Participants
Nicolas M
Nicolas M
Tom Lane
Tom Lane
Attachments
Show all attachments
Thread Outline
#1Nicolas MNicolas M
Dec 15, 2021
#2Tom LaneTom Laneto Nicolas M (#1)
Dec 16, 2021
#3Nicolas MNicolas Mto Tom Lane (#2)
Dec 16, 2021

Updatable view (where in) with check option doesn't validate data properly

Started by Nicolas Mover 4 years ago3 messagesbugs
Jump to latest
#1Nicolas M
Nicolas M
kiruahxh@gmail.com

https://stackoverflow.com/questions/70362651/postgres-updatable-view-where-in-with-check-option

I try to create updatable views with check option.
When I have joins in the filtering criteria, I use a where in clause to
simplify the queries.
However if I declare the view with both check option and where in, data
validation is not reliable. I don't see this restriction in the doc:
https://www.postgresql.org/docs/current/sql-createview.html

It looks like a bug.

create table tableA (
db_record_id serial NOT null PRIMARY KEY,
"name" varchar(60) NOT null UNIQUE
);
create or replace view viewSimpleAas select * from tableA where name
like 'a%'with check option;
create or replace view viewAas select * from tableAwhere db_record_id in (
select db_record_id from tableA
where name like 'a%'
) with check option;
insert into viewSimpleA(name) values('abc'); -- OKdelete from tableA;
insert into viewA(name) values('abc'); -- KO, SQL Error [44000]:
ERROR: new row violates check option for view "viewa"delete from
tableA;

insert into viewSimpleA(name) values('abc');
update viewSimpleA set name = 'fine'; -- OK: update is prevented by check option
delete from tableA;
insert into tableA(name) values('abc');
update viewA set name = 'fine'; -- KO: update is executed, view is now empty
delete from tableA;
select version(); -- PostgreSQL 13.5 (Debian 13.5-1.pgdg110+1) on
x86_64-pc-linux-gnu, compiled by gcc (Debian 10.2.1-6) 10.2.1
20210110, 64-bit

#2Tom Lane
Tom Lane
tgl@sss.pgh.pa.us
In reply to: Nicolas M (#1)
Re: Updatable view (where in) with check option doesn't validate data properly

Nicolas M <kiruahxh@gmail.com> writes:

create or replace view viewSimpleA as select * from tableA where name
like 'a%'with check option;

[ behaves as expected ]

create or replace view viewA as select * from tableAwhere db_record_id in (
select db_record_id from tableA
where name like 'a%'
) with check option;

[ not so much ]

I don't think this is a bug. The problem is that we handle
WITH CHECK OPTION by seeing whether the proposed new tuple
value satisfies the view's WHERE clause. But the new tuple
isn't yet stored, or at least isn't yet visible, so that
that sub-select still finds the old row contents (or fails
to find any row at all, in your first test).

We could maybe hack our way to fixing that in the specific
case you show here, but I'm not very excited about that,
because this usage of WITH CHECK OPTION seems inherently
unsafe. For example, if we permit an update based on the
fact that there's currently a row with "name like 'a%'",
there's no way to be certain that some other transaction
hasn't concurrently changed or deleted that row. That'd
lead to inconsistency once both transactions commit.

In general I think that expecting WITH CHECK OPTION to
enforce non-immutable conditions is pretty hazardous,
for largely the same reasons that a non-immutable CHECK
constraint is hazardous. We don't stop you from declaring
such a constraint, but it's likely to bite you in the rear.

regards, tom lane

#3Nicolas M
Nicolas M
kiruahxh@gmail.com
In reply to: Tom Lane (#2)
Re: Updatable view (where in) with check option doesn't validate data properly

To add more context about this issue, I am currently porting a software
which works with both Oracle and MSSQL.
Those two RDBMS support views with "check option" that contain either
subqueries or inner joins. In practice we also use "with recursive" in some
subqueries.

Using "check option" without self table subqueries or inner joins puts a
big restriction on what can be achieved through this mechanism.
The fact that view creation is supported in postgres but yields undefined
behavior bothers me. I would have to rewrite a lot of views to make them
compatible with postgres; and then do extensive tests for each of them to
validate postgres behavior upon inserts and updates. The safety net is very
thin here, and I guess postgres implementation could change at every moment
making the application crash with new versions of the RDBMS.

Regards,
Nicolas M

Le jeu. 16 déc. 2021 à 02:05, Tom Lane <tgl@sss.pgh.pa.us> a écrit :

Show quoted text

Nicolas M <kiruahxh@gmail.com> writes:

create or replace view viewSimpleA as select * from tableA where name
like 'a%'with check option;

[ behaves as expected ]

create or replace view viewA as select * from tableAwhere db_record_id

in (

select db_record_id from tableA
where name like 'a%'
) with check option;

[ not so much ]

I don't think this is a bug. The problem is that we handle
WITH CHECK OPTION by seeing whether the proposed new tuple
value satisfies the view's WHERE clause. But the new tuple
isn't yet stored, or at least isn't yet visible, so that
that sub-select still finds the old row contents (or fails
to find any row at all, in your first test).

We could maybe hack our way to fixing that in the specific
case you show here, but I'm not very excited about that,
because this usage of WITH CHECK OPTION seems inherently
unsafe. For example, if we permit an update based on the
fact that there's currently a row with "name like 'a%'",
there's no way to be certain that some other transaction
hasn't concurrently changed or deleted that row. That'd
lead to inconsistency once both transactions commit.

In general I think that expecting WITH CHECK OPTION to
enforce non-immutable conditions is pretty hazardous,
for largely the same reasons that a non-immutable CHECK
constraint is hazardous. We don't stop you from declaring
such a constraint, but it's likely to bite you in the rear.

regards, tom lane

← Back to Topics