row)
+ 
+ SELECT * FROM rw_view1 WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+  person 
+ --------
+  Tom
+  Harry
+ (2 rows)
+ 
+ UPDATE rw_view1 SET person=person WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ DELETE FROM rw_view1 WHERE NOT snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ EXPLAIN (costs off) SELECT * FROM rw_view1 WHERE snoop(person);
+                   QUERY PLAN                   
+ -----------------------------------------------
+  Subquery Scan on rw_view1
+    Filter: snoop(rw_view1.person)
+    ->  Seq Scan on base_tbl
+          Filter: (visibility = 'public'::text)
+ (4 rows)
+ 
+ EXPLAIN (costs off) UPDATE rw_view1 SET person=person WHERE snoop(person);
+                      QUERY PLAN                      
+ -----------------------------------------------------
+  Update on base_tbl base_tbl_1
+    ->  Subquery Scan on base_tbl
+          Filter: snoop(base_tbl.person)
+          ->  Seq Scan on base_tbl base_tbl_2
+                Filter: (visibility = 'public'::text)
+ (5 rows)
+ 
+ EXPLAIN (costs off) DELETE FROM rw_view1 WHERE NOT snoop(person);
+                      QUERY PLAN                      
+ -----------------------------------------------------
+  Delete on base_tbl base_tbl_1
+    ->  Subquery Scan on base_tbl
+          Filter: (NOT snoop(base_tbl.person))
+          ->  Seq Scan on base_tbl base_tbl_2
+                Filter: (visibility = 'public'::text)
+ (5 rows)
+ 
+ -- security barrier view on top of security barrier view
+ CREATE VIEW rw_view2 WITH (security_barrier = true) AS
+   SELECT * FROM rw_view1 WHERE snoop(person);
+ SELECT table_name, is_insertable_into
+   FROM information_schema.tables
+  WHERE table_name = 'rw_view2';
+  table_name | is_insertable_into 
+ ------------+--------------------
+  rw_view2   | YES
+ (1 row)
+ 
+ SELECT table_name, is_updatable, is_insertable_into
+   FROM information_schema.views
+  WHERE table_name = 'rw_view2';
+  table_name | is_updatable | is_insertable_into 
+ ------------+--------------+--------------------
+  rw_view2   | YES          | YES
+ (1 row)
+ 
+ SELECT table_name, column_name, is_updatable
+   FROM information_schema.columns
+  WHERE table_name = 'rw_view2'
+  ORDER BY ordinal_position;
+  table_name | column_name | is_updatable 
+ ------------+-------------+--------------
+  rw_view2   | person      | YES
+ (1 row)
+ 
+ SELECT * FROM rw_view2 WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ NOTICE:  snooped value: Harry
+  person 
+ --------
+  Tom
+  Harry
+ (2 rows)
+ 
+ UPDATE rw_view2 SET person=person WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ NOTICE:  snooped value: Harry
+ DELETE FROM rw_view2 WHERE NOT snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ NOTICE:  snooped value: Harry
+ EXPLAIN (costs off) SELECT * FROM rw_view2 WHERE snoop(person);
+                      QUERY PLAN                      
+ -----------------------------------------------------
+  Subquery Scan on rw_view2
+    Filter: snoop(rw_view2.person)
+    ->  Subquery Scan on rw_view1
+          Filter: snoop(rw_view1.person)
+          ->  Seq Scan on base_tbl
+                Filter: (visibility = 'public'::text)
+ (6 rows)
+ 
+ EXPLAIN (costs off) UPDATE rw_view2 SET person=person WHERE snoop(person);
+                         QUERY PLAN                         
+ -----------------------------------------------------------
+  Update on base_tbl base_tbl_1
+    ->  Subquery Scan on base_tbl
+          Filter: snoop(base_tbl.person)
+          ->  Subquery Scan on base_tbl_2
+                Filter: snoop(base_tbl_2.person)
+                ->  Seq Scan on base_tbl base_tbl_3
+                      Filter: (visibility = 'public'::text)
+ (7 rows)
+ 
+ EXPLAIN (costs off) DELETE FROM rw_view2 WHERE NOT snoop(person);
+                         QUERY PLAN                         
+ -----------------------------------------------------------
+  Delete on base_tbl base_tbl_1
+    ->  Subquery Scan on base_tbl
+          Filter: (NOT snoop(base_tbl.person))
+          ->  Subquery Scan on base_tbl_2
+                Filter: snoop(base_tbl_2.person)
+                ->  Seq Scan on base_tbl base_tbl_3
+                      Filter: (visibility = 'public'::text)
+ (7 rows)
+ 
+ DROP TABLE base_tbl CASCADE;
+ NOTICE:  drop cascades to 2 other objects
+ DETAIL:  drop cascades to view rw_view1
+ drop cascades to view rw_view2
+ -- security barrier view on top of table with rules
+ CREATE TABLE base_tbl(id int PRIMARY KEY, data text, deleted boolean);
+ INSERT INTO base_tbl VALUES (1, 'Row 1', false), (2, 'Row 2', true);
+ CREATE RULE base_tbl_ins_rule AS ON INSERT TO base_tbl
+   WHERE EXISTS (SELECT 1 FROM base_tbl t WHERE t.id = new.id)
+   DO INSTEAD
+     UPDATE base_tbl SET data = new.data, deleted = false WHERE id = new.id;
+ CREATE RULE base_tbl_del_rule AS ON DELETE TO base_tbl
+   DO INSTEAD
+     UPDATE base_tbl SET deleted = true WHERE id = old.id;
+ CREATE VIEW rw_view1 WITH (security_barrier=true) AS
+   SELECT id, data FROM base_tbl WHERE NOT deleted;
+ SELECT * FROM rw_view1;
+  id | data  
+ ----+-------
+   1 | Row 1
+ (1 row)
+ 
+ EXPLAIN (costs off) DELETE FROM rw_view1 WHERE id = 1 AND snoop(data);
+                                QUERY PLAN                                
+ -------------------------------------------------------------------------
+  Update on base_tbl base_tbl_1
+    ->  Nested Loop
+          ->  Index Scan using base_tbl_pkey on base_tbl base_tbl_1
+                Index Cond: (id = 1)
+          ->  Subquery Scan on base_tbl
+                Filter: snoop(base_tbl.data)
+                ->  Index Scan using base_tbl_pkey on base_tbl base_tbl_2
+                      Index Cond: (id = 1)
+                      Filter: (NOT deleted)
+ (9 rows)
+ 
+ DELETE FROM rw_view1 WHERE id = 1 AND snoop(data);
+ NOTICE:  snooped value: Row 1
+ EXPLAIN (costs off) INSERT INTO rw_view1 VALUES (2, 'New row 2');
+                         QUERY PLAN                         
+ -----------------------------------------------------------
+  Insert on base_tbl
+    InitPlan 1 (returns $0)
+      ->  Index Only Scan using base_tbl_pkey on base_tbl t
+            Index Cond: (id = 2)
+    ->  Result
+          One-Time Filter: ($0 IS NOT TRUE)
+  
+  Update on base_tbl
+    InitPlan 1 (returns $0)
+      ->  Index Only Scan using base_tbl_pkey on base_tbl t
+            Index Cond: (id = 2)
+    ->  Result
+          One-Time Filter: $0
+          ->  Index Scan using base_tbl_pkey on base_tbl
+                Index Cond: (id = 2)
+ (15 rows)
+ 
+ INSERT INTO rw_view1 VALUES (2, 'New row 2');
+ SELECT * FROM base_tbl;
+  id |   data    | deleted 
+ ----+-----------+---------
+   1 | Row 1     | t
+   2 | New row 2 | f
+ (2 rows)
+ 
+ DROP TABLE base_tbl CASCADE;
+ NOTICE:  drop cascades to view rw_view1
diff --git a/src/test/regress/sql/updatable_views.sql b/src/test/regress/sql/updatable_views.sql
new file mode 100644
index a77cf19..08f7504
*** a/src/test/regress/sql/updatable_views.sql
--- b/src/test/regress/sql/updatable_views.sql
*************** CREATE VIEW rw_view14 AS SELECT ctid, a,
*** 25,36 ****
  CREATE VIEW rw_view15 AS SELECT a, upper(b) FROM base_tbl; -- Expression/function may be part of an updatable view
  CREATE VIEW rw_view16 AS SELECT a, b, a AS aa FROM base_tbl; -- Repeated column may be part of an updatable view
  CREATE VIEW ro_view17 AS SELECT * FROM ro_view1; -- Base relation not updatable
! CREATE VIEW ro_view18 WITH (security_barrier = true)
!   AS SELECT * FROM base_tbl; -- Security barrier views not updatable
! CREATE VIEW ro_view19 AS SELECT * FROM (VALUES(1)) AS tmp(a); -- VALUES in rangetable
  CREATE SEQUENCE seq;
! CREATE VIEW ro_view20 AS SELECT * FROM seq; -- View based on a sequence
! CREATE VIEW ro_view21 AS SELECT a, b, generate_series(1, a) g FROM base_tbl; -- SRF in targetlist not supported
  
  SELECT table_name, is_insertable_into
    FROM information_schema.tables
--- 25,34 ----
  CREATE VIEW rw_view15 AS SELECT a, upper(b) FROM base_tbl; -- Expression/function may be part of an updatable view
  CREATE VIEW rw_view16 AS SELECT a, b, a AS aa FROM base_tbl; -- Repeated column may be part of an updatable view
  CREATE VIEW ro_view17 AS SELECT * FROM ro_view1; -- Base relation not updatable
! CREATE VIEW ro_view18 AS SELECT * FROM (VALUES(1)) AS tmp(a); -- VALUES in rangetable
  CREATE SEQUENCE seq;
! CREATE VIEW ro_view19 AS SELECT * FROM seq; -- View based on a sequence
! CREATE VIEW ro_view20 AS SELECT a, b, generate_series(1, a) g FROM base_tbl; -- SRF in targetlist not supported
  
  SELECT table_name, is_insertable_into
    FROM information_schema.tables
*************** SELECT * FROM base_tbl;
*** 87,99 ****
  DELETE FROM rw_view16 WHERE a=-3; -- should be OK
  -- Read-only views
  INSERT INTO ro_view17 VALUES (3, 'ROW 3');
! INSERT INTO ro_view18 VALUES (3, 'ROW 3');
! DELETE FROM ro_view19;
! UPDATE ro_view20 SET max_value=1000;
! UPDATE ro_view21 SET b=upper(b);
  
  DROP TABLE base_tbl CASCADE;
! DROP VIEW ro_view10, ro_view12, ro_view19;
  DROP SEQUENCE seq CASCADE;
  
  -- simple updatable view
--- 85,96 ----
  DELETE FROM rw_view16 WHERE a=-3; -- should be OK
  -- Read-only views
  INSERT INTO ro_view17 VALUES (3, 'ROW 3');
! DELETE FROM ro_view18;
! UPDATE ro_view19 SET max_value=1000;
! UPDATE ro_view20 SET b=upper(b);
  
  DROP TABLE base_tbl CASCADE;
! DROP VIEW ro_view10, ro_view12, ro_view18;
  DROP SEQUENCE seq CASCADE;
  
