On 11/08/2013 11:03 PM, Robert Haas wrote:
>> > Separate "READ DELETE" etc would only be interesting if we wanted to let
>> > someone DELETE rows they cannot SELECT. Since we have DELETE ...
>> > RETURNING, and since users can write a predicate function for DELETE
>> > that leaks the information even if we didn't, in practice if you give
>> > the user any READ right you've given them all of them. So I don't think
>> > we can support that (except maybe by column RLS down the track).
>
> Well, we could require SELECT privilege when a a RETURNING clause is 
> present...

Absolutely could. Wouldn't stop them grabbing the data via a predicate
function on the update/delete, though, and we can't sanely (IMO) require
SELECT rights if they want to use non-LEAKPROOF functions/operators either.

I do think this needs looking at further, but I suspect it's an area
where Pg's flexibility will make life harder.


-- 
 Craig Ringer                   http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Reply via email to