Hi Jeremy,

Thanks! I will try it out after PostgreSQL 9.5 is released, and let you know how it works.

Cheers,
Shunichi

On Sat, Nov 7, 2015 at 2:07 AM, Jeremy Evans <[email protected]> wrote:
> On Friday, November 6, 2015 at 2:58:52 AM UTC-8, Shunichi Arai wrote:
>>
>> Hi,
>>
>> http://www.postgresql.org/docs/9.5/static/ddl-rowsecurity.html
>>
>> I'm considering using row-level security, which is a new feature of
>> PostgreSQL 9.5. It's quite attractive for cloud software developers,
>> because it can prevent a disastrous bug which allows users to access other
>> users' data.
>>
>> CREATE POLICY organization_barrier ON some_table USING (current_user =
>> organization_id);
>>
>> This policy ensures that only users of that organization can access
>> their rows.
>>
>> The point is how to set current_user with Sequel. I looked into the
>> Sequel code, and probably the code below may work well. What do you think
>> about it?
>>
>> DB.synchronize {
>>   # Database#[] only builds a lazy dataset; DB.run actually executes the SQL
>>   DB.run("SET ROLE #{DB.literal(organization_id.to_s)}")
>>
>>   begin
>>     # call actual business logic here
>>   ensure
>>     DB.run("SET ROLE admin")
>>   end
>> }
>>
>> The only drawback with this code is that it cannot use read replicas at all,
>> but I think currently there is no possible way to avoid that, right?
>>
>
> I haven't actually tried that approach, but it looks like it or something
> similar should work assuming admin has the permission to SET ROLE. You'd
> probably want to use RESET ROLE in the ensure clause, though I'm not sure
> if that matters.
>
> Thanks,
> Jeremy
>
> --
> You received this message because you are subscribed to the Google Groups
> "sequel-talk" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/sequel-talk.
> For more options, visit https://groups.google.com/d/optout.
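
An added example, not part of the original thread or of Sequel itself: the SET ROLE wrapper discussed above as a reusable helper that uses RESET ROLE in the ensure clause, as the reply suggests. `with_role`, `ROLE_NAME`, `RecordingDB` and `demo` are hypothetical names, the lowercase role-name pattern is an assumption, and `RecordingDB` is a constructed stand-in for a `Sequel::Database` so the block runs without a PostgreSQL server.

```ruby
# Added example: scoped role switch for PostgreSQL row-level security.
# `db` is assumed to respond to synchronize, run and literal, as Sequel::Database does.
ROLE_NAME = /\A[a-z_][a-z0-9_]{0,62}\z/ # assumed naming rule for organization roles

def with_role(db, role)
  role = role.to_s
  raise ArgumentError, "invalid role name: #{role.inspect}" unless ROLE_NAME.match?(role)

  # synchronize pins one pooled connection, so SET ROLE, the block's
  # queries and RESET ROLE all run in the same session.
  db.synchronize do
    db.run("SET ROLE #{db.literal(role)}")
    begin
      yield
    ensure
      # Runs even if the block raised, so the pooled connection is never
      # handed back while still holding a tenant's role.
      db.run("RESET ROLE")
    end
  end
end

# Constructed stand-in that only records the SQL it is given.
class RecordingDB
  attr_reader :log
  def initialize; @log = []; end
  def synchronize; yield; end
  def run(sql); @log << sql; nil; end
  def literal(str); "'#{str.gsub("'", "''")}'"; end
end

# Exercises the normal path and the exception path; returns the recorded SQL.
def demo
  db = RecordingDB.new
  with_role(db, "org_42") { db.run("SELECT * FROM some_table") }
  begin
    with_role(db, "org_42") { raise "boom" }
  rescue RuntimeError
    # expected: the role must still have been reset
  end
  db.log
end
```

Any statement running in the session can itself issue RESET ROLE, so this pattern guards against query-scoping bugs in application code rather than against SQL injection.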