  -- simple updatable view
*************** CREATE VIEW rw_view2 AS
*** 828,830 ****
--- 825,931 ----
    SELECT * FROM rw_view1 WHERE a > b WITH LOCAL CHECK OPTION;
  INSERT INTO rw_view2 VALUES (2,3); -- ok, but not in view (doesn't fail rw_view2's check)
  DROP TABLE base_tbl CASCADE;
+ 
+ -- security barrier view
+ 
+ CREATE TABLE base_tbl (person text, visibility text);
+ INSERT INTO base_tbl VALUES ('Tom', 'public'),
+                             ('Dick', 'private'),
+                             ('Harry', 'public');
+ 
+ CREATE VIEW rw_view1 AS
+   SELECT person FROM base_tbl WHERE visibility = 'public';
+ 
+ CREATE FUNCTION snoop(val text)
+ RETURNS boolean AS
+ $$
+ BEGIN
+   RAISE NOTICE 'snooped value: %', val;
+   RETURN true;
+ END;
+ $$
+ LANGUAGE plpgsql COST 0.000001;
+ 
+ SELECT * FROM rw_view1 WHERE snoop(person);
+ UPDATE rw_view1 SET person=person WHERE snoop(person);
+ DELETE FROM rw_view1 WHERE NOT snoop(person);
+ 
+ ALTER VIEW rw_view1 SET (security_barrier = true);
+ 
+ SELECT table_name, is_insertable_into
+   FROM information_schema.tables
+  WHERE table_name = 'rw_view1';
+ 
+ SELECT table_name, is_updatable, is_insertable_into
+   FROM information_schema.views
+  WHERE table_name = 'rw_view1';
+ 
+ SELECT table_name, column_name, is_updatable
+   FROM information_schema.columns
+  WHERE table_name = 'rw_view1'
+  ORDER BY ordinal_position;
+ 
+ SELECT * FROM rw_view1 WHERE snoop(person);
+ UPDATE rw_view1 SET person=person WHERE snoop(person);
+ DELETE FROM rw_view1 WHERE NOT snoop(person);
+ 
+ EXPLAIN (costs off) SELECT * FROM rw_view1 WHERE snoop(person);
+ EXPLAIN (costs off) UPDATE rw_view1 SET person=person WHERE snoop(person);
+ EXPLAIN (costs off) DELETE FROM rw_view1 WHERE NOT snoop(person);
+ 
+ -- security barrier view on top of security barrier view
+ 
+ CREATE VIEW rw_view2 WITH (security_barrier = true) AS
+   SELECT * FROM rw_view1 WHERE snoop(person);
+ 
+ SELECT table_name, is_insertable_into
+   FROM information_schema.tables
+  WHERE table_name = 'rw_view2';
+ 
+ SELECT table_name, is_updatable, is_insertable_into
+   FROM information_schema.views
+  WHERE table_name = 'rw_view2';
+ 
+ SELECT table_name, column_name, is_updatable
+   FROM information_schema.columns
+  WHERE table_name = 'rw_view2'
+  ORDER BY ordinal_position;
+ 
+ SELECT * FROM rw_view2 WHERE snoop(person);
+ UPDATE rw_view2 SET person=person WHERE snoop(person);
+ DELETE FROM rw_view2 WHERE NOT snoop(person);
+ 
+ EXPLAIN (costs off) SELECT * FROM rw_view2 WHERE snoop(person);
+ EXPLAIN (costs off) UPDATE rw_view2 SET person=person WHERE snoop(person);
+ EXPLAIN (costs off) DELETE FROM rw_view2 WHERE NOT snoop(person);
+ 
+ DROP TABLE base_tbl CASCADE;
+ 
+ -- security barrier view on top of table with rules
+ 
+ CREATE TABLE base_tbl(id int PRIMARY KEY, data text, deleted boolean);
+ INSERT INTO base_tbl VALUES (1, 'Row 1', false), (2, 'Row 2', true);
+ 
+ CREATE RULE base_tbl_ins_rule AS ON INSERT TO base_tbl
+   WHERE EXISTS (SELECT 1 FROM base_tbl t WHERE t.id = new.id)
+   DO INSTEAD
+     UPDATE base_tbl SET data = new.data, deleted = false WHERE id = new.id;
+ 
+ CREATE RULE base_tbl_del_rule AS ON DELETE TO base_tbl
+   DO INSTEAD
+     UPDATE base_tbl SET deleted = true WHERE id = old.id;
+ 
+ CREATE VIEW rw_view1 WITH (security_barrier=true) AS
+   SELECT id, data FROM base_tbl WHERE NOT deleted;
+ 
+ SELECT * FROM rw_view1;
+ 
+ EXPLAIN (costs off) DELETE FROM rw_view1 WHERE id = 1 AND snoop(data);
+ DELETE FROM rw_view1 WHERE id = 1 AND snoop(data);
+ 
+ EXPLAIN (costs off) INSERT INTO rw_view1 VALUES (2, 'New row 2');
+ INSERT INTO rw_view1 VALUES (2, 'New row 2');
+ 
+ SELECT * FROM base_tbl;
+ 
+ DROP TABLE base_tbl CASCADE;

diff --git a/doc/src/sgml/ref/create_view.sgml b/doc/src/sgml/ref/create_view.sgml
new file mode 100644
index 57bfae3..3224d9f 100644
*** a/doc/src/sgml/ref/create_view.sgml
--- b/doc/src/sgml/ref/create_view.sgml
*************** CREATE VIEW vista AS SELECT text 'Hello
*** 323,334 ****
         or set-returning functions.
        </para>
       </listitem>
- 
-      <listitem>
-       <para>
-        The view must not have the <literal>security_barrier</> property.
-       </para>
-      </listitem>
      </itemizedlist>
     </para>
  
--- 323,328 ----
*************** CREATE VIEW vista AS SELECT text 'Hello
*** 362,367 ****
--- 356,373 ----
     </para>
  
     <para>
+     If an automatically updatable view is marked with the
+     <literal>security_barrier</> property then all the view's <literal>WHERE</>
+     conditions (and any conditions using operators which are marked as LEAKPROOF)
+     will always be evaluated before any conditions that a user of the view has
+     added.   See <xref linkend="rules-privileges"> for full details.  Note that,
+     due to this, rows which are not ultimately returned (because they do not
+     pass the user's <literal>WHERE</> conditions) may still end up being locked.
+     <command>EXPLAIN</command> can be used to see which conditions are
+     applied before the LockRows and which are not, for a given query.
+    </para>
+ 
+    <para>
      A more complex view that does not satisfy all these conditions is
      read-only by default: the system will not allow an insert, update, or
      delete on the view.  You can get the effect of an updatable view by
diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c
new file mode 100644
index 8f9e5e5..f5ae98f 100644
*** a/src/backend/commands/tablecmds.c
--- b/src/backend/commands/tablecmds.c
*************** ATExecSetRelOptions(Relation rel, List *
*** 8910,8916 ****
  		List	   *view_options = untransformRelOptions(newOptions);
  		ListCell   *cell;
  		bool		check_option = false;
- 		bool		security_barrier = false;
  
  		foreach(cell, view_options)
  		{
--- 8910,8915 ----
*************** ATExecSetRelOptions(Relation rel, List *
*** 8918,8925 ****
  
  			if (pg_strcasecmp(defel->defname, "check_option") == 0)
  				check_option = true;
- 			if (pg_strcasecmp(defel->defname, "security_barrier") == 0)
- 				security_barrier = defGetBoolean(defel);
  		}
  
  		/*
--- 8917,8922 ----
*************** ATExecSetRelOptions(Relation rel, List *
*** 8929,8936 ****
  		if (check_option)
  		{
  			const char *view_updatable_error =
! 				view_query_is_auto_updatable(view_query,
! 											 security_barrier, true);
  
  			if (view_updatable_error)
  				ereport(ERROR,
--- 8926,8932 ----
  		if (check_option)
  		{
  			const char *view_updatable_error =
! 				view_query_is_auto_updatable(view_query, true);
  
  			if (view_updatable_error)
  				ereport(ERROR,
diff --git a/src/backend/commands/view.c b/src/backend/commands/view.c
new file mode 100644
index 1735762..bc08566 100644
*** a/src/backend/commands/view.c
--- b/src/backend/commands/view.c
*************** DefineView(ViewStmt *stmt, const char *q
*** 396,402 ****
  	RangeVar   *view;
  	ListCell   *cell;
  	bool		check_option;
- 	bool		security_barrier;
  
  	/*
  	 * Run parse analysis to convert the raw parse tree to a Query.  Note this
--- 396,401 ----
*************** DefineView(ViewStmt *stmt, const char *q
*** 451,457 ****
  	 * specified.
  	 */
  	check_option = false;
- 	security_barrier = false;
  
  	foreach(cell, stmt->options)
  	{
--- 450,455 ----
*************** DefineView(ViewStmt *stmt, const char *q
*** 459,466 ****
  
  		if (pg_strcasecmp(defel->defname, "check_option") == 0)
  			check_option = true;
- 		if (pg_strcasecmp(defel->defname, "security_barrier") == 0)
- 			security_barrier = defGetBoolean(defel);
  	}
  
  	/*
--- 457,462 ----
*************** DefineView(ViewStmt *stmt, const char *q
*** 470,476 ****
  	if (check_option)
  	{
  		const char *view_updatable_error =
! 			view_query_is_auto_updatable(viewParse, security_barrier, true);
  
  		if (view_updatable_error)
  			ereport(ERROR,
--- 466,472 ----
  	if (check_option)
  	{
  		const char *view_updatable_error =
! 			view_query_is_auto_updatable(viewParse, true);
  
  		if (view_updatable_error)
  			ereport(ERROR,
diff --git a/src/backend/nodes/copyfuncs.c b/src/backend/nodes/copyfuncs.c
new file mode 100644
index c89d808..98ad910 100644
*** a/src/backend/nodes/copyfuncs.c
--- b/src/backend/nodes/copyfuncs.c
*************** _copyRangeTblEntry(const RangeTblEntry *
*** 1998,2003 ****
--- 1998,2004 ----
  	COPY_SCALAR_FIELD(checkAsUser);
  	COPY_BITMAPSET_FIELD(selectedCols);
  	COPY_BITMAPSET_FIELD(modifiedCols);
+ 	COPY_NODE_FIELD(securityQuals);
  
  	return newnode;
  }
diff --git a/src/backend/nodes/equalfuncs.c b/src/backend/nodes/equalfuncs.c
new file mode 100644
index 9793cf5..9901d23 100644
*** a/src/backend/nodes/equalfuncs.c
--- b/src/backend/nodes/equalfuncs.c
*************** _equalRangeTblEntry(const RangeTblEntry
*** 2296,2301 ****
--- 2296,2302 ----
  	COMPARE_SCALAR_FIELD(checkAsUser);
  	COMPARE_BITMAPSET_FIELD(selectedCols);
  	COMPARE_BITMAPSET_FIELD(modifiedCols);
+ 	COMPARE_NODE_FIELD(securityQuals);
  
  	return true;
  }
diff --git a/src/backend/nodes/nodeFuncs.c b/src/backend/nodes/nodeFuncs.c
new file mode 100644
index 123f2a6..1e48a7f 100644
*** a/src/backend/nodes/nodeFuncs.c
--- b/src/backend/nodes/nodeFuncs.c
*************** range_table_walker(List *rtable,
*** 2020,2025 ****
--- 2020,2028 ----
  					return true;
  				break;
  		}
+ 
+ 		if (walker(rte->securityQuals, context))
+ 			return true;
  	}
  	return false;
  }
*************** range_table_mutator(List *rtable,
*** 2755,2760 ****
--- 2758,2764 ----
  				MUTATE(newrte->values_lists, rte->values_lists, List *);
  				break;
  		}
+ 		MUTATE(newrte->securityQuals, rte->securityQuals, List *);
  		newrt = lappend(newrt, newrte);
  	}
  	return newrt;
diff --git a/src/backend/nodes/outfuncs.c b/src/backend/nodes/outfuncs.c
new file mode 100644
index bfb4b9f..10e8139 100644
*** a/src/backend/nodes/outfuncs.c
--- b/src/backend/nodes/outfuncs.c
*************** _outRangeTblEntry(StringInfo str, const
*** 2409,2414 ****
--- 2409,2415 ----
  	WRITE_OID_FIELD(checkAsUser);
  	WRITE_BITMAPSET_FIELD(selectedCols);
  	WRITE_BITMAPSET_FIELD(modifiedCols);
+ 	WRITE_NODE_FIELD(securityQuals);
  }
  
  static void
diff --git a/src/backend/nodes/readfuncs.c b/src/backend/nodes/readfuncs.c
new file mode 100644
index 216d75e..ef1eae9 100644
*** a/src/backend/nodes/readfuncs.c
--- b/src/backend/nodes/readfuncs.c
*************** _readRangeTblEntry(void)
*** 1252,1257 ****
--- 1252,1258 ----
  	READ_OID_FIELD(checkAsUser);
  	READ_BITMAPSET_FIELD(selectedCols);
  	READ_BITMAPSET_FIELD(modifiedCols);
+ 	READ_NODE_FIELD(securityQuals);
  
