Remove the row_security=force GUC value. Every query of a single ENABLE ROW SECURITY table has two meanings, with the row_security GUC selecting between them. With row_security=force available, every function author would have been advised to either set the GUC locally or test both meanings. Non-compliance would have threatened reliability and, for SECURITY DEFINER functions, security. Authors already face an obligation to account for search_path, and we should not mimic that example. With this change, only BYPASSRLS roles need exercise the aforementioned care. Back-patch to 9.5, where the row_security GUC was introduced.
Since this narrows the domain of pg_db_role_setting.setconfig and pg_proc.proconfig, one might bump catversion. A row_security=force setting in one of those columns will elicit a clear message, so don't. Branch ------ REL9_5_STABLE Details ------- http://git.postgresql.org/pg/commitdiff/6dae6edcd88cf3be06acf247c10de925bc065274 Modified Files -------------- doc/src/sgml/config.sgml | 13 +--- doc/src/sgml/ddl.sgml | 17 ++--- src/backend/utils/misc/guc.c | 39 +++------- src/backend/utils/misc/rls.c | 29 +++----- src/include/utils/plancache.h | 2 +- src/include/utils/rls.h | 12 +--- src/test/regress/expected/rowsecurity.out | 111 +---------------------------- src/test/regress/sql/rowsecurity.sql | 52 +------------- 8 files changed, 34 insertions(+), 241 deletions(-) -- Sent via pgsql-committers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-committers
