RLS in CTE incorrect permission failure
In the attached script, the second insert into t2 (as part of the CTE)
should succeed. My actual use case isn't much more complex; the function is
used primarily to allow peaking at columns that the function definer has
access to but a typical user does not. Function also makes it easy to copy
this policy to a number of structures.
The function within the policy doesn't seem to be able to see records
inserted by earlier statements in the CTE. Perhaps this is as simple as
adding a command counter increment in the right place?
Fails in 9.5.7 and HEAD.
--
Rod Taylor
Attachments:
Rod Taylor <rod.taylor@gmail.com> writes:
In the attached script, the second insert into t2 (as part of the CTE)
should succeed.
No, I don't think so. You declared the check function as STABLE which
means it is confined to seeing the same snapshot as the surrounding query.
So it can't see anything inserted by that query.
Possibly it'd work as you wish with a VOLATILE function.
regards, tom lane
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
On Wed, Jun 21, 2017 at 7:46 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
Rod Taylor <rod.taylor@gmail.com> writes:
In the attached script, the second insert into t2 (as part of the CTE)
should succeed.No, I don't think so. You declared the check function as STABLE which
means it is confined to seeing the same snapshot as the surrounding query.
So it can't see anything inserted by that query.Possibly it'd work as you wish with a VOLATILE function.
Indeed, that works as expected.
Sorry for the noise.
--
Rod Taylor