  	READ_DONE();
  }
diff --git a/src/backend/optimizer/plan/planner.c b/src/backend/optimizer/plan/planner.c
new file mode 100644
index 35bda67..0508d16 100644
*** a/src/backend/optimizer/plan/planner.c
--- b/src/backend/optimizer/plan/planner.c
*************** inheritance_planner(PlannerInfo *root)
*** 916,921 ****
--- 916,927 ----
  		subplan = grouping_planner(&subroot, 0.0 /* retrieve all tuples */ );
  
  		/*
+ 		 * Planning may have modified the query result relation (if there
+ 		 * were security barrier quals on the result RTE).
+ 		 */
+ 		appinfo->child_relid = subroot.parse->resultRelation;
+ 
+ 		/*
  		 * If this child rel was excluded by constraint exclusion, exclude it
  		 * from the result plan.
  		 */
*************** inheritance_planner(PlannerInfo *root)
*** 932,940 ****
  		if (final_rtable == NIL)
  			final_rtable = subroot.parse->rtable;
  		else
! 			final_rtable = list_concat(final_rtable,
  									   list_copy_tail(subroot.parse->rtable,
  												 list_length(final_rtable)));
  
  		/*
  		 * We need to collect all the RelOptInfos from all child plans into
--- 938,977 ----
  		if (final_rtable == NIL)
  			final_rtable = subroot.parse->rtable;
  		else
! 		{
! 			List	   *tmp_rtable = NIL;
! 			ListCell   *cell1, *cell2;
! 
! 			/*
! 			 * Check to see if any of the original RTEs were turned into
! 			 * subqueries during planning.  Currently, this should only ever
! 			 * happen due to securityQuals being involved which push a
! 			 * relation down under a subquery, to ensure that the security
! 			 * barrier quals are evaluated first.
! 			 *
! 			 * When this happens, we want to use the new subqueries in the
! 			 * final rtable.
! 			 */
! 			forboth(cell1, final_rtable, cell2, subroot.parse->rtable)
! 			{
! 				RangeTblEntry *rte1 = (RangeTblEntry *) lfirst(cell1);
! 				RangeTblEntry *rte2 = (RangeTblEntry *) lfirst(cell2);
! 
! 				if (rte1->rtekind == RTE_RELATION &&
! 					rte2->rtekind == RTE_SUBQUERY)
! 				{
! 					/* Should only be when there are securityQuals today */
! 					Assert(rte1->securityQuals != NIL);
! 					tmp_rtable = lappend(tmp_rtable, rte2);
! 				}
! 				else
! 					tmp_rtable = lappend(tmp_rtable, rte1);
! 			}
! 
! 			final_rtable = list_concat(tmp_rtable,
  									   list_copy_tail(subroot.parse->rtable,
  												 list_length(final_rtable)));
+ 		}
  
  		/*
  		 * We need to collect all the RelOptInfos from all child plans into
*************** grouping_planner(PlannerInfo *root, doub
*** 1163,1168 ****
--- 1200,1211 ----
  		tlist = preprocess_targetlist(root, tlist);
  
  		/*
+ 		 * Expand any rangetable entries that have security barrier quals.
+ 		 * This may add new security barrier subquery RTEs to the rangetable.
+ 		 */
+ 		expand_security_quals(root, tlist);
+ 
+ 		/*
  		 * Locate any window functions in the tlist.  (We don't need to look
  		 * anywhere else, since expressions used in ORDER BY will be in there
  		 * too.)  Note that they could all have been eliminated by constant
diff --git a/src/backend/optimizer/prep/Makefile b/src/backend/optimizer/prep/Makefile
new file mode 100644
index 86301bf..5195d9b 100644
*** a/src/backend/optimizer/prep/Makefile
--- b/src/backend/optimizer/prep/Makefile
*************** subdir = src/backend/optimizer/prep
*** 12,17 ****
  top_builddir = ../../../..
  include $(top_builddir)/src/Makefile.global
  
! OBJS = prepjointree.o prepqual.o preptlist.o prepunion.o
  
  include $(top_srcdir)/src/backend/common.mk
--- 12,17 ----
  top_builddir = ../../../..
  include $(top_builddir)/src/Makefile.global
  
