Joe Conway <[EMAIL PROTECTED]> writes:
> Why wouldn't we force checkAsUser to the rule owner in the copied RTEs,
> similar to the rest of the rule query?

Because it would be the wrong check. We need to check that the rule caller has permissions on the view for whatever he originally tried to do (i.e., the type of the original query that referenced the view). In the non-INSTEAD case, this check will be redundant with a check applied when the original query is executed ... but in the INSTEAD case, it isn't redundant.

> It makes sense in that the rule
> query could possibly use the RTE (although as you pointed out it doesn't
> in this case), and therefore the permission check should be the same, no?

No; it's possible for the amalgamated query to include references to tables that are referenced only in the original query and nowhere in the text of the rule. (This is obviously possible right now, since we just take the union of the two rtables and don't make any effort to discard unreferenced RTEs ... but I think it could happen even if we did discard unreferenced RTEs, because conditions from the original query get pushed into the rule and might reference tables that the rule text doesn't mention.) Checking such tables for rule-owner access would be wrong; they have to be checked for access by the rule caller.

regards, tom lane
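The split between caller checks and rule-owner checks discussed in this message, as an added SQL example that is not part of the original e-mail. The schema, roles, table, view and rule names are all hypothetical, and the outcomes in the comments follow PostgreSQL's documented rule-permission behaviour (the caller is checked on the view for the command issued, the rule owner on relations the rule text references).

```sql
-- Constructed example; every object and role name here is hypothetical.
-- Run as a superuser in a scratch database.
CREATE ROLE rule_owner;
CREATE ROLE rule_caller;
CREATE SCHEMA demo AUTHORIZATION rule_owner;
GRANT USAGE ON SCHEMA demo TO rule_caller;

SET ROLE rule_owner;
CREATE TABLE demo.base (id int, note text);
CREATE VIEW demo.v AS SELECT id, note FROM demo.base;

-- INSTEAD rules: the caller's original statement against demo.v is
-- never executed, so its permission check must survive the rewrite.
CREATE RULE v_ins AS ON INSERT TO demo.v
    DO INSTEAD INSERT INTO demo.base VALUES (NEW.id, NEW.note);
CREATE RULE v_del AS ON DELETE TO demo.v
    DO INSTEAD DELETE FROM demo.base WHERE id = OLD.id;

-- The caller gets INSERT on the view only: no DELETE on the view,
-- and no privileges at all on demo.base.
GRANT INSERT ON demo.v TO rule_caller;
RESET ROLE;

SET ROLE rule_caller;

-- Succeeds: caller holds INSERT on demo.v (checked as the caller);
-- the write to demo.base inside the rule is checked as rule_owner.
INSERT INTO demo.v VALUES (1, 'via view');

-- Fails with a permission error on demo.v: the original command type
-- was DELETE, and the caller lacks DELETE on the view, even though
-- rule_owner could perform the rewritten DELETE on demo.base.
DELETE FROM demo.v WHERE id = 1;

-- Fails with a permission error on demo.base: outside the rule there
-- is no rule-owner context, so the caller's own privileges apply.
INSERT INTO demo.base VALUES (2, 'direct');

RESET ROLE;

-- Cleanup
DROP SCHEMA demo CASCADE;
DROP ROLE rule_caller;
DROP ROLE rule_owner;
```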