From: | Heikki Linnakangas <hlinnakangas(at)vmware(dot)com> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: WITH CHECK and Column-Level Privileges |
Date: | 2014-09-26 15:04:12 |
Message-ID: | 5425806C.5080506@vmware.com |
Lists: | pgsql-hackers |

On 09/26/2014 05:20 PM, Stephen Frost wrote:
> All,
>
> Through continued testing, we've discovered an issue in the
> WITH CHECK OPTION code when it comes to column-level privileges
> which impacts 9.4.
>
> It's pretty straight-forward, thankfully, but:
>
> postgres=# create view myview
> postgres-# with (security_barrier = true,
> postgres-# check_option = 'local')
> postgres-# as select * from passwd where username = current_user;
> CREATE VIEW
> postgres=# grant select (username) on myview to public;
> GRANT
> postgres=# grant update on myview to public;
> GRANT
> postgres=# set role alice;
> SET
> postgres=> update myview set username = 'joe';
> ERROR: new row violates WITH CHECK OPTION for "myview"
> DETAIL: Failing row contains (joe, abc).
>
> Note that the entire failing tuple is returned, including the
> 'password' column, even though the 'alice' user does not have select
> rights on that column.

Are there similar problems with unique or exclusion constraints?

> The detail information is useful for debugging, but I believe we have
> to remove it from the error message.
>
> Barring objections, and in the hopes of getting the next beta out the
> door soon, I'll move forward with this change and back-patch it to
> 9.4 after a few hours

What exactly are you going to commit? Did you forget to attach a patch?

> (or I can do it tomorrow if there is contention;
> I don't know what, if any, specific plans there are for the next beta,
> just that it's hopefully 'soon').

Probably would be wise to wait till tomorrow; there's no need to rush this.

- Heikki