! OBJS = prepjointree.o prepqual.o prepsecurity.o preptlist.o prepunion.o
  
  include $(top_srcdir)/src/backend/common.mk
diff --git a/src/backend/optimizer/prep/prepsecurity.c b/src/backend/optimizer/prep/prepsecurity.c
new file mode 100644
index ...7daaa33 .
*** a/src/backend/optimizer/prep/prepsecurity.c
--- b/src/backend/optimizer/prep/prepsecurity.c
***************
*** 0 ****
--- 1,466 ----
+ /*-------------------------------------------------------------------------
+  *
+  * prepsecurity.c
+  *	  Routines for preprocessing security barrier quals.
+  *
+  * Portions Copyright (c) 1996-2013, PostgreSQL Global Development Group
+  * Portions Copyright (c) 1994, Regents of the University of California
+  *
+  *
+  * IDENTIFICATION
+  *	  src/backend/optimizer/prep/prepsecurity.c
+  *
+  *-------------------------------------------------------------------------
+  */
+ #include "postgres.h"
+ 
+ #include "access/heapam.h"
+ #include "access/sysattr.h"
+ #include "catalog/heap.h"
+ #include "nodes/makefuncs.h"
+ #include "nodes/nodeFuncs.h"
+ #include "optimizer/prep.h"
+ #include "parser/analyze.h"
+ #include "parser/parsetree.h"
+ #include "rewrite/rewriteManip.h"
+ #include "utils/rel.h"
+ 
+ 
+ typedef struct
+ {
+ 	int			rt_index;		/* Index of security barrier RTE */
+ 	int			sublevels_up;	/* Current nesting depth */
+ 	Relation	rel;			/* RTE relation at rt_index */
+ 	List	   *targetlist;		/* Targetlist for new subquery RTE */
+ 	List	   *colnames;		/* Column names in subquery RTE */
+ 	List	   *vars_processed;	/* List of Vars already processed */
+ } security_barrier_replace_vars_context;
+ 
+ static void expand_security_qual(PlannerInfo *root, List *tlist, int rt_index,
+ 					 RangeTblEntry *rte, Node *qual);
+ 
+ static void security_barrier_replace_vars(Node *node,
+ 							  security_barrier_replace_vars_context *context);
+ 
+ static bool security_barrier_replace_vars_walker(Node *node,
+ 									 security_barrier_replace_vars_context *context);
+ 
+ 
+ /*
+  * expand_security_quals -
+  *	  expands any security barrier quals on RTEs in the query rtable, turning
+  *	  them into security barrier subqueries.
+  *
+  * Any given RTE may have multiple security barrier quals in a list, from which
+  * we create a set of nested subqueries to isolate each security barrier from
+  * the others, providing protection against malicious user-defined security
+  * barriers.  The first security barrier qual in the list will be used in the
+  * innermost subquery.
+  */
+ void
+ expand_security_quals(PlannerInfo *root, List *tlist)
+ {
+ 	Query	   *parse = root->parse;
+ 	int			rt_index;
+ 	ListCell   *cell;
+ 
+ 	/*
+ 	 * Process each RTE in the rtable list.
+ 	 *
+ 	 * We only ever modify entries in place and append to the rtable, so it is
+ 	 * safe to use a foreach loop here.
+ 	 */
+ 	rt_index = 0;
+ 	foreach(cell, parse->rtable)
+ 	{
+ 		RangeTblEntry *rte = (RangeTblEntry *) lfirst(cell);
+ 
+ 		rt_index++;
+ 
+ 		if (rte->securityQuals == NIL)
+ 			continue;
+ 
+ 		/*
+ 		 * Ignore any RTEs that aren't used in the query (such RTEs may be
+ 		 * present for permissions checks).
+ 		 */
+ 		if (rt_index != parse->resultRelation &&
+ 			!rangeTableEntry_used((Node *) parse, rt_index, 0))
+ 			continue;
+ 
+ 		/*
+ 		 * If this RTE is the target then we need to make a copy of it before
+ 		 * expanding it.  The unexpanded copy will become the new target, and
+ 		 * the original RTE will be expanded to become the source of rows to
+ 		 * update/delete.
+ 		 */
+ 		if (rt_index == parse->resultRelation)
+ 		{
+ 			RangeTblEntry *newrte = copyObject(rte);
+ 			parse->rtable = lappend(parse->rtable, newrte);
+ 			parse->resultRelation = list_length(parse->rtable);
+ 
+ 			/*
+ 			 * Wipe out any copied security barrier quals on the new target to
+ 			 * prevent infinite recursion.
+ 			 */
+ 			newrte->securityQuals = NIL;
+ 
+ 			/*
+ 			 * There's no need to do permissions checks twice, so wipe out the
+ 			 * permissions info for the original RTE (we prefer to keep the
+ 			 * bits set on the result RTE).
+ 			 */
+ 			rte->requiredPerms = 0;
+ 			rte->checkAsUser = InvalidOid;
+ 			rte->selectedCols = NULL;
+ 			rte->modifiedCols = NULL;
+ 
+ 			/*
+ 			 * For the most part, Vars referencing the original relation should
+ 			 * remain as they are, meaning that they pull OLD values from the
+ 			 * expanded RTE.  But in the RETURNING list and in any WITH CHECK
+ 			 * OPTION quals, we want such Vars to represent NEW values, so
+ 			 * change them to reference the new RTE.
+ 			 */
+ 			ChangeVarNodes((Node *) parse->returningList, rt_index,
+ 						   parse->resultRelation, 0);
+ 
+ 			ChangeVarNodes((Node *) parse->withCheckOptions, rt_index,
+ 						   parse->resultRelation, 0);
+ 		}
+ 
+ 		/*
+ 		 * Process each security barrier qual in turn, starting with the
+ 		 * innermost one (the first in the list) and working outwards.
+ 		 *
+ 		 * We remove each qual from the list before processing it, so that its
+ 		 * variables aren't modified by expand_security_qual.  Also we don't
+ 		 * necessarily want the attributes referred to by the qual to be
+ 		 * exposed by the newly built subquery.
+ 		 */
+ 		while (rte->securityQuals != NIL)
+ 		{
+ 			Node   *qual = (Node *) linitial(rte->securityQuals);
+ 			rte->securityQuals = list_delete_first(rte->securityQuals);
+ 
+ 			ChangeVarNodes(qual, rt_index, 1, 0);
+ 			expand_security_qual(root, tlist, rt_index, rte, qual);
+ 		}
+ 	}
+ }
+ 
+ 
+ /*
+  * expand_security_qual -
+  *	  expand the specified security barrier qual on a query RTE, turning the
+  *	  RTE into a security barrier subquery.
+  */
+ static void
+ expand_security_qual(PlannerInfo *root, List *tlist, int rt_index,
+ 					 RangeTblEntry *rte, Node *qual)
+ {
+ 	Query		   *parse = root->parse;
+ 	Oid				relid = rte->relid;
+ 	Query		   *subquery;
+ 	RangeTblEntry  *subrte;
+ 	RangeTblRef	   *subrtr;
+ 	PlanRowMark	   *rc;
+ 	security_barrier_replace_vars_context context;
+ 	ListCell	   *cell;
+ 
+ 	/*
+ 	 * There should only be 2 possible cases:
+ 	 *
+ 	 * 1. A relation RTE, which we turn into a subquery RTE containing all
+ 	 * referenced columns.
+ 	 *
+ 	 * 2. A subquery RTE (either from a prior call to this function or from an
+ 	 * expanded view).  In this case we build a new subquery on top of it to
+ 	 * isolate this security barrier qual from any other quals.
+ 	 */
+ 	switch (rte->rtekind)
+ 	{
+ 		case RTE_RELATION:
+ 			/*
+ 			 * Turn the relation RTE into a security barrier subquery RTE,
+ 			 * moving all permissions checks down into the subquery.
+ 			 */
+ 			subquery = makeNode(Query);
+ 			subquery->commandType = CMD_SELECT;
+ 			subquery->querySource = QSRC_INSTEAD_RULE;
+ 
+ 			subrte = copyObject(rte);
+ 			subrte->inFromCl = true;
+ 			subrte->securityQuals = NIL;
+ 			subquery->rtable = list_make1(subrte);
+ 
+ 			subrtr = makeNode(RangeTblRef);
+ 			subrtr->rtindex = 1;
+ 			subquery->jointree = makeFromExpr(list_make1(subrtr), qual);
+ 			subquery->hasSubLinks = checkExprHasSubLink(qual);
+ 
+ 			rte->rtekind = RTE_SUBQUERY;
+ 			rte->relid = InvalidOid;
+ 			rte->subquery = subquery;
+ 			rte->security_barrier = true;
+ 			rte->inh = false;			/* must not be set for a subquery */
+ 
+ 			/* the permissions checks have now been moved down */
+ 			rte->requiredPerms = 0;
+ 			rte->checkAsUser = InvalidOid;
+ 			rte->selectedCols = NULL;
+ 			rte->modifiedCols = NULL;
+ 
+ 			/*
+ 			 * Now deal with any PlanRowMark on this RTE by requesting a lock
+ 			 * of the same strength on the RTE copied down to the subquery.
+ 			 *
+ 			 * Note that we can't push the user-defined quals down since they
+ 			 * may included untrusted functions and that means that we will
+ 			 * end up locking all rows which pass the securityQuals, even if
+ 			 * those rows don't pass the user-defined quals.  This is currently
+ 			 * documented behavior, but it'd be nice to come up with a better
+ 			 * solution some day.
+ 			 */
+ 			rc = get_plan_rowmark(root->rowMarks, rt_index);
+ 			if (rc != NULL)
+ 			{
+ 				switch (rc->markType)
+ 				{
+ 					case ROW_MARK_EXCLUSIVE:
+ 						applyLockingClause(subquery, 1, LCS_FORUPDATE,
+ 										   rc->noWait, false);
+ 						break;
+ 					case ROW_MARK_NOKEYEXCLUSIVE:
+ 						applyLockingClause(subquery, 1, LCS_FORNOKEYUPDATE,
+ 										   rc->noWait, false);
+ 						break;
+ 					case ROW_MARK_SHARE:
+ 						applyLockingClause(subquery, 1, LCS_FORSHARE,
+ 										   rc->noWait, false);
+ 						break;
+ 					case ROW_MARK_KEYSHARE:
+ 						applyLockingClause(subquery, 1, LCS_FORKEYSHARE,
+ 										   rc->noWait, false);
+ 						break;
+ 					case ROW_MARK_REFERENCE:
+ 					case ROW_MARK_COPY:
+ 						/* No locking needed */
+ 						break;
+ 				}
+ 				root->rowMarks = list_delete(root->rowMarks, rc);
+ 			}
+ 
+ 			/*
+ 			 * Replace any variables in the outer query that refer to the
+ 			 * original relation RTE with references to columns that we will
+ 			 * expose in the new subquery, building the subquery's targetlist
+ 			 * as we go.
+ 			 */
+ 			context.rt_index = rt_index;
+ 			context.sublevels_up = 0;
+ 			context.rel = heap_open(relid, NoLock);
+ 			context.targetlist = NIL;
+ 			context.colnames = NIL;
+ 			context.vars_processed = NIL;
+ 
+ 			security_barrier_replace_vars((Node *) parse, &context);
+ 			security_barrier_replace_vars((Node *) tlist, &context);
+ 
+ 			heap_close(context.rel, NoLock);
+ 
+ 			/* Now we know what columns the subquery needs to expose */
+ 			rte->subquery->targetList = context.targetlist;
+ 			rte->eref = makeAlias(rte->eref->aliasname, context.colnames);
+ 
+ 			break;
+ 
+ 		case RTE_SUBQUERY:
+ 			/*
+ 			 * Build a new subquery that includes all the same columns as the
+ 			 * original subquery.
+ 			 */
+ 			subquery = makeNode(Query);
+ 			subquery->commandType = CMD_SELECT;
+ 			subquery->querySource = QSRC_INSTEAD_RULE;
+ 			subquery->targetList = NIL;
+ 
+ 			foreach(cell, rte->subquery->targetList)
+ 			{
+ 				TargetEntry	   *tle;
+ 				Var			   *var;
+ 
+ 				tle = (TargetEntry *) lfirst(cell);
+ 				var = makeVarFromTargetEntry(1, tle);
+ 
+ 				tle = makeTargetEntry((Expr *) var,
+ 									  list_length(subquery->targetList) + 1,
+ 									  pstrdup(tle->resname),
+ 									  tle->resjunk);
+ 				subquery->targetList = lappend(subquery->targetList, tle);
+ 			}
+ 
+ 			subrte = makeNode(RangeTblEntry);
+ 			subrte->rtekind = RTE_SUBQUERY;
+ 			subrte->subquery = rte->subquery;
+ 			subrte->security_barrier = rte->security_barrier;
+ 			subrte->eref = copyObject(rte->eref);
+ 			subrte->inFromCl = true;
+ 			subquery->rtable = list_make1(subrte);
+ 
+ 			subrtr = makeNode(RangeTblRef);
+ 			subrtr->rtindex = 1;
+ 			subquery->jointree = makeFromExpr(list_make1(subrtr), qual);
+ 			subquery->hasSubLinks = checkExprHasSubLink(qual);
+ 
+ 			rte->subquery = subquery;
+ 			rte->security_barrier = true;
+ 
+ 			break;
+ 
+ 		default:
+ 			elog(ERROR, "invalid range table entry for security barrier qual");
+ 	}
+ }
+ 
+ 
+ /*
+  * security_barrier_replace_vars -
+  *	  Apply security barrier variable replacement to an expression tree.
+  *
+  * This also builds/updates a targetlist with entries for each replacement
+  * variable that needs to be exposed by the security barrier subquery RTE.
+  *
+  * NOTE: although this has the form of a walker, we cheat and modify the
+  * nodes in-place.	The given expression tree should have been copied
+  * earlier to ensure that no unwanted side-effects occur!
+  */
+ static void
+ security_barrier_replace_vars(Node *node,
+ 							  security_barrier_replace_vars_context *context)
+ {
+ 	/*
+ 	 * Must be prepared to start with a Query or a bare expression tree; if
+ 	 * it's a Query, go straight to query_tree_walker to make sure that
+ 	 * sublevels_up doesn't get incremented prematurely.
+ 	 */
+ 	if (node && IsA(node, Query))
+ 		query_tree_walker((Query *) node,
+ 						  security_barrier_replace_vars_walker,
+ 						  (void *) context, 0);
+ 	else
+ 		security_barrier_replace_vars_walker(node, context);
+ }
+ 
+ static bool
+ security_barrier_replace_vars_walker(Node *node,
+ 									 security_barrier_replace_vars_context *context)
+ {
+ 	if (node == NULL)
+ 		return false;
+ 
+ 	if (IsA(node, Var))
+ 	{
+ 		Var		   *var = (Var *) node;
+ 
+ 		/*
+ 		 * Note that the same Var may be present in different lists, so we
+ 		 * need to take care not to process it multiple times.
+ 		 */
+ 		if (var->varno == context->rt_index &&
+ 			var->varlevelsup == context->sublevels_up &&
+ 			!list_member_ptr(context->vars_processed, var))
+ 		{
+ 			/*
+ 			 * Found a matching variable. Make sure that it is in the subquery
+ 			 * targetlist and map its attno accordingly.
+ 			 */
+ 			AttrNumber	attno;
+ 			ListCell   *l;
+ 			TargetEntry *tle;
+ 			char	   *attname;
+ 			Var		   *newvar;
+ 
+ 			/* Search for the base attribute in the subquery targetlist */
+ 			attno = InvalidAttrNumber;
+ 			foreach(l, context->targetlist)
+ 			{
+ 				tle = (TargetEntry *) lfirst(l);
+ 				attno++;
+ 
+ 				Assert(IsA(tle->expr, Var));
+ 				if (((Var *) tle->expr)->varattno == var->varattno &&
+ 					((Var *) tle->expr)->varcollid == var->varcollid)
+ 				{
+ 					/* Map the variable onto this subquery targetlist entry */
+ 					var->varattno = attno;
+ 					return false;
+ 				}
+ 			}
+ 
+ 			/* Not in the subquery targetlist, so add it. Get its name. */
+ 			if (var->varattno < 0)
+ 			{
+ 				Form_pg_attribute att_tup;
+ 
+ 				att_tup = SystemAttributeDefinition(var->varattno,
+ 													context->rel->rd_rel->relhasoids);
+ 				attname = NameStr(att_tup->attname);
+ 			}
+ 			else if (var->varattno == InvalidAttrNumber)
+ 			{
+ 				attname = "wholerow";
+ 			}
+ 			else if (var->varattno <= context->rel->rd_att->natts)
+ 			{
+ 				Form_pg_attribute att_tup;
+ 
+ 				att_tup = context->rel->rd_att->attrs[var->varattno - 1];
+ 				attname = NameStr(att_tup->attname);
+ 			}
+ 			else
+ 			{
+ 				elog(ERROR, "invalid attribute number %d in security_barrier_replace_vars", var->varattno);
+ 			}
+ 
+ 			/* New variable for subquery targetlist */
+ 			newvar = copyObject(var);
+ 			newvar->varno = 1;
+ 
+ 			attno = list_length(context->targetlist) + 1;
+ 			tle = makeTargetEntry((Expr *) newvar,
+ 								  attno,
+ 								  pstrdup(attname),
+ 								  false);
+ 
+ 			context->targetlist = lappend(context->targetlist, tle);
+ 
+ 			context->colnames = lappend(context->colnames,
+ 										makeString(pstrdup(attname)));
+ 
+ 			/* Update the outer query's variable */
+ 			var->varattno = attno;
+ 
+ 			/* Remember this Var so that we don't process it again */
+ 			context->vars_processed = lappend(context->vars_processed, var);
+ 		}
+ 		return false;
+ 	}
+ 
+ 	if (IsA(node, Query))
+ 	{
+ 		/* Recurse into subselects */
+ 		bool		result;
+ 
+ 		context->sublevels_up++;
+ 		result = query_tree_walker((Query *) node,
+ 								   security_barrier_replace_vars_walker,
+ 								   (void *) context, 0);
+ 		context->sublevels_up--;
+ 		return result;
+ 	}
+ 
+ 	return expression_tree_walker(node, security_barrier_replace_vars_walker,
+ 								  (void *) context);
+ }
diff --git a/src/backend/optimizer/prep/prepunion.c b/src/backend/optimizer/prep/prepunion.c
new file mode 100644
index 52dcc72..cdf541d 100644
*** a/src/backend/optimizer/prep/prepunion.c
--- b/src/backend/optimizer/prep/prepunion.c
*************** typedef struct
*** 55,60 ****
--- 55,61 ----
  {
  	PlannerInfo *root;
  	AppendRelInfo *appinfo;
+ 	int			sublevels_up;
  } adjust_appendrel_attrs_context;
  
  static Plan *recurse_set_operations(Node *setOp, PlannerInfo *root,
*************** translate_col_privs(const Bitmapset *par
*** 1580,1587 ****
   *	  child rel instead.  We also update rtindexes appearing outside Vars,
   *	  such as resultRelation and jointree relids.
   *
!  * Note: this is only applied after conversion of sublinks to subplans,
!  * so we don't need to cope with recursion into sub-queries.
   *
   * Note: this is not hugely different from what pullup_replace_vars() does;
   * maybe we should try to fold the two routines together.
--- 1581,1589 ----
   *	  child rel instead.  We also update rtindexes appearing outside Vars,
   *	  such as resultRelation and jointree relids.
   *
!  * Note: this is applied after conversion of sublinks to subplans in the
!  * query jointree, but there may still be sublinks in the security barrier
!  * quals of RTEs, so we do need to cope with recursion into sub-queries.
   *
   * Note: this is not hugely different from what pullup_replace_vars() does;
   * maybe we should try to fold the two routines together.
*************** adjust_appendrel_attrs(PlannerInfo *root
*** 1594,1602 ****
  
  	context.root = root;
  	context.appinfo = appinfo;
  
