Rod, Robert, * Robert Haas (robertmh...@gmail.com) wrote: > On Fri, Apr 14, 2017 at 9:16 AM, Stephen Frost <sfr...@snowman.net> wrote: > > I agreed already up-thread that there's an issue there and will be > > looking to fix it. That comment was simply replying to Rod's point that > > the documentation could also be improved. > > OK, thanks. The wrap for the next set of minor releases is, according > to my understanding, scheduled for Monday, so you'd better jump on > this soon if you're hoping to get a fix out this time around.
The attached patch against master fixes this issue. Rod, if you get a chance, would be great for you to check that you no longer see a difference between the single ALL policy and the split SELECT/UPDATE policies. Thanks! Stephen
diff --git a/src/backend/rewrite/rowsecurity.c b/src/backend/rewrite/rowsecurity.c
new file mode 100644
index 5c8c0cf..5a2c78b
*** a/src/backend/rewrite/rowsecurity.c
--- b/src/backend/rewrite/rowsecurity.c
*************** static void add_with_check_options(Relat
*** 78,84 ****
List *permissive_policies,
List *restrictive_policies,
List **withCheckOptions,
! bool *hasSubLinks);
static bool check_role_for_policy(ArrayType *policy_roles, Oid user_id);
--- 78,85 ----
List *permissive_policies,
List *restrictive_policies,
List **withCheckOptions,
! bool *hasSubLinks,
! bool force_using);
static bool check_role_for_policy(ArrayType *policy_roles, Oid user_id);
*************** get_row_security_policies(Query *root, R
*** 272,278 ****
permissive_policies,
restrictive_policies,
withCheckOptions,
! hasSubLinks);
/*
* Get and add ALL/SELECT policies, if SELECT rights are required for
--- 273,280 ----
permissive_policies,
restrictive_policies,
withCheckOptions,
! hasSubLinks,
! false);
/*
* Get and add ALL/SELECT policies, if SELECT rights are required for
*************** get_row_security_policies(Query *root, R
*** 295,301 ****
select_permissive_policies,
select_restrictive_policies,
withCheckOptions,
! hasSubLinks);
}
/*
--- 297,304 ----
select_permissive_policies,
select_restrictive_policies,
withCheckOptions,
! hasSubLinks,
! true);
}
/*
*************** get_row_security_policies(Query *root, R
*** 324,330 ****
conflict_permissive_policies,
conflict_restrictive_policies,
withCheckOptions,
! hasSubLinks);
/*
* Get and add ALL/SELECT policies, as WCO_RLS_CONFLICT_CHECK WCOs
--- 327,334 ----
conflict_permissive_policies,
conflict_restrictive_policies,
withCheckOptions,
! hasSubLinks,
! true);
/*
* Get and add ALL/SELECT policies, as WCO_RLS_CONFLICT_CHECK WCOs
*************** get_row_security_policies(Query *root, R
*** 346,352 ****
conflict_select_permissive_policies,
conflict_select_restrictive_policies,
withCheckOptions,
! hasSubLinks);
}
/* Enforce the WITH CHECK clauses of the UPDATE policies */
--- 350,357 ----
conflict_select_permissive_policies,
conflict_select_restrictive_policies,
withCheckOptions,
! hasSubLinks,
! true);
}
/* Enforce the WITH CHECK clauses of the UPDATE policies */
*************** get_row_security_policies(Query *root, R
*** 355,361 ****
conflict_permissive_policies,
conflict_restrictive_policies,
withCheckOptions,
! hasSubLinks);
}
}
--- 360,367 ----
conflict_permissive_policies,
conflict_restrictive_policies,
withCheckOptions,
! hasSubLinks,
! false);
}
}
*************** add_with_check_options(Relation rel,
*** 659,671 ****
List *permissive_policies,
List *restrictive_policies,
List **withCheckOptions,
! bool *hasSubLinks)
{
ListCell *item;
List *permissive_quals = NIL;
#define QUAL_FOR_WCO(policy) \
! ( kind != WCO_RLS_CONFLICT_CHECK && \
(policy)->with_check_qual != NULL ? \
(policy)->with_check_qual : (policy)->qual )
--- 665,678 ----
List *permissive_policies,
List *restrictive_policies,
List **withCheckOptions,
! bool *hasSubLinks,
! bool force_using)
{
ListCell *item;
List *permissive_quals = NIL;
#define QUAL_FOR_WCO(policy) \
! ( !force_using && \
(policy)->with_check_qual != NULL ? \
(policy)->with_check_qual : (policy)->qual )
signature.asc
Description: Digital signature
