On Friday, November 6, 2015 at 2:58:52 AM UTC-8, Shunichi Arai wrote:
>
> Hi,
>
> http://www.postgresql.org/docs/9.5/static/ddl-rowsecurity.html
>
> I'm considering using row-level security, which is a new feature of 
> PostgreSQL 9.5. It's quite attractive for cloud software developers, 
> because it can prevent a disastrous bug that allows users to access other 
> users' data.
>
> CREATE POLICY organization_barrier ON some_table USING (current_user = 
> organization_id);
>
> This policy makes it so that only users of that organization can access their 
> rows.
>
> The point is how to set current_user with Sequel. I looked into the 
> Sequel code, and the code below will probably work. What do you think 
> about it?
>
> DB.synchronize {
>   # DB.run executes the statement; DB["..."] only builds a dataset.
>   DB.run(Sequel.lit("SET ROLE ?", organization_id))
>   
>   begin
>     # call actual business logics here
>   ensure
>     DB.run("SET ROLE admin")
>   end
> }
>
> The only drawback with this code is that it cannot use read replicas at all, 
> but I think currently there is no possible way to avoid that, right?
>

I haven't actually tried that approach, but it looks like it or something 
similar should work assuming admin has the permission to SET ROLE.  You'd 
probably want to use RESET ROLE in the ensure clause, though I'm not sure 
if that matters.

Thanks,
Jeremy
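The pattern discussed in this thread, as an added example that is not code from either poster: a helper that pins one pooled connection, switches to the organization's role so the row-level security policy applies, and resets the role even when the business logic raises (if the reset were skipped, the next checkout of that pooled connection would silently keep the role). It assumes the organization_id is used verbatim as the PostgreSQL role name, and `RecordingDB` is a constructed stand-in for `Sequel::Database` so it runs offline; with real Sequel you would pass `DB`.

```ruby
# Added example (not from the thread): run a block of Sequel work under a
# per-organization role so that PostgreSQL row-level security policies apply,
# and hand the pooled connection back with its role reset.
# Works with any object that responds to `synchronize` (yielding one checked-out
# connection) and `run` (executing a SQL string), as Sequel::Database does.

# Quote a role name as a SQL identifier (double quotes, embedded quotes doubled).
# Assumption: organization_id is used verbatim as the PostgreSQL role name.
def quote_role(name)
  name = name.to_s
  raise ArgumentError, 'empty role name' if name.empty?
  '"' + name.gsub('"', '""') + '"'
end

def with_organization_role(db, organization_id)
  # Pin a single connection: SET ROLE is per-session, so every statement in the
  # block must run on the same connection that issued it.
  db.synchronize do
    db.run("SET ROLE #{quote_role(organization_id)}")
    begin
      yield
    ensure
      # Always undo the role change, even if the block raised; otherwise the
      # next checkout of this pooled connection would inherit the role.
      db.run('RESET ROLE')
    end
  end
end

# Constructed stand-in for Sequel::Database that records the SQL it receives.
class RecordingDB
  attr_reader :statements
  def initialize; @statements = []; end
  def synchronize; yield :conn; end
  def run(sql); @statements << sql; nil; end
end

# Returns the statements issued for one call; optionally raises inside the block.
def demo_statements(fail_inside: false)
  db = RecordingDB.new
  begin
    with_organization_role(db, 'org_42') do
      db.run('SELECT * FROM some_table')
      raise 'business logic failed' if fail_inside
    end
  rescue RuntimeError
    # propagated from the block; the role was still reset before we got here
  end
  db.statements
end
```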