  	/*
! 	 * Must be prepared to start with a Query or a bare expression tree.
  	 */
  	if (node && IsA(node, Query))
  	{
--- 1596,1607 ----
  
  	context.root = root;
  	context.appinfo = appinfo;
+ 	context.sublevels_up = 0;
  
  	/*
! 	 * Must be prepared to start with a Query or a bare expression tree; if
! 	 * it's a Query, go straight to query_tree_walker to make sure that
! 	 * sublevels_up doesn't get incremented prematurely.
  	 */
  	if (node && IsA(node, Query))
  	{
*************** adjust_appendrel_attrs_mutator(Node *nod
*** 1635,1641 ****
  	{
  		Var		   *var = (Var *) copyObject(node);
  
! 		if (var->varlevelsup == 0 &&
  			var->varno == appinfo->parent_relid)
  		{
  			var->varno = appinfo->child_relid;
--- 1640,1646 ----
  	{
  		Var		   *var = (Var *) copyObject(node);
  
! 		if (var->varlevelsup == context->sublevels_up &&
  			var->varno == appinfo->parent_relid)
  		{
  			var->varno = appinfo->child_relid;
*************** adjust_appendrel_attrs_mutator(Node *nod
*** 1652,1657 ****
--- 1657,1663 ----
  				if (newnode == NULL)
  					elog(ERROR, "attribute %d of relation \"%s\" does not exist",
  						 var->varattno, get_rel_name(appinfo->parent_reloid));
+ 				((Var *) newnode)->varlevelsup += context->sublevels_up;
  				return newnode;
  			}
  			else if (var->varattno == 0)
*************** adjust_appendrel_attrs_mutator(Node *nod
*** 1694,1703 ****
--- 1700,1715 ----
  					RowExpr    *rowexpr;
  					List	   *fields;
  					RangeTblEntry *rte;
+ 					ListCell   *lc;
  
  					rte = rt_fetch(appinfo->parent_relid,
  								   context->root->parse->rtable);
  					fields = (List *) copyObject(appinfo->translated_vars);
+ 					foreach(lc, fields)
+ 					{
+ 						Var		   *field = (Var *) lfirst(lc);
+ 						field->varlevelsup += context->sublevels_up;
+ 					}
  					rowexpr = makeNode(RowExpr);
  					rowexpr->args = fields;
  					rowexpr->row_typeid = var->vartype;
*************** adjust_appendrel_attrs_mutator(Node *nod
*** 1716,1722 ****
  	{
  		CurrentOfExpr *cexpr = (CurrentOfExpr *) copyObject(node);
  
! 		if (cexpr->cvarno == appinfo->parent_relid)
  			cexpr->cvarno = appinfo->child_relid;
  		return (Node *) cexpr;
  	}
--- 1728,1735 ----
  	{
  		CurrentOfExpr *cexpr = (CurrentOfExpr *) copyObject(node);
  
! 		if (context->sublevels_up == 0 &&
! 			cexpr->cvarno == appinfo->parent_relid)
  			cexpr->cvarno = appinfo->child_relid;
  		return (Node *) cexpr;
  	}
*************** adjust_appendrel_attrs_mutator(Node *nod
*** 1724,1730 ****
  	{
  		RangeTblRef *rtr = (RangeTblRef *) copyObject(node);
  
! 		if (rtr->rtindex == appinfo->parent_relid)
  			rtr->rtindex = appinfo->child_relid;
  		return (Node *) rtr;
  	}
--- 1737,1744 ----
  	{
  		RangeTblRef *rtr = (RangeTblRef *) copyObject(node);
  
! 		if (context->sublevels_up == 0 &&
! 			rtr->rtindex == appinfo->parent_relid)
  			rtr->rtindex = appinfo->child_relid;
  		return (Node *) rtr;
  	}
*************** adjust_appendrel_attrs_mutator(Node *nod
*** 1737,1743 ****
  											  adjust_appendrel_attrs_mutator,
  												 (void *) context);
  		/* now fix JoinExpr's rtindex (probably never happens) */
! 		if (j->rtindex == appinfo->parent_relid)
  			j->rtindex = appinfo->child_relid;
  		return (Node *) j;
  	}
--- 1751,1758 ----
  											  adjust_appendrel_attrs_mutator,
  												 (void *) context);
  		/* now fix JoinExpr's rtindex (probably never happens) */
! 		if (context->sublevels_up == 0 &&
! 			j->rtindex == appinfo->parent_relid)
  			j->rtindex = appinfo->child_relid;
  		return (Node *) j;
  	}
*************** adjust_appendrel_attrs_mutator(Node *nod
*** 1750,1756 ****
  											  adjust_appendrel_attrs_mutator,
  														 (void *) context);
  		/* now fix PlaceHolderVar's relid sets */
! 		if (phv->phlevelsup == 0)
  			phv->phrels = adjust_relid_set(phv->phrels,
  										   appinfo->parent_relid,
  										   appinfo->child_relid);
--- 1765,1771 ----
  											  adjust_appendrel_attrs_mutator,
  														 (void *) context);
  		/* now fix PlaceHolderVar's relid sets */
! 		if (phv->phlevelsup == context->sublevels_up)
  			phv->phrels = adjust_relid_set(phv->phrels,
  										   appinfo->parent_relid,
  										   appinfo->child_relid);
*************** adjust_appendrel_attrs_mutator(Node *nod
*** 1822,1833 ****
  		return (Node *) newinfo;
  	}
  
! 	/*
! 	 * NOTE: we do not need to recurse into sublinks, because they should
! 	 * already have been converted to subplans before we see them.
! 	 */
! 	Assert(!IsA(node, SubLink));
! 	Assert(!IsA(node, Query));
  
  	return expression_tree_mutator(node, adjust_appendrel_attrs_mutator,
  								   (void *) context);
--- 1837,1865 ----
  		return (Node *) newinfo;
  	}
  
! 	if (IsA(node, Query))
! 	{
! 		/*
! 		 * Recurse into sublink subqueries. This should only be possible in
! 		 * security barrier quals of top-level RTEs. All other sublinks should
! 		 * have already been converted to subplans during expression
! 		 * preprocessing, but this doesn't happen for security barrier quals,
! 		 * since they are destined to become quals of a subquery RTE, which
! 		 * will be recursively planned, and so should not be preprocessed at
! 		 * this stage.
! 		 *
! 		 * We don't explicitly Assert() for securityQuals here simply because
! 		 * it's not trivial to do so.
! 		 */
! 		Query	   *newnode;
! 
! 		context->sublevels_up++;
! 		newnode = query_tree_mutator((Query *) node,
! 									 adjust_appendrel_attrs_mutator,
! 									 (void *) context, 0);
! 		context->sublevels_up--;
! 		return (Node *) newnode;
! 	}
  
  	return expression_tree_mutator(node, adjust_appendrel_attrs_mutator,
  								   (void *) context);
diff --git a/src/backend/rewrite/rewriteHandler.c b/src/backend/rewrite/rewriteHandler.c
new file mode 100644
index 5dbcce3..caed8ca 100644
*** a/src/backend/rewrite/rewriteHandler.c
--- b/src/backend/rewrite/rewriteHandler.c
*************** view_col_is_auto_updatable(RangeTblRef *
*** 2023,2030 ****
   * updatable.
   */
  const char *
! view_query_is_auto_updatable(Query *viewquery, bool security_barrier,
! 							 bool check_cols)
  {
  	RangeTblRef *rtr;
  	RangeTblEntry *base_rte;
--- 2023,2029 ----
   * updatable.
   */
  const char *
! view_query_is_auto_updatable(Query *viewquery, bool check_cols)
  {
  	RangeTblRef *rtr;
  	RangeTblEntry *base_rte;
*************** view_query_is_auto_updatable(Query *view
*** 2098,2111 ****
  		return gettext_noop("Views that return set-returning functions are not automatically updatable.");
  
  	/*
- 	 * For now, we also don't support security-barrier views, because of the
- 	 * difficulty of keeping upper-level qual expressions away from
- 	 * lower-level data.  This might get relaxed in the future.
- 	 */
- 	if (security_barrier)
- 		return gettext_noop("Security-barrier views are not automatically updatable.");
- 
- 	/*
  	 * The view query should select from a single base relation, which must be
  	 * a table or another view.
  	 */
--- 2097,2102 ----
*************** relation_is_updatable(Oid reloid,
*** 2353,2361 ****
  	{
  		Query	   *viewquery = get_view_query(rel);
  
! 		if (view_query_is_auto_updatable(viewquery,
! 										 RelationIsSecurityView(rel),
! 										 false) == NULL)
  		{
  			Bitmapset  *updatable_cols;
  			int			auto_events;
--- 2344,2350 ----
  	{
  		Query	   *viewquery = get_view_query(rel);
  
! 		if (view_query_is_auto_updatable(viewquery, false) == NULL)
  		{
  			Bitmapset  *updatable_cols;
  			int			auto_events;
*************** rewriteTargetView(Query *parsetree, Rela
*** 2510,2516 ****
  
  	auto_update_detail =
  		view_query_is_auto_updatable(viewquery,
- 									 RelationIsSecurityView(view),
  									 parsetree->commandType != CMD_DELETE);
  
  	if (auto_update_detail)
--- 2499,2504 ----
*************** rewriteTargetView(Query *parsetree, Rela
*** 2714,2719 ****
--- 2702,2715 ----
  												   view_targetlist);
  
  	/*
+ 	 * Move any security barrier quals from the view RTE onto the new target
+ 	 * RTE.  Any such quals should now apply to the new target RTE and will not
+ 	 * reference the original view RTE in the rewritten query.
+ 	 */
+ 	new_rte->securityQuals = view_rte->securityQuals;
+ 	view_rte->securityQuals = NIL;
+ 
+ 	/*
  	 * For UPDATE/DELETE, rewriteTargetListUD will have added a wholerow junk
  	 * TLE for the view to the end of the targetlist, which we no longer need.
  	 * Remove it to avoid unnecessary work when we process the targetlist.
*************** rewriteTargetView(Query *parsetree, Rela
*** 2793,2798 ****
--- 2789,2798 ----
  	 * only adjust their varnos to reference the new target (just the same as
  	 * we did with the view targetlist).
  	 *
+ 	 * Note that there is special-case handling for the quals of a security
+ 	 * barrier view, since they need to be kept separate from any user-supplied
+ 	 * quals, so these quals are kept on the new target RTE.
+ 	 *
  	 * For INSERT, the view's quals can be ignored in the main query.
  	 */
  	if (parsetree->commandType != CMD_INSERT &&
*************** rewriteTargetView(Query *parsetree, Rela
*** 2801,2807 ****
  		Node	   *viewqual = (Node *) copyObject(viewquery->jointree->quals);
  
