test.sql

application/octet-stream

Filename: test.sql
Type: application/octet-stream
Part: 0
Message: Re: [v9.3] Row-Level Security
-- Setup
DROP TABLE IF EXISTS foo, bar CASCADE;
DROP USER IF EXISTS foo;

CREATE TABLE foo(a int PRIMARY KEY);
INSERT INTO foo SELECT * FROM generate_series(-10, 10);

CREATE USER foo;
GRANT SELECT ON foo TO foo;

-- Self-referencing RLS qual - goes into infinite recursion in planner
ALTER TABLE foo SET ROW LEVEL SECURITY (a < (SELECT max(a) FROM foo));

SET SESSION AUTHORIZATION foo;
EXPLAIN SELECT * FROM foo;
SELECT * FROM foo;
RESET SESSION AUTHORIZATION;

-- Simple RLS qual to prevent user foo from seeing rows with a <= 0
ALTER TABLE foo SET ROW LEVEL SECURITY (a > 0);

SET SESSION AUTHORIZATION foo;
SELECT * FROM foo;
EXPLAIN SELECT * FROM foo WHERE a = 5;

-- User foo can bypass RLS qual with another RLS qual on own table
CREATE TABLE bar(a int);
INSERT INTO bar SELECT * FROM generate_series(-20, 20);
ALTER TABLE bar SET ROW LEVEL SECURITY (a IN (SELECT * FROM foo));
EXPLAIN SELECT * FROM bar;
ALTER TABLE bar SET ROW LEVEL SECURITY (EXISTS(SELECT 1 FROM foo
                                                WHERE foo.a = bar.a));
EXPLAIN SELECT * FROM bar;
SELECT * FROM bar;

-- RLS qual referencing a VIEW fails
CREATE VIEW foo_v AS SELECT * FROM foo;
ALTER TABLE bar SET ROW LEVEL SECURITY (a IN (SELECT * FROM foo_v));
EXPLAIN SELECT * FROM bar;
SELECT * FROM bar;