]> granicus.if.org Git - postgresql/commit
projects / postgresql / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 58b30d9) | patch
RLS: Keep deny policy when only restrictive exist
authorStephen Frost <sfrost@snowman.net>
Mon, 3 Aug 2015 19:32:49 +0000 (15:32 -0400)
committerStephen Frost <sfrost@snowman.net>
Mon, 3 Aug 2015 19:32:58 +0000 (15:32 -0400)
commit8f439658524d4a3566682ff9e25d4791c5498e53
tree91c82bafd413768afe2a2e795536076b3eaca00ctree | snapshot
parent58b30d9829ce9c3273e8ca32be62ebc2fd0e8153commit | diff
RLS: Keep deny policy when only restrictive exist

Only remove the default deny policy when a permissive policy exists
(either from the hook or defined by the user).  If only restrictive
policies exist then no rows will be visible, as restrictive policies
shouldn't make rows visible.  To address this requirement, a single
"USING (true)" permissive policy can be created.

Update the test_rls_hooks regression tests to create the necessary
"USING (true)" permissive policy.

Back-patch to 9.5 where RLS was added.

Per discussion with Dean.
src/backend/rewrite/rowsecurity.c diff | blob | history
src/test/modules/test_rls_hooks/expected/test_rls_hooks.out diff | blob | history
src/test/modules/test_rls_hooks/sql/test_rls_hooks.sql diff | blob | history
src/test/modules/test_rls_hooks/test_rls_hooks.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.