  		ChangeVarNodes(viewqual, base_rt_index, new_rt_index, 0);
! 		AddQual(parsetree, (Node *) viewqual);
  	}
  
  	/*
--- 2801,2825 ----
  		Node	   *viewqual = (Node *) copyObject(viewquery->jointree->quals);
  
  		ChangeVarNodes(viewqual, base_rt_index, new_rt_index, 0);
! 
! 		if (RelationIsSecurityView(view))
! 		{
! 			/*
! 			 * Note: the parsetree has been mutated, so the new_rte pointer is
! 			 * stale and needs to be re-computed.
! 			 */
! 			new_rte = rt_fetch(new_rt_index, parsetree->rtable);
! 			new_rte->securityQuals = lcons(viewqual, new_rte->securityQuals);
! 
! 			/*
! 			 * Make sure that the query is marked correctly if the added qual
! 			 * has sublinks.
! 			 */
! 			if (!parsetree->hasSubLinks)
! 				parsetree->hasSubLinks = checkExprHasSubLink(viewqual);
! 		}
! 		else
! 			AddQual(parsetree, (Node *) viewqual);
  	}
  
  	/*
*************** rewriteTargetView(Query *parsetree, Rela
*** 2863,2871 ****
  				 * Make sure that the query is marked correctly if the added
  				 * qual has sublinks.  We can skip this check if the query is
  				 * already marked, or if the command is an UPDATE, in which
! 				 * case the same qual will have already been added to the
! 				 * query's WHERE clause, and AddQual will have already done
! 				 * this check.
  				 */
  				if (!parsetree->hasSubLinks &&
  					parsetree->commandType != CMD_UPDATE)
--- 2881,2888 ----
  				 * Make sure that the query is marked correctly if the added
  				 * qual has sublinks.  We can skip this check if the query is
  				 * already marked, or if the command is an UPDATE, in which
! 				 * case the same qual will have already been added, and this
! 				 * check will already have been done.
  				 */
  				if (!parsetree->hasSubLinks &&
  					parsetree->commandType != CMD_UPDATE)
diff --git a/src/include/nodes/parsenodes.h b/src/include/nodes/parsenodes.h
new file mode 100644
index b5011af..18d4991 100644
*** a/src/include/nodes/parsenodes.h
--- b/src/include/nodes/parsenodes.h
*************** typedef struct RangeTblEntry
*** 801,806 ****
--- 801,807 ----
  	Oid			checkAsUser;	/* if valid, check access as this role */
  	Bitmapset  *selectedCols;	/* columns needing SELECT permission */
  	Bitmapset  *modifiedCols;	/* columns needing INSERT/UPDATE permission */
+ 	List	   *securityQuals;	/* any security barrier quals to apply */
  } RangeTblEntry;
  
  /*
diff --git a/src/include/optimizer/prep.h b/src/include/optimizer/prep.h
new file mode 100644
index 0f5a7d3..f5fc7e8 100644
*** a/src/include/optimizer/prep.h
--- b/src/include/optimizer/prep.h
*************** extern Node *negate_clause(Node *node);
*** 36,41 ****
--- 36,46 ----
  extern Expr *canonicalize_qual(Expr *qual);
  
  /*
+  * prototypes for prepsecurity.c
+  */
+ extern void expand_security_quals(PlannerInfo *root, List *tlist);
+ 
+ /*
   * prototypes for preptlist.c
   */
  extern List *preprocess_targetlist(PlannerInfo *root, List *tlist);
diff --git a/src/include/rewrite/rewriteHandler.h b/src/include/rewrite/rewriteHandler.h
new file mode 100644
index 22551ec..1b51213 100644
*** a/src/include/rewrite/rewriteHandler.h
--- b/src/include/rewrite/rewriteHandler.h
*************** extern void AcquireRewriteLocks(Query *p
*** 25,31 ****
  extern Node *build_column_default(Relation rel, int attrno);
  extern Query *get_view_query(Relation view);
  extern const char *view_query_is_auto_updatable(Query *viewquery,
- 										 bool security_barrier,
  										 bool check_cols);
  extern int	relation_is_updatable(Oid reloid,
  						  bool include_triggers,
--- 25,30 ----
diff --git a/src/test/regress/expected/create_view.out b/src/test/regress/expected/create_view.out
new file mode 100644
index 91d1639..f6db582 100644
*** a/src/test/regress/expected/create_view.out
--- b/src/test/regress/expected/create_view.out
*************** CREATE VIEW mysecview4 WITH (security_ba
*** 252,258 ****
         AS SELECT * FROM tbl1 WHERE a <> 0;
  CREATE VIEW mysecview5 WITH (security_barrier=100)	-- Error
         AS SELECT * FROM tbl1 WHERE a > 100;
! ERROR:  security_barrier requires a Boolean value
  CREATE VIEW mysecview6 WITH (invalid_option)		-- Error
         AS SELECT * FROM tbl1 WHERE a < 100;
  ERROR:  unrecognized parameter "invalid_option"
--- 252,258 ----
         AS SELECT * FROM tbl1 WHERE a <> 0;
  CREATE VIEW mysecview5 WITH (security_barrier=100)	-- Error
         AS SELECT * FROM tbl1 WHERE a > 100;
! ERROR:  invalid value for boolean option "security_barrier": 100
  CREATE VIEW mysecview6 WITH (invalid_option)		-- Error
         AS SELECT * FROM tbl1 WHERE a < 100;
  ERROR:  unrecognized parameter "invalid_option"
diff --git a/src/test/regress/expected/updatable_views.out b/src/test/regress/expected/updatable_views.out
new file mode 100644
index 99c9165..261b0c5 100644
*** a/src/test/regress/expected/updatable_views.out
--- b/src/test/regress/expected/updatable_views.out
*************** CREATE VIEW rw_view14 AS SELECT ctid, a,
*** 22,33 ****
  CREATE VIEW rw_view15 AS SELECT a, upper(b) FROM base_tbl; -- Expression/function may be part of an updatable view
  CREATE VIEW rw_view16 AS SELECT a, b, a AS aa FROM base_tbl; -- Repeated column may be part of an updatable view
  CREATE VIEW ro_view17 AS SELECT * FROM ro_view1; -- Base relation not updatable
! CREATE VIEW ro_view18 WITH (security_barrier = true)
!   AS SELECT * FROM base_tbl; -- Security barrier views not updatable
! CREATE VIEW ro_view19 AS SELECT * FROM (VALUES(1)) AS tmp(a); -- VALUES in rangetable
  CREATE SEQUENCE seq;
! CREATE VIEW ro_view20 AS SELECT * FROM seq; -- View based on a sequence
! CREATE VIEW ro_view21 AS SELECT a, b, generate_series(1, a) g FROM base_tbl; -- SRF in targetlist not supported
  SELECT table_name, is_insertable_into
    FROM information_schema.tables
   WHERE table_name LIKE E'r_\\_view%'
--- 22,31 ----
  CREATE VIEW rw_view15 AS SELECT a, upper(b) FROM base_tbl; -- Expression/function may be part of an updatable view
  CREATE VIEW rw_view16 AS SELECT a, b, a AS aa FROM base_tbl; -- Repeated column may be part of an updatable view
  CREATE VIEW ro_view17 AS SELECT * FROM ro_view1; -- Base relation not updatable
! CREATE VIEW ro_view18 AS SELECT * FROM (VALUES(1)) AS tmp(a); -- VALUES in rangetable
  CREATE SEQUENCE seq;
! CREATE VIEW ro_view19 AS SELECT * FROM seq; -- View based on a sequence
! CREATE VIEW ro_view20 AS SELECT a, b, generate_series(1, a) g FROM base_tbl; -- SRF in targetlist not supported
  SELECT table_name, is_insertable_into
    FROM information_schema.tables
   WHERE table_name LIKE E'r_\\_view%'
*************** SELECT table_name, is_insertable_into
*** 44,50 ****
   ro_view19  | NO
   ro_view2   | NO
   ro_view20  | NO
-  ro_view21  | NO
   ro_view3   | NO
   ro_view4   | NO
   ro_view5   | NO
--- 42,47 ----
*************** SELECT table_name, is_insertable_into
*** 55,61 ****
   rw_view14  | YES
   rw_view15  | YES
   rw_view16  | YES
! (21 rows)
  
  SELECT table_name, is_updatable, is_insertable_into
    FROM information_schema.views
--- 52,58 ----
   rw_view14  | YES
   rw_view15  | YES
   rw_view16  | YES
! (20 rows)
  
  SELECT table_name, is_updatable, is_insertable_into
    FROM information_schema.views
*************** SELECT table_name, is_updatable, is_inse
*** 73,79 ****
   ro_view19  | NO           | NO
   ro_view2   | NO           | NO
   ro_view20  | NO           | NO
-  ro_view21  | NO           | NO
   ro_view3   | NO           | NO
   ro_view4   | NO           | NO
   ro_view5   | NO           | NO
--- 70,75 ----
*************** SELECT table_name, is_updatable, is_inse
*** 84,90 ****
   rw_view14  | YES          | YES
   rw_view15  | YES          | YES
   rw_view16  | YES          | YES
! (21 rows)
  
  SELECT table_name, column_name, is_updatable
    FROM information_schema.columns
--- 80,86 ----
   rw_view14  | YES          | YES
   rw_view15  | YES          | YES
   rw_view16  | YES          | YES
! (20 rows)
  
  SELECT table_name, column_name, is_updatable
    FROM information_schema.columns
*************** SELECT table_name, column_name, is_updat
*** 103,125 ****
   ro_view17  | a             | NO
   ro_view17  | b             | NO
   ro_view18  | a             | NO
!  ro_view18  | b             | NO
!  ro_view19  | a             | NO
   ro_view2   | a             | NO
   ro_view2   | b             | NO
!  ro_view20  | sequence_name | NO
!  ro_view20  | last_value    | NO
!  ro_view20  | start_value   | NO
!  ro_view20  | increment_by  | NO
!  ro_view20  | max_value     | NO
!  ro_view20  | min_value     | NO
!  ro_view20  | cache_value   | NO
!  ro_view20  | log_cnt       | NO
!  ro_view20  | is_cycled     | NO
!  ro_view20  | is_called     | NO
!  ro_view21  | a             | NO
!  ro_view21  | b             | NO
!  ro_view21  | g             | NO
   ro_view3   | ?column?      | NO
   ro_view4   | count         | NO
   ro_view5   | a             | NO
--- 99,119 ----
   ro_view17  | a             | NO
   ro_view17  | b             | NO
   ro_view18  | a             | NO
!  ro_view19  | sequence_name | NO
!  ro_view19  | last_value    | NO
!  ro_view19  | start_value   | NO
!  ro_view19  | increment_by  | NO
!  ro_view19  | max_value     | NO
!  ro_view19  | min_value     | NO
!  ro_view19  | cache_value   | NO
!  ro_view19  | log_cnt       | NO
!  ro_view19  | is_cycled     | NO
!  ro_view19  | is_called     | NO
   ro_view2   | a             | NO
   ro_view2   | b             | NO
!  ro_view20  | a             | NO
!  ro_view20  | b             | NO
!  ro_view20  | g             | NO
   ro_view3   | ?column?      | NO
   ro_view4   | count         | NO
   ro_view5   | a             | NO
*************** SELECT table_name, column_name, is_updat
*** 140,146 ****
   rw_view16  | a             | YES
   rw_view16  | b             | YES
   rw_view16  | aa            | YES
! (48 rows)
  
