Sorry for the late reply, but I was on vacation (my 2. daughter was born).
After looking at the rule rewriter some more, I realized that the only
way to push all permissions checks to execution time is not
only to keep
skipAcl, but to generalize it. The problem is with checks on the view
What I'm thinking about doing is eliminating the "skipAcl" RTE field
and instead adding an Oid field named something like "checkAclAs".
The semantics of this field would be "if zero, check access
permissions
for this table using the current effective userID; but if not zero,
check access