All, Through continued testing, we've discovered an issue in the WITH CHECK OPTION code when it comes to column-level privileges which impacts 9.4.
It's pretty straight-forward, thankfully, but: postgres=# create view myview postgres-# with (security_barrier = true, postgres-# check_option = 'local') postgres-# as select * from passwd where username = current_user; CREATE VIEW postgres=# grant select (username) on myview to public; GRANT postgres=# grant update on myview to public; GRANT postgres=# set role alice; SET postgres=> update myview set username = 'joe'; ERROR: new row violates WITH CHECK OPTION for "myview" DETAIL: Failing row contains (joe, abc). Note that the entire failing tuple is returned, including the 'password' column, even though the 'alice' user does not have select rights on that column. The detail information is useful for debugging, but I believe we have to remove it from the error message. Barring objections, and in the hopes of getting the next beta out the door soon, I'll move forward with this change and back-patch it to 9.4 after a few hours (or I can do it tomorrow if there is contention; I don't know what, if any, specific plans there are for the next beta, just that it's hopefully 'soon'). To hopefully shorten the discussion about 9.4, I'll clarify that I'm happy to discuss trying to re-work this in 9.5 to include what columns the user should be able to see (if there is consensus that we should do that at all) but I don't see that as a change which should be back-patched to 9.4 at this point given that we're trying to get it out the door. Thanks! Stephen
signature.asc
Description: Digital signature