  -- Read-only views
  DELETE FROM ro_view1;
--- 134,140 ----
   rw_view16  | a             | YES
   rw_view16  | b             | YES
   rw_view16  | aa            | YES
! (46 rows)
  
  -- Read-only views
  DELETE FROM ro_view1;
*************** INSERT INTO ro_view17 VALUES (3, 'ROW 3'
*** 268,291 ****
  ERROR:  cannot insert into view "ro_view1"
  DETAIL:  Views containing DISTINCT are not automatically updatable.
  HINT:  To enable inserting into the view, provide an INSTEAD OF INSERT trigger or an unconditional ON INSERT DO INSTEAD rule.
! INSERT INTO ro_view18 VALUES (3, 'ROW 3');
! ERROR:  cannot insert into view "ro_view18"
! DETAIL:  Security-barrier views are not automatically updatable.
! HINT:  To enable inserting into the view, provide an INSTEAD OF INSERT trigger or an unconditional ON INSERT DO INSTEAD rule.
! DELETE FROM ro_view19;
! ERROR:  cannot delete from view "ro_view19"
  DETAIL:  Views that do not select from a single table or view are not automatically updatable.
  HINT:  To enable deleting from the view, provide an INSTEAD OF DELETE trigger or an unconditional ON DELETE DO INSTEAD rule.
! UPDATE ro_view20 SET max_value=1000;
! ERROR:  cannot update view "ro_view20"
  DETAIL:  Views that do not select from a single table or view are not automatically updatable.
  HINT:  To enable updating the view, provide an INSTEAD OF UPDATE trigger or an unconditional ON UPDATE DO INSTEAD rule.
! UPDATE ro_view21 SET b=upper(b);
! ERROR:  cannot update view "ro_view21"
  DETAIL:  Views that return set-returning functions are not automatically updatable.
  HINT:  To enable updating the view, provide an INSTEAD OF UPDATE trigger or an unconditional ON UPDATE DO INSTEAD rule.
  DROP TABLE base_tbl CASCADE;
! NOTICE:  drop cascades to 17 other objects
  DETAIL:  drop cascades to view ro_view1
  drop cascades to view ro_view17
  drop cascades to view ro_view2
--- 262,281 ----
  ERROR:  cannot insert into view "ro_view1"
  DETAIL:  Views containing DISTINCT are not automatically updatable.
  HINT:  To enable inserting into the view, provide an INSTEAD OF INSERT trigger or an unconditional ON INSERT DO INSTEAD rule.
! DELETE FROM ro_view18;
! ERROR:  cannot delete from view "ro_view18"
  DETAIL:  Views that do not select from a single table or view are not automatically updatable.
  HINT:  To enable deleting from the view, provide an INSTEAD OF DELETE trigger or an unconditional ON DELETE DO INSTEAD rule.
! UPDATE ro_view19 SET max_value=1000;
! ERROR:  cannot update view "ro_view19"
  DETAIL:  Views that do not select from a single table or view are not automatically updatable.
  HINT:  To enable updating the view, provide an INSTEAD OF UPDATE trigger or an unconditional ON UPDATE DO INSTEAD rule.
! UPDATE ro_view20 SET b=upper(b);
! ERROR:  cannot update view "ro_view20"
  DETAIL:  Views that return set-returning functions are not automatically updatable.
  HINT:  To enable updating the view, provide an INSTEAD OF UPDATE trigger or an unconditional ON UPDATE DO INSTEAD rule.
  DROP TABLE base_tbl CASCADE;
! NOTICE:  drop cascades to 16 other objects
  DETAIL:  drop cascades to view ro_view1
  drop cascades to view ro_view17
  drop cascades to view ro_view2
*************** drop cascades to view ro_view11
*** 299,311 ****
  drop cascades to view ro_view13
  drop cascades to view rw_view15
  drop cascades to view rw_view16
! drop cascades to view ro_view18
! drop cascades to view ro_view21
  drop cascades to view ro_view4
  drop cascades to view rw_view14
! DROP VIEW ro_view10, ro_view12, ro_view19;
  DROP SEQUENCE seq CASCADE;
! NOTICE:  drop cascades to view ro_view20
  -- simple updatable view
  CREATE TABLE base_tbl (a int PRIMARY KEY, b text DEFAULT 'Unspecified');
  INSERT INTO base_tbl SELECT i, 'Row ' || i FROM generate_series(-2, 2) g(i);
--- 289,300 ----
  drop cascades to view ro_view13
  drop cascades to view rw_view15
  drop cascades to view rw_view16
! drop cascades to view ro_view20
  drop cascades to view ro_view4
  drop cascades to view rw_view14
! DROP VIEW ro_view10, ro_view12, ro_view18;
  DROP SEQUENCE seq CASCADE;
! NOTICE:  drop cascades to view ro_view19
  -- simple updatable view
  CREATE TABLE base_tbl (a int PRIMARY KEY, b text DEFAULT 'Unspecified');
  INSERT INTO base_tbl SELECT i, 'Row ' || i FROM generate_series(-2, 2) g(i);
*************** DROP TABLE base_tbl CASCADE;
*** 1740,1742 ****
--- 1729,1987 ----
  NOTICE:  drop cascades to 2 other objects
  DETAIL:  drop cascades to view rw_view1
  drop cascades to view rw_view2
+ -- security barrier view
+ CREATE TABLE base_tbl (person text, visibility text);
+ INSERT INTO base_tbl VALUES ('Tom', 'public'),
+                             ('Dick', 'private'),
+                             ('Harry', 'public');
+ CREATE VIEW rw_view1 AS
+   SELECT person FROM base_tbl WHERE visibility = 'public';
+ CREATE FUNCTION snoop(val text)
+ RETURNS boolean AS
+ $$
+ BEGIN
+   RAISE NOTICE 'snooped value: %', val;
+   RETURN true;
+ END;
+ $$
+ LANGUAGE plpgsql COST 0.000001;
+ SELECT * FROM rw_view1 WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Dick
+ NOTICE:  snooped value: Harry
+  person 
+ --------
+  Tom
+  Harry
+ (2 rows)
+ 
+ UPDATE rw_view1 SET person=person WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Dick
+ NOTICE:  snooped value: Harry
+ DELETE FROM rw_view1 WHERE NOT snoop(person);
+ NOTICE:  snooped value: Dick
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ ALTER VIEW rw_view1 SET (security_barrier = true);
+ SELECT table_name, is_insertable_into
+   FROM information_schema.tables
+  WHERE table_name = 'rw_view1';
+  table_name | is_insertable_into 
+ ------------+--------------------
+  rw_view1   | YES
+ (1 row)
+ 
+ SELECT table_name, is_updatable, is_insertable_into
+   FROM information_schema.views
+  WHERE table_name = 'rw_view1';
+  table_name | is_updatable | is_insertable_into 
+ ------------+--------------+--------------------
+  rw_view1   | YES          | YES
+ (1 row)
+ 
+ SELECT table_name, column_name, is_updatable
+   FROM information_schema.columns
+  WHERE table_name = 'rw_view1'
+  ORDER BY ordinal_position;
+  table_name | column_name | is_updatable 
+ ------------+-------------+--------------
+  rw_view1   | person      | YES
+ (1 row)
+ 
+ SELECT * FROM rw_view1 WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+  person 
+ --------
+  Tom
+  Harry
+ (2 rows)
+ 
+ UPDATE rw_view1 SET person=person WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ DELETE FROM rw_view1 WHERE NOT snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ EXPLAIN (costs off) SELECT * FROM rw_view1 WHERE snoop(person);
+                   QUERY PLAN                   
+ -----------------------------------------------
+  Subquery Scan on rw_view1
+    Filter: snoop(rw_view1.person)
+    ->  Seq Scan on base_tbl
+          Filter: (visibility = 'public'::text)
+ (4 rows)
+ 
+ EXPLAIN (costs off) UPDATE rw_view1 SET person=person WHERE snoop(person);
+                      QUERY PLAN                      
+ -----------------------------------------------------
+  Update on base_tbl base_tbl_1
+    ->  Subquery Scan on base_tbl
+          Filter: snoop(base_tbl.person)
+          ->  Seq Scan on base_tbl base_tbl_2
+                Filter: (visibility = 'public'::text)
+ (5 rows)
+ 
+ EXPLAIN (costs off) DELETE FROM rw_view1 WHERE NOT snoop(person);
+                      QUERY PLAN                      
+ -----------------------------------------------------
+  Delete on base_tbl base_tbl_1
+    ->  Subquery Scan on base_tbl
+          Filter: (NOT snoop(base_tbl.person))
+          ->  Seq Scan on base_tbl base_tbl_2
+                Filter: (visibility = 'public'::text)
+ (5 rows)
+ 
+ -- security barrier view on top of security barrier view
+ CREATE VIEW rw_view2 WITH (security_barrier = true) AS
+   SELECT * FROM rw_view1 WHERE snoop(person);
+ SELECT table_name, is_insertable_into
+   FROM information_schema.tables
+  WHERE table_name = 'rw_view2';
+  table_name | is_insertable_into 
+ ------------+--------------------
+  rw_view2   | YES
+ (1 row)
+ 
+ SELECT table_name, is_updatable, is_insertable_into
+   FROM information_schema.views
+  WHERE table_name = 'rw_view2';
+  table_name | is_updatable | is_insertable_into 
+ ------------+--------------+--------------------
+  rw_view2   | YES          | YES
+ (1 row)
+ 
+ SELECT table_name, column_name, is_updatable
+   FROM information_schema.columns
+  WHERE table_name = 'rw_view2'
+  ORDER BY ordinal_position;
+  table_name | column_name | is_updatable 
+ ------------+-------------+--------------
+  rw_view2   | person      | YES
+ (1 row)
+ 
+ SELECT * FROM rw_view2 WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ NOTICE:  snooped value: Harry
+  person 
+ --------
+  Tom
+  Harry
+ (2 rows)
+ 
+ UPDATE rw_view2 SET person=person WHERE snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ NOTICE:  snooped value: Harry
+ DELETE FROM rw_view2 WHERE NOT snoop(person);
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Tom
+ NOTICE:  snooped value: Harry
+ NOTICE:  snooped value: Harry
+ EXPLAIN (costs off) SELECT * FROM rw_view2 WHERE snoop(person);
+                      QUERY PLAN                      
+ -----------------------------------------------------
+  Subquery Scan on rw_view2
+    Filter: snoop(rw_view2.person)
+    ->  Subquery Scan on rw_view1
+          Filter: snoop(rw_view1.person)
+          ->  Seq Scan on base_tbl
+                Filter: (visibility = 'public'::text)
+ (6 rows)
+ 
+ EXPLAIN (costs off) UPDATE rw_view2 SET person=person WHERE snoop(person);
+                         QUERY PLAN                         
+ -----------------------------------------------------------
+  Update on base_tbl base_tbl_1
+    ->  Subquery Scan on base_tbl
+          Filter: snoop(base_tbl.person)
+          ->  Subquery Scan on base_tbl_2
+                Filter: snoop(base_tbl_2.person)
+                ->  Seq Scan on base_tbl base_tbl_3
+                      Filter: (visibility = 'public'::text)
+ (7 rows)
+ 
+ EXPLAIN (costs off) DELETE FROM rw_view2 WHERE NOT snoop(person);
+                         QUERY PLAN                         
+ -----------------------------------------------------------
+  Delete on base_tbl base_tbl_1
+    ->  Subquery Scan on base_tbl
+          Filter: (NOT snoop(base_tbl.person))
+          ->  Subquery Scan on base_tbl_2
+                Filter: snoop(base_tbl_2.person)
+                ->  Seq Scan on base_tbl base_tbl_3
+                      Filter: (visibility = 'public'::text)
+ (7 rows)
+ 
+ DROP TABLE base_tbl CASCADE;
+ NOTICE:  drop cascades to 2 other objects
+ DETAIL:  drop cascades to view rw_view1
+ drop cascades to view rw_view2
+ -- security barrier view on top of table with rules
+ CREATE TABLE base_tbl(id int PRIMARY KEY, data text, deleted boolean);
+ INSERT INTO base_tbl VALUES (1, 'Row 1', false), (2, 'Row 2', true);
+ CREATE RULE base_tbl_ins_rule AS ON INSERT TO base_tbl
+   WHERE EXISTS (SELECT 1 FROM base_tbl t WHERE t.id = new.id)
+   DO INSTEAD
+     UPDATE base_tbl SET data = new.data, deleted = false WHERE id = new.id;
+ CREATE RULE base_tbl_del_rule AS ON DELETE TO base_tbl
+   DO INSTEAD
+     UPDATE base_tbl SET deleted = true WHERE id = old.id;
+ CREATE VIEW rw_view1 WITH (security_barrier=true) AS
+   SELECT id, data FROM base_tbl WHERE NOT deleted;
+ SELECT * FROM rw_view1;
+  id | data  
+ ----+-------
+   1 | Row 1
+ (1 row)
+ 
+ EXPLAIN (costs off) DELETE FROM rw_view1 WHERE id = 1 AND snoop(data);
+                                QUERY PLAN                                
+ -------------------------------------------------------------------------
+  Update on base_tbl base_tbl_1
+    ->  Nested Loop
+          ->  Index Scan using base_tbl_pkey on base_tbl base_tbl_1
+                Index Cond: (id = 1)
+          ->  Subquery Scan on base_tbl
+                Filter: snoop(base_tbl.data)
+                ->  Index Scan using base_tbl_pkey on base_tbl base_tbl_2
+                      Index Cond: (id = 1)
+                      Filter: (NOT deleted)
+ (9 rows)
+ 
+ DELETE FROM rw_view1 WHERE id = 1 AND snoop(data);
+ NOTICE:  snooped value: Row 1
+ EXPLAIN (costs off) INSERT INTO rw_view1 VALUES (2, 'New row 2');
+                         QUERY PLAN                         
+ -----------------------------------------------------------
+  Insert on base_tbl
+    InitPlan 1 (returns $0)
+      ->  Index Only Scan using base_tbl_pkey on base_tbl t
+            Index Cond: (id = 2)
+    ->  Result
+          One-Time Filter: ($0 IS NOT TRUE)
+  
+  Update on base_tbl
+    InitPlan 1 (returns $0)
+      ->  Index Only Scan using base_tbl_pkey on base_tbl t
+            Index Cond: (id = 2)
+    ->  Result
+          One-Time Filter: $0
+          ->  Index Scan using base_tbl_pkey on base_tbl
+                Index Cond: (id = 2)
+ (15 rows)
+ 
+ INSERT INTO rw_view1 VALUES (2, 'New row 2');
+ SELECT * FROM base_tbl;
+  id |   data    | deleted 
+ ----+-----------+---------
+   1 | Row 1     | t
+   2 | New row 2 | f
+ (2 rows)
+ 
+ DROP TABLE base_tbl CASCADE;
+ NOTICE:  drop cascades to view rw_view1
diff --git a/src/test/regress/sql/updatable_views.sql b/src/test/regress/sql/updatable_views.sql
new file mode 100644
index a77cf19..08f7504 100644
*** a/src/test/regress/sql/updatable_views.sql
--- b/src/test/regress/sql/updatable_views.sql
*************** CREATE VIEW rw_view14 AS SELECT ctid, a,
*** 25,36 ****
  CREATE VIEW rw_view15 AS SELECT a, upper(b) FROM base_tbl; -- Expression/function may be part of an updatable view
  CREATE VIEW rw_view16 AS SELECT a, b, a AS aa FROM base_tbl; -- Repeated column may be part of an updatable view
  CREATE VIEW ro_view17 AS SELECT * FROM ro_view1; -- Base relation not updatable
! CREATE VIEW ro_view18 WITH (security_barrier = true)
!   AS SELECT * FROM base_tbl; -- Security barrier views not updatable
! CREATE VIEW ro_view19 AS SELECT * FROM (VALUES(1)) AS tmp(a); -- VALUES in rangetable
  CREATE SEQUENCE seq;
! CREATE VIEW ro_view20 AS SELECT * FROM seq; -- View based on a sequence
! CREATE VIEW ro_view21 AS SELECT a, b, generate_series(1, a) g FROM base_tbl; -- SRF in targetlist not supported
  
