On 04/13/2017 01:31 PM, Stephen Frost wrote: > * Robert Haas (robertmh...@gmail.com) wrote: >> On Thu, Apr 6, 2017 at 4:05 PM, Rod Taylor <rod.tay...@gmail.com> wrote: >> > I'm a little confused on why a SELECT policy fires against the NEW record >> > for an UPDATE when using multiple FOR policies. The ALL policy doesn't seem >> > to have that restriction. >> >> My guess is that you have found a bug. > > Indeed. Joe's been looking into it and I'm hoping to find some time to > dig into it shortly.
>> CREATE POLICY split_select ON t FOR SELECT TO split >> USING (value > 0); >> CREATE POLICY split_update ON t FOR UPDATE TO split >> USING (true) WITH CHECK (true); Yes -- from what I can see in gdb: 1) add_with_check_options() adds both (value > 0) and (true) to withCheckOptions -- this seems correct as the USING expression is used for WITH CHECK when the latter is not specified 2) ExecWithCheckOptions() checks (value > 0) which fails, and it immediately throws an ERROR, i.e. it never checks the (true) expression and therefore never ORs the results -- this seems incorrect, it uses restrictive not permissive Joe -- Crunchy Data - http://crunchydata.com PostgreSQL Support for Secure Enterprises Consulting, Training, & Open Source Development
Description: OpenPGP digital signature