Hi,
http://www.postgresql.org/docs/9.5/static/ddl-rowsecurity.html
I'm considering using row-level security, which is a new feature of
PostgreSQL 9.5. It's quite attractive for cloud software developers,
because it can prevent a disastrous bug that allows users to access other
users' data.

    CREATE POLICY organization_barrier ON some_table
        USING (current_user = organization_id);

This policy ensures that only users of that organization can access their
rows.
The question is how to set current_user with Sequel. I looked into the Sequel
code, and probably the code below will work well. What do you think about it?

    DB.synchronize {
      # DB[...] only builds a dataset; DB.run actually sends the statement.
      DB.run(DB["SET ROLE ?", organization_id].sql)
      begin
        # call actual business logic here
      ensure
        DB.run("SET ROLE admin")
      end
    }

The only drawback with this code is that it cannot use read replicas at all,
but I think there is currently no possible way to avoid that, right?
Cheers,
Shunichi
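
The policy and the SET ROLE switch described in the message above, worked through on the PostgreSQL side as an added example; it is not part of the original post. The table `invoices` and the roles `app_login`, `org_a` and `org_b` are constructed names, and the script assumes a superuser session in a scratch database.

```sql
-- Constructed names throughout: app_login, org_a, org_b, invoices.
CREATE ROLE app_login LOGIN NOINHERIT;  -- role the connection pool logs in as
CREATE ROLE org_a NOLOGIN;
CREATE ROLE org_b NOLOGIN;
GRANT org_a, org_b TO app_login;        -- membership is what permits SET ROLE

CREATE TABLE invoices (
    id              serial PRIMARY KEY,
    organization_id text    NOT NULL DEFAULT current_user,
    amount          numeric NOT NULL
);

-- Policies are ignored until row security is enabled on the table.
ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
-- Without FORCE, the table owner is not subject to the policy.
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;

-- No WITH CHECK clause, so USING also constrains rows written by INSERT/UPDATE.
CREATE POLICY organization_barrier ON invoices
    USING (current_user = organization_id);

GRANT SELECT, INSERT, UPDATE, DELETE ON invoices TO org_a, org_b;
GRANT USAGE ON SEQUENCE invoices_id_seq TO org_a, org_b;

-- Seed data. Superusers and BYPASSRLS roles bypass every policy, so the
-- application must never connect as one of them.
INSERT INTO invoices (organization_id, amount)
VALUES ('org_a', 10), ('org_b', 20);

SET ROLE org_a;
SELECT organization_id, amount FROM invoices;   -- returns only the org_a row
INSERT INTO invoices (amount) VALUES (5);       -- ok: organization_id defaults to org_a
INSERT INTO invoices (organization_id, amount) VALUES ('org_b', 99);
-- ERROR: new row violates row-level security policy for table "invoices"
RESET ROLE;

-- Fail-closed check: app_login is NOINHERIT and has no grants of its own,
-- so a code path that forgets SET ROLE gets an error, not every tenant's rows.
SET ROLE app_login;
SELECT count(*) FROM invoices;
-- ERROR: permission denied for table invoices (wording varies by version)
RESET ROLE;
```

Because any statement running in the session can issue RESET ROLE or another SET ROLE, this arrangement contains application query bugs; it does not isolate code that can execute arbitrary SQL on the connection.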