  SELECT table_name, is_insertable_into
    FROM information_schema.tables
--- 25,34 ----
  CREATE VIEW rw_view15 AS SELECT a, upper(b) FROM base_tbl; -- Expression/function may be part of an updatable view
  CREATE VIEW rw_view16 AS SELECT a, b, a AS aa FROM base_tbl; -- Repeated column may be part of an updatable view
  CREATE VIEW ro_view17 AS SELECT * FROM ro_view1; -- Base relation not updatable
! CREATE VIEW ro_view18 AS SELECT * FROM (VALUES(1)) AS tmp(a); -- VALUES in rangetable
  CREATE SEQUENCE seq;
! CREATE VIEW ro_view19 AS SELECT * FROM seq; -- View based on a sequence
! CREATE VIEW ro_view20 AS SELECT a, b, generate_series(1, a) g FROM base_tbl; -- SRF in targetlist not supported
  
  SELECT table_name, is_insertable_into
    FROM information_schema.tables
*************** SELECT * FROM base_tbl;
*** 87,99 ****
  DELETE FROM rw_view16 WHERE a=-3; -- should be OK
  -- Read-only views
  INSERT INTO ro_view17 VALUES (3, 'ROW 3');
! INSERT INTO ro_view18 VALUES (3, 'ROW 3');
! DELETE FROM ro_view19;
! UPDATE ro_view20 SET max_value=1000;
! UPDATE ro_view21 SET b=upper(b);
  
  DROP TABLE base_tbl CASCADE;
! DROP VIEW ro_view10, ro_view12, ro_view19;
  DROP SEQUENCE seq CASCADE;
  
  -- simple updatable view
--- 85,96 ----
  DELETE FROM rw_view16 WHERE a=-3; -- should be OK
  -- Read-only views
  INSERT INTO ro_view17 VALUES (3, 'ROW 3');
! DELETE FROM ro_view18;
! UPDATE ro_view19 SET max_value=1000;
! UPDATE ro_view20 SET b=upper(b);
  
  DROP TABLE base_tbl CASCADE;
! DROP VIEW ro_view10, ro_view12, ro_view18;
  DROP SEQUENCE seq CASCADE;
  
  -- simple updatable view
*************** CREATE VIEW rw_view2 AS
*** 828,830 ****
--- 825,931 ----
    SELECT * FROM rw_view1 WHERE a > b WITH LOCAL CHECK OPTION;
  INSERT INTO rw_view2 VALUES (2,3); -- ok, but not in view (doesn't fail rw_view2's check)
  DROP TABLE base_tbl CASCADE;
+ 
+ -- security barrier view
+ 
+ CREATE TABLE base_tbl (person text, visibility text);
+ INSERT INTO base_tbl VALUES ('Tom', 'public'),
+                             ('Dick', 'private'),
+                             ('Harry', 'public');
+ 
+ CREATE VIEW rw_view1 AS
+   SELECT person FROM base_tbl WHERE visibility = 'public';
+ 
+ CREATE FUNCTION snoop(val text)
+ RETURNS boolean AS
+ $$
+ BEGIN
+   RAISE NOTICE 'snooped value: %', val;
+   RETURN true;
+ END;
+ $$
+ LANGUAGE plpgsql COST 0.000001;
+ 
+ SELECT * FROM rw_view1 WHERE snoop(person);
+ UPDATE rw_view1 SET person=person WHERE snoop(person);
+ DELETE FROM rw_view1 WHERE NOT snoop(person);
+ 
+ ALTER VIEW rw_view1 SET (security_barrier = true);
+ 
+ SELECT table_name, is_insertable_into
+   FROM information_schema.tables
+  WHERE table_name = 'rw_view1';
+ 
+ SELECT table_name, is_updatable, is_insertable_into
+   FROM information_schema.views
+  WHERE table_name = 'rw_view1';
+ 
+ SELECT table_name, column_name, is_updatable
+   FROM information_schema.columns
+  WHERE table_name = 'rw_view1'
+  ORDER BY ordinal_position;
+ 
+ SELECT * FROM rw_view1 WHERE snoop(person);
+ UPDATE rw_view1 SET person=person WHERE snoop(person);
+ DELETE FROM rw_view1 WHERE NOT snoop(person);
+ 
+ EXPLAIN (costs off) SELECT * FROM rw_view1 WHERE snoop(person);
+ EXPLAIN (costs off) UPDATE rw_view1 SET person=person WHERE snoop(person);
+ EXPLAIN (costs off) DELETE FROM rw_view1 WHERE NOT snoop(person);
+ 
+ -- security barrier view on top of security barrier view
+ 
+ CREATE VIEW rw_view2 WITH (security_barrier = true) AS
+   SELECT * FROM rw_view1 WHERE snoop(person);
+ 
+ SELECT table_name, is_insertable_into
+   FROM information_schema.tables
+  WHERE table_name = 'rw_view2';
+ 
+ SELECT table_name, is_updatable, is_insertable_into
+   FROM information_schema.views
+  WHERE table_name = 'rw_view2';
+ 
+ SELECT table_name, column_name, is_updatable
+   FROM information_schema.columns
+  WHERE table_name = 'rw_view2'
+  ORDER BY ordinal_position;
+ 
+ SELECT * FROM rw_view2 WHERE snoop(person);
+ UPDATE rw_view2 SET person=person WHERE snoop(person);
+ DELETE FROM rw_view2 WHERE NOT snoop(person);
+ 
+ EXPLAIN (costs off) SELECT * FROM rw_view2 WHERE snoop(person);
+ EXPLAIN (costs off) UPDATE rw_view2 SET person=person WHERE snoop(person);
+ EXPLAIN (costs off) DELETE FROM rw_view2 WHERE NOT snoop(person);
+ 
+ DROP TABLE base_tbl CASCADE;
+ 
+ -- security barrier view on top of table with rules
+ 
+ CREATE TABLE base_tbl(id int PRIMARY KEY, data text, deleted boolean);
+ INSERT INTO base_tbl VALUES (1, 'Row 1', false), (2, 'Row 2', true);
+ 
+ CREATE RULE base_tbl_ins_rule AS ON INSERT TO base_tbl
+   WHERE EXISTS (SELECT 1 FROM base_tbl t WHERE t.id = new.id)
+   DO INSTEAD
+     UPDATE base_tbl SET data = new.data, deleted = false WHERE id = new.id;
+ 
+ CREATE RULE base_tbl_del_rule AS ON DELETE TO base_tbl
+   DO INSTEAD
+     UPDATE base_tbl SET deleted = true WHERE id = old.id;
+ 
+ CREATE VIEW rw_view1 WITH (security_barrier=true) AS
+   SELECT id, data FROM base_tbl WHERE NOT deleted;
+ 
+ SELECT * FROM rw_view1;
+ 
+ EXPLAIN (costs off) DELETE FROM rw_view1 WHERE id = 1 AND snoop(data);
+ DELETE FROM rw_view1 WHERE id = 1 AND snoop(data);
+ 
+ EXPLAIN (costs off) INSERT INTO rw_view1 VALUES (2, 'New row 2');
+ INSERT INTO rw_view1 VALUES (2, 'New row 2');
+ 
+ SELECT * FROM base_tbl;
+ 
+ DROP TABLE base_tbl CASCADE;