betodealmeida edited a comment on pull request #19055:
URL: https://github.com/apache/superset/pull/19055#issuecomment-1064329958


   @suddjian I modified the logic to always include the RLS even if it's 
already present, since there are a few corner cases that are hard to identify. 
For example, if we have the RLS `user_id=1` and this query:
   
   ```sql
   SELECT * FROM table
   WHERE TRUE OR user_id=1
   ```
   
   Even though we already have the token `Comparison(user_id=1)` in the `WHERE` 
clause, we still need to apply it, since in this case the comparison is a no-op. So 
we need to add it:
   
   ```sql
   SELECT * FROM table
   WHERE TRUE OR user_id=1 AND user_id=1
   ```
   
   More importantly, because of the precedence of `AND` over `OR`, we need to 
wrap the original predicate in parentheses:
   
   ```sql
   SELECT * FROM table
   WHERE (TRUE OR user_id=1) AND user_id=1
   ```
   
   Without parentheses the predicate evaluates to 
`TRUE OR (user_id=1 AND user_id=1)`, which bypasses the RLS!
   
   I implemented the logic to wrap the original predicate and added tests 
covering it.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
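
The precedence issue described in the comment above, as an added example that is not part of the original comment and is not Superset's code. It runs the unwrapped and the wrapped predicate against an in-memory SQLite table; the table name `orders`, its rows and the helper names are constructed for illustration.

```python
import sqlite3
from typing import List

USER_WHERE = "TRUE OR user_id=1"   # predicate from the comment
RLS = "user_id=1"                  # RLS filter from the comment


def apply_rls_naive(where: str, rls: str) -> str:
    """Append the RLS filter without grouping the existing predicate."""
    return f"{where} AND {rls}"


def apply_rls_wrapped(where: str, rls: str) -> str:
    """Parenthesize the existing predicate before AND-ing the RLS filter."""
    return f"({where}) AND {rls}"


def visible_user_ids(where: str) -> List[int]:
    """Return the distinct user_id values a query with this WHERE can read."""
    conn = sqlite3.connect(":memory:")
    try:
        # Constructed sample data: rows owned by three different users.
        conn.execute("CREATE TABLE orders (id INTEGER, user_id INTEGER)")
        conn.executemany(
            "INSERT INTO orders VALUES (?, ?)",
            [(1, 1), (2, 2), (3, 3), (4, 1)],
        )
        rows = conn.execute(
            f"SELECT DISTINCT user_id FROM orders WHERE {where} ORDER BY user_id"
        ).fetchall()
        return [row[0] for row in rows]
    finally:
        conn.close()


if __name__ == "__main__":
    for build in (apply_rls_naive, apply_rls_wrapped):
        where = build(USER_WHERE, RLS)
        print(f"{build.__name__}: WHERE {where} -> users {visible_user_ids(where)}")
```
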


