Remove the row_security=force GUC value.

Every query of a single ENABLE ROW SECURITY table has two meanings, with the row_security GUC selecting between them. With row_security=force available, every function author would have been advised to either set the GUC locally or test both meanings. Non-compliance would have threatened reliability and, for SECURITY DEFINER functions, security. Authors already face an obligation to account for search_path, and we should not mimic that example. With this change, only BYPASSRLS roles need exercise the aforementioned care. Back-patch to 9.5, where the row_security GUC was introduced. Since this narrows the domain of pg_db_role_setting.setconfig and pg_proc.proconfig, one might bump catversion. A row_security=force setting in one of those columns will elicit a clear message, so don't.
2025-12-21 05:21:08 +03:00 · 2015-09-20 20:45:41 -04:00
parent 8346218c02
commit 537bd178c7
8 changed files with 34 additions and 241 deletions
--- a/src/include/utils/plancache.h
+++ b/src/include/utils/plancache.h
@@ -110,7 +110,7 @@ typedef struct CachedPlanSource
 	double		total_custom_cost;		/* total cost of custom plans so far */
 	int			num_custom_plans;		/* number of plans included in total */
 	bool		hasRowSecurity; /* planned with row security? */
-	int			row_security_env;		/* row security setting when planned */
+	bool		row_security_env;		/* row security setting when planned */
 	bool		rowSecurityDisabled;	/* is row security disabled? */
 } CachedPlanSource;