granicus.if.org Git - postgresql/commit

author	Noah Misch <noah@leadboat.com>
	Mon, 21 Sep 2015 00:45:41 +0000 (20:45 -0400)
committer	Noah Misch <noah@leadboat.com>
	Mon, 21 Sep 2015 00:45:54 +0000 (20:45 -0400)
commit	6dae6edcd88cf3be06acf247c10de925bc065274
tree	0f3cebd0d38a7d31cf29a145d51933b2ed5fa224	tree \| snapshot
parent	1be9d65e17abc6215a6faae9bc3f714dd3d040b6	commit \| diff

Remove the row_security=force GUC value.

Every query of a single ENABLE ROW SECURITY table has two meanings, with
the row_security GUC selecting between them.  With row_security=force
available, every function author would have been advised to either set
the GUC locally or test both meanings.  Non-compliance would have
threatened reliability and, for SECURITY DEFINER functions, security.
Authors already face an obligation to account for search_path, and we
should not mimic that example.  With this change, only BYPASSRLS roles
need exercise the aforementioned care.  Back-patch to 9.5, where the
row_security GUC was introduced.

Since this narrows the domain of pg_db_role_setting.setconfig and
pg_proc.proconfig, one might bump catversion.  A row_security=force
setting in one of those columns will elicit a clear message, so don't.

doc/src/sgml/config.sgml		diff \| blob \| history
doc/src/sgml/ddl.sgml		diff \| blob \| history
src/backend/utils/misc/guc.c		diff \| blob \| history
src/backend/utils/misc/rls.c		diff \| blob \| history
src/include/utils/plancache.h		diff \| blob \| history
src/include/utils/rls.h		diff \| blob \| history
src/test/regress/expected/rowsecurity.out		diff \| blob \| history
src/test/regress/sql/rowsecurity.sql		diff \| blob \| history