All, Through continued testing, we've discovered an issue in the WITH CHECK OPTION code when it comes to column-level privileges which impacts 9.4.
It's pretty straight-forward, thankfully, but:
postgres=# create view myview
postgres-# with (security_barrier = true,
postgres-# check_option = 'local')
postgres-# as select * from passwd where username = current_user;
CREATE VIEW
postgres=# grant select (username) on myview to public;
GRANT
postgres=# grant update on myview to public;
GRANT
postgres=# set role alice;
SET
postgres=> update myview set username = 'joe';
ERROR: new row violates WITH CHECK OPTION for "myview"
DETAIL: Failing row contains (joe, abc).
Note that the entire failing tuple is returned, including the
'password' column, even though the 'alice' user does not have select
rights on that column.
The detail information is useful for debugging, but I believe we have
to remove it from the error message.
Barring objections, and in the hopes of getting the next beta out the
door soon, I'll move forward with this change and back-patch it to
9.4 after a few hours (or I can do it tomorrow if there is contention;
I don't know what, if any, specific plans there are for the next beta,
just that it's hopefully 'soon').
To hopefully shorten the discussion about 9.4, I'll clarify that I'm
happy to discuss trying to re-work this in 9.5 to include what columns
the user should be able to see (if there is consensus that we should
do that at all) but I don't see that as a change which should be
back-patched to 9.4 at this point given that we're trying to get it
out the door.
Thanks!
Stephen
signature.asc
Description: Digital signature
