Remove the row_security=force GUC value.
Every query of a single ENABLE ROW SECURITY table has two meanings, with the row_security GUC selecting between them. With row_security=force available, every function author would have been advised to either set the GUC locally or test both meanings. Non-compliance would have threatened reliability and, for SECURITY DEFINER functions, security. Authors already face an obligation to account for search_path, and we should not mimic that example. With this change, only BYPASSRLS roles need exercise the aforementioned care. Back-patch to 9.5, where the row_security GUC was introduced. Since this narrows the domain of pg_db_role_setting.setconfig and pg_proc.proconfig, one might bump catversion. A row_security=force setting in one of those columns will elicit a clear message, so don't.
@ -359,19 +359,6 @@ SELECT * FROM category;
|
||||
44 | manga
|
||||
(4 rows)
|
||||
|
||||
-- database superuser does not bypass RLS policy when FORCE enabled.
|
||||
RESET SESSION AUTHORIZATION;
|
||||
SET row_security TO FORCE;
|
||||
SELECT * FROM document;
|
||||
did | cid | dlevel | dauthor | dtitle
|
||||
-----+-----+--------+---------+--------
|
||||
(0 rows)
|
||||
|
||||
SELECT * FROM category;
|
||||
cid | cname
|
||||
-----+-------
|
||||
(0 rows)
|
||||
|
||||
-- database superuser does bypass RLS policy when disabled
|
||||
RESET SESSION AUTHORIZATION;
|
||||
SET row_security TO OFF;
|
||||
@ -424,19 +411,6 @@ SELECT * FROM category;
|
||||
44 | manga
|
||||
(4 rows)
|
||||
|
||||
-- RLS policy applies to table owner when FORCE enabled.
|
||||
SET SESSION AUTHORIZATION rls_regress_user0;
|
||||
SET row_security TO FORCE;
|
||||
SELECT * FROM document;
|
||||
did | cid | dlevel | dauthor | dtitle
|
||||
-----+-----+--------+---------+--------
|
||||
(0 rows)
|
||||
|
||||
SELECT * FROM category;
|
||||
cid | cname
|
||||
-----+-------
|
||||
(0 rows)
|
||||
|
||||
-- RLS policy does not apply to table owner when RLS enabled.
|
||||
SET SESSION AUTHORIZATION rls_regress_user0;
|
||||
SET row_security TO ON;
|
||||
@ -2520,35 +2494,6 @@ EXPLAIN (COSTS OFF) SELECT * FROM t1;
|
||||
Seq Scan on t1
|
||||
(1 row)
|
||||
|
||||
-- Check that default deny does apply to superuser when RLS force.
|
||||
SET row_security TO FORCE;
|
||||
RESET SESSION AUTHORIZATION;
|
||||
SELECT * FROM t1;
|
||||
a | b
|
||||
---+---
|
||||
(0 rows)
|
||||
|
||||
EXPLAIN (COSTS OFF) SELECT * FROM t1;
|
||||
QUERY PLAN
|
||||
--------------------------
|
||||
Result
|
||||
One-Time Filter: false
|
||||
(2 rows)
|
||||
|
||||
-- Check that default deny does apply to table owner when RLS force.
|
||||
SET SESSION AUTHORIZATION rls_regress_user0;
|
||||
SELECT * FROM t1;
|
||||
a | b
|
||||
---+---
|
||||
(0 rows)
|
||||
|
||||
EXPLAIN (COSTS OFF) SELECT * FROM t1;
|
||||
QUERY PLAN
|
||||
--------------------------
|
||||
Result
|
||||
One-Time Filter: false
|
||||
(2 rows)
|
||||
|
||||
-- Check that default deny applies to non-owner/non-superuser when RLS on.
|
||||
SET SESSION AUTHORIZATION rls_regress_user1;
|
||||
SET row_security TO ON;
|
||||
@ -2616,14 +2561,6 @@ COPY (SELECT * FROM copy_t ORDER BY a ASC) TO STDOUT WITH DELIMITER ',';
|
||||
8,c9f0f895fb98ab9159f51fd0297e236d
|
||||
9,45c48cce2e2d7fbdea1afc51c7c6ad26
|
||||
10,d3d9446802a44259755d38e6d163e820
|
||||
SET row_security TO FORCE;
|
||||
COPY (SELECT * FROM copy_t ORDER BY a ASC) TO STDOUT WITH DELIMITER ',';
|
||||
0,cfcd208495d565ef66e7dff9f98764da
|
||||
2,c81e728d9d4c2f636f067f89cc14862c
|
||||
4,a87ff679a2f3e71d9181a67b7542122c
|
||||
6,1679091c5a880faf6fb5e6087eb1b2dc
|
||||
8,c9f0f895fb98ab9159f51fd0297e236d
|
||||
10,d3d9446802a44259755d38e6d163e820
|
||||
-- Check COPY TO as user with permissions.
|
||||
SET SESSION AUTHORIZATION rls_regress_user1;
|
||||
SET row_security TO OFF;
|
||||
@ -2637,14 +2574,6 @@ COPY (SELECT * FROM copy_t ORDER BY a ASC) TO STDOUT WITH DELIMITER ','; --ok
|
||||
6,1679091c5a880faf6fb5e6087eb1b2dc
|
||||
8,c9f0f895fb98ab9159f51fd0297e236d
|
||||
10,d3d9446802a44259755d38e6d163e820
|
||||
SET row_security TO FORCE;
|
||||
COPY (SELECT * FROM copy_t ORDER BY a ASC) TO STDOUT WITH DELIMITER ','; --ok
|
||||
0,cfcd208495d565ef66e7dff9f98764da
|
||||
2,c81e728d9d4c2f636f067f89cc14862c
|
||||
4,a87ff679a2f3e71d9181a67b7542122c
|
||||
6,1679091c5a880faf6fb5e6087eb1b2dc
|
||||
8,c9f0f895fb98ab9159f51fd0297e236d
|
||||
10,d3d9446802a44259755d38e6d163e820
|
||||
-- Check COPY TO as user with permissions and BYPASSRLS
|
||||
SET SESSION AUTHORIZATION rls_regress_exempt_user;
|
||||
SET row_security TO OFF;
|
||||
@ -2668,14 +2597,6 @@ COPY (SELECT * FROM copy_t ORDER BY a ASC) TO STDOUT WITH DELIMITER ','; --ok
|
||||
6,1679091c5a880faf6fb5e6087eb1b2dc
|
||||
8,c9f0f895fb98ab9159f51fd0297e236d
|
||||
10,d3d9446802a44259755d38e6d163e820
|
||||
SET row_security TO FORCE;
|
||||
COPY (SELECT * FROM copy_t ORDER BY a ASC) TO STDOUT WITH DELIMITER ','; --ok
|
||||
0,cfcd208495d565ef66e7dff9f98764da
|
||||
2,c81e728d9d4c2f636f067f89cc14862c
|
||||
4,a87ff679a2f3e71d9181a67b7542122c
|
||||
6,1679091c5a880faf6fb5e6087eb1b2dc
|
||||
8,c9f0f895fb98ab9159f51fd0297e236d
|
||||
10,d3d9446802a44259755d38e6d163e820
|
||||
-- Check COPY TO as user without permissions. SET row_security TO OFF;
|
||||
SET SESSION AUTHORIZATION rls_regress_user2;
|
||||
SET row_security TO OFF;
|
||||
@ -2684,9 +2605,6 @@ ERROR: insufficient privilege to bypass row security.
|
||||
SET row_security TO ON;
|
||||
COPY (SELECT * FROM copy_t ORDER BY a ASC) TO STDOUT WITH DELIMITER ','; --fail - permission denied
|
||||
ERROR: permission denied for relation copy_t
|
||||
SET row_security TO FORCE;
|
||||
COPY (SELECT * FROM copy_t ORDER BY a ASC) TO STDOUT WITH DELIMITER ','; --fail - permission denied
|
||||
ERROR: permission denied for relation copy_t
|
||||
-- Check COPY relation TO; keep it just one row to avoid reordering issues
|
||||
RESET SESSION AUTHORIZATION;
|
||||
SET row_security TO ON;
|
||||
@ -2703,8 +2621,6 @@ COPY copy_rel_to TO STDOUT WITH DELIMITER ',';
|
||||
SET row_security TO ON;
|
||||
COPY copy_rel_to TO STDOUT WITH DELIMITER ',';
|
||||
1,c4ca4238a0b923820dcc509a6f75849b
|
||||
SET row_security TO FORCE;
|
||||
COPY copy_rel_to TO STDOUT WITH DELIMITER ',';
|
||||
-- Check COPY TO as user with permissions.
|
||||
SET SESSION AUTHORIZATION rls_regress_user1;
|
||||
SET row_security TO OFF;
|
||||
@ -2712,8 +2628,6 @@ COPY copy_rel_to TO STDOUT WITH DELIMITER ','; --fail - insufficient to bypass r
|
||||
ERROR: insufficient privilege to bypass row security.
|
||||
SET row_security TO ON;
|
||||
COPY copy_rel_to TO STDOUT WITH DELIMITER ','; --ok
|
||||
SET row_security TO FORCE;
|
||||
COPY copy_rel_to TO STDOUT WITH DELIMITER ','; --ok
|
||||
-- Check COPY TO as user with permissions and BYPASSRLS
|
||||
SET SESSION AUTHORIZATION rls_regress_exempt_user;
|
||||
SET row_security TO OFF;
|
||||
@ -2721,8 +2635,6 @@ COPY copy_rel_to TO STDOUT WITH DELIMITER ','; --ok
|
||||
1,c4ca4238a0b923820dcc509a6f75849b
|
||||
SET row_security TO ON;
|
||||
COPY copy_rel_to TO STDOUT WITH DELIMITER ','; --ok
|
||||
SET row_security TO FORCE;
|
||||
COPY copy_rel_to TO STDOUT WITH DELIMITER ','; --ok
|
||||
-- Check COPY TO as user without permissions. SET row_security TO OFF;
|
||||
SET SESSION AUTHORIZATION rls_regress_user2;
|
||||
SET row_security TO OFF;
|
||||
@ -2731,19 +2643,12 @@ ERROR: permission denied for relation copy_rel_to
|
||||
SET row_security TO ON;
|
||||
COPY copy_rel_to TO STDOUT WITH DELIMITER ','; --fail - permission denied
|
||||
ERROR: permission denied for relation copy_rel_to
|
||||
SET row_security TO FORCE;
|
||||
COPY copy_rel_to TO STDOUT WITH DELIMITER ','; --fail - permission denied
|
||||
ERROR: permission denied for relation copy_rel_to
|
||||
-- Check COPY FROM as Superuser/owner.
|
||||
RESET SESSION AUTHORIZATION;
|
||||
SET row_security TO OFF;
|
||||
COPY copy_t FROM STDIN; --ok
|
||||
SET row_security TO ON;
|
||||
COPY copy_t FROM STDIN; --ok
|
||||
SET row_security TO FORCE;
|
||||
COPY copy_t FROM STDIN; --fail - COPY FROM not supported by RLS.
|
||||
ERROR: COPY FROM not supported with row level security.
|
||||
HINT: Use direct INSERT statements instead.
|
||||
-- Check COPY FROM as user with permissions.
|
||||
SET SESSION AUTHORIZATION rls_regress_user1;
|
||||
SET row_security TO OFF;
|
||||
@ -2753,10 +2658,6 @@ SET row_security TO ON;
|
||||
COPY copy_t FROM STDIN; --fail - COPY FROM not supported by RLS.
|
||||
ERROR: COPY FROM not supported with row level security.
|
||||
HINT: Use direct INSERT statements instead.
|
||||
SET row_security TO FORCE;
|
||||
COPY copy_t FROM STDIN; --fail - COPY FROM not supported by RLS.
|
||||
ERROR: COPY FROM not supported with row level security.
|
||||
HINT: Use direct INSERT statements instead.
|
||||
-- Check COPY TO as user with permissions and BYPASSRLS
|
||||
SET SESSION AUTHORIZATION rls_regress_exempt_user;
|
||||
SET row_security TO OFF;
|
||||
@ -2765,10 +2666,6 @@ SET row_security TO ON;
|
||||
COPY copy_t FROM STDIN; --fail - COPY FROM not supported by RLS.
|
||||
ERROR: COPY FROM not supported with row level security.
|
||||
HINT: Use direct INSERT statements instead.
|
||||
SET row_security TO FORCE;
|
||||
COPY copy_t FROM STDIN; --fail - COPY FROM not supported by RLS.
|
||||
ERROR: COPY FROM not supported with row level security.
|
||||
HINT: Use direct INSERT statements instead.
|
||||
-- Check COPY FROM as user without permissions.
|
||||
SET SESSION AUTHORIZATION rls_regress_user2;
|
||||
SET row_security TO OFF;
|
||||
@ -2777,9 +2674,6 @@ ERROR: permission denied for relation copy_t
|
||||
SET row_security TO ON;
|
||||
COPY copy_t FROM STDIN; --fail - permission denied.
|
||||
ERROR: permission denied for relation copy_t
|
||||
SET row_security TO FORCE;
|
||||
COPY copy_t FROM STDIN; --fail - permission denied.
|
||||
ERROR: permission denied for relation copy_t
|
||||
RESET SESSION AUTHORIZATION;
|
||||
DROP TABLE copy_t;
|
||||
DROP TABLE copy_rel_to CASCADE;
|
||||
@ -2932,16 +2826,17 @@ SELECT attname, most_common_vals FROM pg_stats
|
||||
-- Collation support
|
||||
--
|
||||
BEGIN;
|
||||
SET row_security TO FORCE;
|
||||
CREATE TABLE coll_t (c) AS VALUES ('bar'::text);
|
||||
CREATE POLICY coll_p ON coll_t USING (c < ('foo'::text COLLATE "C"));
|
||||
ALTER TABLE coll_t ENABLE ROW LEVEL SECURITY;
|
||||
GRANT SELECT ON coll_t TO rls_regress_user0;
|
||||
SELECT (string_to_array(polqual, ':'))[7] AS inputcollid FROM pg_policy WHERE polrelid = 'coll_t'::regclass;
|
||||
inputcollid
|
||||
------------------
|
||||
inputcollid 950
|
||||
(1 row)
|
||||
|
||||
SET SESSION AUTHORIZATION rls_regress_user0;
|
||||
SELECT * FROM coll_t;
|
||||
c
|
||||
-----
|
||||
@ -3008,7 +2903,6 @@ ROLLBACK; -- cleanup
|
||||
-- Converting table to view
|
||||
--
|
||||
BEGIN;
|
||||
SET ROW_SECURITY = FORCE;
|
||||
CREATE TABLE t (c int);
|
||||
CREATE POLICY p ON t USING (c % 2 = 1);
|
||||
ALTER TABLE t ENABLE ROW LEVEL SECURITY;
|
||||
@ -3031,7 +2925,6 @@ ROLLBACK;
|
||||
-- Policy expression handling
|
||||
--
|
||||
BEGIN;
|
||||
SET row_security = FORCE;
|
||||
CREATE TABLE t (c) AS VALUES ('bar'::text);
|
||||
CREATE POLICY p ON t USING (max(c)); -- fails: aggregate functions are not allowed in policy expressions
|
||||
ERROR: aggregate functions are not allowed in policy expressions
|
||||
|
@ -164,12 +164,6 @@ SET row_security TO ON;
|
||||
SELECT * FROM document;
|
||||
SELECT * FROM category;
|
||||
|
||||
-- database superuser does not bypass RLS policy when FORCE enabled.
|
||||
RESET SESSION AUTHORIZATION;
|
||||
SET row_security TO FORCE;
|
||||
SELECT * FROM document;
|
||||
SELECT * FROM category;
|
||||
|
||||
-- database superuser does bypass RLS policy when disabled
|
||||
RESET SESSION AUTHORIZATION;
|
||||
SET row_security TO OFF;
|
||||
@ -182,12 +176,6 @@ SET row_security TO OFF;
|
||||
SELECT * FROM document;
|
||||
SELECT * FROM category;
|
||||
|
||||
-- RLS policy applies to table owner when FORCE enabled.
|
||||
SET SESSION AUTHORIZATION rls_regress_user0;
|
||||
SET row_security TO FORCE;
|
||||
SELECT * FROM document;
|
||||
SELECT * FROM category;
|
||||
|
||||
-- RLS policy does not apply to table owner when RLS enabled.
|
||||
SET SESSION AUTHORIZATION rls_regress_user0;
|
||||
SET row_security TO ON;
|
||||
@ -966,17 +954,6 @@ SET SESSION AUTHORIZATION rls_regress_user0;
|
||||
SELECT * FROM t1;
|
||||
EXPLAIN (COSTS OFF) SELECT * FROM t1;
|
||||
|
||||
-- Check that default deny does apply to superuser when RLS force.
|
||||
SET row_security TO FORCE;
|
||||
RESET SESSION AUTHORIZATION;
|
||||
SELECT * FROM t1;
|
||||
EXPLAIN (COSTS OFF) SELECT * FROM t1;
|
||||
|
||||
-- Check that default deny does apply to table owner when RLS force.
|
||||
SET SESSION AUTHORIZATION rls_regress_user0;
|
||||
SELECT * FROM t1;
|
||||
EXPLAIN (COSTS OFF) SELECT * FROM t1;
|
||||
|
||||
-- Check that default deny applies to non-owner/non-superuser when RLS on.
|
||||
SET SESSION AUTHORIZATION rls_regress_user1;
|
||||
SET row_security TO ON;
|
||||
@ -1007,8 +984,6 @@ SET row_security TO OFF;
|
||||
COPY (SELECT * FROM copy_t ORDER BY a ASC) TO STDOUT WITH DELIMITER ',';
|
||||
SET row_security TO ON;
|
||||
COPY (SELECT * FROM copy_t ORDER BY a ASC) TO STDOUT WITH DELIMITER ',';
|
||||
SET row_security TO FORCE;
|
||||
COPY (SELECT * FROM copy_t ORDER BY a ASC) TO STDOUT WITH DELIMITER ',';
|
||||
|
||||
-- Check COPY TO as user with permissions.
|
||||
SET SESSION AUTHORIZATION rls_regress_user1;
|
||||
@ -1016,8 +991,6 @@ SET row_security TO OFF;
|
||||
COPY (SELECT * FROM copy_t ORDER BY a ASC) TO STDOUT WITH DELIMITER ','; --fail - insufficient to bypass rls
|
||||
SET row_security TO ON;
|
||||
COPY (SELECT * FROM copy_t ORDER BY a ASC) TO STDOUT WITH DELIMITER ','; --ok
|
||||
SET row_security TO FORCE;
|
||||
COPY (SELECT * FROM copy_t ORDER BY a ASC) TO STDOUT WITH DELIMITER ','; --ok
|
||||
|
||||
-- Check COPY TO as user with permissions and BYPASSRLS
|
||||
SET SESSION AUTHORIZATION rls_regress_exempt_user;
|
||||
@ -1025,8 +998,6 @@ SET row_security TO OFF;
|
||||
COPY (SELECT * FROM copy_t ORDER BY a ASC) TO STDOUT WITH DELIMITER ','; --ok
|
||||
SET row_security TO ON;
|
||||
COPY (SELECT * FROM copy_t ORDER BY a ASC) TO STDOUT WITH DELIMITER ','; --ok
|
||||
SET row_security TO FORCE;
|
||||
COPY (SELECT * FROM copy_t ORDER BY a ASC) TO STDOUT WITH DELIMITER ','; --ok
|
||||
|
||||
-- Check COPY TO as user without permissions. SET row_security TO OFF;
|
||||
SET SESSION AUTHORIZATION rls_regress_user2;
|
||||
@ -1034,8 +1005,6 @@ SET row_security TO OFF;
|
||||
COPY (SELECT * FROM copy_t ORDER BY a ASC) TO STDOUT WITH DELIMITER ','; --fail - insufficient to bypass rls
|
||||
SET row_security TO ON;
|
||||
COPY (SELECT * FROM copy_t ORDER BY a ASC) TO STDOUT WITH DELIMITER ','; --fail - permission denied
|
||||
SET row_security TO FORCE;
|
||||
COPY (SELECT * FROM copy_t ORDER BY a ASC) TO STDOUT WITH DELIMITER ','; --fail - permission denied
|
||||
|
||||
-- Check COPY relation TO; keep it just one row to avoid reordering issues
|
||||
RESET SESSION AUTHORIZATION;
|
||||
@ -1055,8 +1024,6 @@ SET row_security TO OFF;
|
||||
COPY copy_rel_to TO STDOUT WITH DELIMITER ',';
|
||||
SET row_security TO ON;
|
||||
COPY copy_rel_to TO STDOUT WITH DELIMITER ',';
|
||||
SET row_security TO FORCE;
|
||||
COPY copy_rel_to TO STDOUT WITH DELIMITER ',';
|
||||
|
||||
-- Check COPY TO as user with permissions.
|
||||
SET SESSION AUTHORIZATION rls_regress_user1;
|
||||
@ -1064,8 +1031,6 @@ SET row_security TO OFF;
|
||||
COPY copy_rel_to TO STDOUT WITH DELIMITER ','; --fail - insufficient to bypass rls
|
||||
SET row_security TO ON;
|
||||
COPY copy_rel_to TO STDOUT WITH DELIMITER ','; --ok
|
||||
SET row_security TO FORCE;
|
||||
COPY copy_rel_to TO STDOUT WITH DELIMITER ','; --ok
|
||||
|
||||
-- Check COPY TO as user with permissions and BYPASSRLS
|
||||
SET SESSION AUTHORIZATION rls_regress_exempt_user;
|
||||
@ -1073,8 +1038,6 @@ SET row_security TO OFF;
|
||||
COPY copy_rel_to TO STDOUT WITH DELIMITER ','; --ok
|
||||
SET row_security TO ON;
|
||||
COPY copy_rel_to TO STDOUT WITH DELIMITER ','; --ok
|
||||
SET row_security TO FORCE;
|
||||
COPY copy_rel_to TO STDOUT WITH DELIMITER ','; --ok
|
||||
|
||||
-- Check COPY TO as user without permissions. SET row_security TO OFF;
|
||||
SET SESSION AUTHORIZATION rls_regress_user2;
|
||||
@ -1082,8 +1045,6 @@ SET row_security TO OFF;
|
||||
COPY copy_rel_to TO STDOUT WITH DELIMITER ','; --fail - permission denied
|
||||
SET row_security TO ON;
|
||||
COPY copy_rel_to TO STDOUT WITH DELIMITER ','; --fail - permission denied
|
||||
SET row_security TO FORCE;
|
||||
COPY copy_rel_to TO STDOUT WITH DELIMITER ','; --fail - permission denied
|
||||
|
||||
-- Check COPY FROM as Superuser/owner.
|
||||
RESET SESSION AUTHORIZATION;
|
||||
@ -1101,8 +1062,6 @@ COPY copy_t FROM STDIN; --ok
|
||||
3 cde
|
||||
4 def
|
||||
\.
|
||||
SET row_security TO FORCE;
|
||||
COPY copy_t FROM STDIN; --fail - COPY FROM not supported by RLS.
|
||||
|
||||
-- Check COPY FROM as user with permissions.
|
||||
SET SESSION AUTHORIZATION rls_regress_user1;
|
||||
@ -1110,8 +1069,6 @@ SET row_security TO OFF;
|
||||
COPY copy_t FROM STDIN; --fail - insufficient privilege to bypass rls.
|
||||
SET row_security TO ON;
|
||||
COPY copy_t FROM STDIN; --fail - COPY FROM not supported by RLS.
|
||||
SET row_security TO FORCE;
|
||||
COPY copy_t FROM STDIN; --fail - COPY FROM not supported by RLS.
|
||||
|
||||
-- Check COPY TO as user with permissions and BYPASSRLS
|
||||
SET SESSION AUTHORIZATION rls_regress_exempt_user;
|
||||
@ -1124,8 +1081,6 @@ COPY copy_t FROM STDIN; --ok
|
||||
\.
|
||||
SET row_security TO ON;
|
||||
COPY copy_t FROM STDIN; --fail - COPY FROM not supported by RLS.
|
||||
SET row_security TO FORCE;
|
||||
COPY copy_t FROM STDIN; --fail - COPY FROM not supported by RLS.
|
||||
|
||||
-- Check COPY FROM as user without permissions.
|
||||
SET SESSION AUTHORIZATION rls_regress_user2;
|
||||
@ -1133,8 +1088,6 @@ SET row_security TO OFF;
|
||||
COPY copy_t FROM STDIN; --fail - permission denied.
|
||||
SET row_security TO ON;
|
||||
COPY copy_t FROM STDIN; --fail - permission denied.
|
||||
SET row_security TO FORCE;
|
||||
COPY copy_t FROM STDIN; --fail - permission denied.
|
||||
|
||||
RESET SESSION AUTHORIZATION;
|
||||
DROP TABLE copy_t;
|
||||
@ -1212,11 +1165,12 @@ SELECT attname, most_common_vals FROM pg_stats
|
||||
-- Collation support
|
||||
--
|
||||
BEGIN;
|
||||
SET row_security TO FORCE;
|
||||
CREATE TABLE coll_t (c) AS VALUES ('bar'::text);
|
||||
CREATE POLICY coll_p ON coll_t USING (c < ('foo'::text COLLATE "C"));
|
||||
ALTER TABLE coll_t ENABLE ROW LEVEL SECURITY;
|
||||
GRANT SELECT ON coll_t TO rls_regress_user0;
|
||||
SELECT (string_to_array(polqual, ':'))[7] AS inputcollid FROM pg_policy WHERE polrelid = 'coll_t'::regclass;
|
||||
SET SESSION AUTHORIZATION rls_regress_user0;
|
||||
SELECT * FROM coll_t;
|
||||
ROLLBACK;
|
||||
|
||||
@ -1268,7 +1222,6 @@ ROLLBACK; -- cleanup
|
||||
-- Converting table to view
|
||||
--
|
||||
BEGIN;
|
||||
SET ROW_SECURITY = FORCE;
|
||||
CREATE TABLE t (c int);
|
||||
CREATE POLICY p ON t USING (c % 2 = 1);
|
||||
ALTER TABLE t ENABLE ROW LEVEL SECURITY;
|
||||
@ -1293,7 +1246,6 @@ ROLLBACK;
|
||||
-- Policy expression handling
|
||||
--
|
||||
BEGIN;
|
||||
SET row_security = FORCE;
|
||||
CREATE TABLE t (c) AS VALUES ('bar'::text);
|
||||
CREATE POLICY p ON t USING (max(c)); -- fails: aggregate functions are not allowed in policy expressions
|
||||
ROLLBACK;
|
||||
|
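Review bot: Nothing in the visible test hunks pins the new behaviour that `force` is no longer an accepted value: every `SET row_security TO FORCE` case is deleted, starting with the superuser case in the hunk at `@ -164,12 +164,6 @@`, and no statement is added that expects the setting to be rejected. The commit message relies on a stale `row_security=force` in `pg_db_role_setting.setconfig` or `pg_proc.proconfig` eliciting a clear message, so a negative case such as `SET row_security TO FORCE; -- fails: value no longer accepted` next to the remaining ON/OFF cases, with the matching error in the expected output, would keep that guarantee from regressing silently. The server-side hunks are not shown on this page, so such a check may already exist elsewhere. Separately, the Collation support hunk at `@ -1212,11 +1165,12 @@` now appears to rely on `GRANT SELECT ON coll_t TO rls_regress_user0;` and `SET SESSION AUTHORIZATION rls_regress_user0;`, presumably so the policy is evaluated for a role that is neither owner nor superuser; a one-line comment such as `-- query as a non-owner so coll_p is applied` would record why.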