On 04/13/2017 01:31 PM, Stephen Frost wrote:
> * Robert Haas (robertmh...@gmail.com) wrote:
>> On Thu, Apr 6, 2017 at 4:05 PM, Rod Taylor <rod.tay...@gmail.com> wrote:
>> > I'm a little confused on why a SELECT policy fires against the NEW record
>> > for an UPDATE when using multiple FOR policies. The ALL policy doesn't seem
>> > to have that restriction.
>> My guess is that you have found a bug.
> Indeed.  Joe's been looking into it and I'm hoping to find some time to
> dig into it shortly.

>> CREATE POLICY split_select ON t FOR SELECT TO split
>> USING (value > 0);
>> CREATE POLICY split_update ON t FOR UPDATE TO split
>> USING (true) WITH CHECK (true);

Yes -- from what I can see in gdb:

1) add_with_check_options() adds both (value > 0) and (true) to
   withCheckOptions -- this seems correct as the USING expression
   is used for WITH CHECK when the latter is not specified

2) ExecWithCheckOptions() checks (value > 0) which fails, and it
   immediately throws an ERROR, i.e. it never checks the (true)
   expression and therefore never ORs the results -- this seems
   incorrect, it uses restrictive not permissive


Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to