Make BYPASSRLS behave like superuser RLS bypass.

Specifically, make its effect independent from the row_security GUC, and make it affect permission checks pertinent to views the BYPASSRLS role owns. The row_security GUC thereby ceases to change successful-query behavior; it can only make a query fail with an error. Back-patch to 9.5, where BYPASSRLS was introduced.
2025-12-18 05:01:01 +03:00 · 2015-10-03 20:19:57 -04:00
parent 23fc0b485d
commit 3cb0a7e75a
8 changed files with 44 additions and 76 deletions
--- a/doc/src/sgml/ref/create_role.sgml
+++ b/doc/src/sgml/ref/create_role.sgml
@@ -196,16 +196,13 @@ CREATE ROLE <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replac
      <term><literal>NOBYPASSRLS</literal></term>
      <listitem>
       <para>
-        These clauses determine whether a role is allowed to bypass row-level security (RLS)
-        policies.  A role having the <literal>BYPASSRLS</literal> attribute will
-        be allowed to bypass row-security policies by setting
-        <literal>row_security</literal> to
-        <literal>OFF</literal>. <literal>NOBYPASSRLS</literal> is the default.
+        These clauses determine whether a role bypasses every row-level
+        security (RLS) policy.  <literal>NOBYPASSRLS</literal> is the default.
        Note that pg_dump will set <literal>row_security</literal> to
        <literal>OFF</literal> by default, to ensure all contents of a table are
        dumped out.  If the user running pg_dump does not have appropriate
        permissions, an error will be returned.  The superuser and owner of the
-        table being dumped are considered to always have the right to bypass RLS.
+        table being dumped always bypass RLS.
       </para>
      </listitem>
     </varlistentry>