Re: [v9.3] Row-Level Security

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Alvaro Herrera <alvherre@2ndquadrant.com>, Kohei KaiGai <kaigai@kaigai.gr.jp>, Dean Rasheed <dean.a.rasheed@gmail.com>, Florian Pflug <fgp@phlo.org>, PgHacker <pgsql-hackers@postgresql.org>
Date: 2012-10-22T16:17:33Z
Lists: pgsql-hackers
Robert Haas <robertmhaas@gmail.com> writes:
> The documentation lists several documented limitations that I would
> like to analyze a little bit.  First, it says that row-level security
> policies are not applied on UPDATE or DELETE.  That sounds downright
> dangerous to me.  Is there some really compelling reason we're not
> doing it?

[ blink... ]  Isn't that a security hole big enough for a Mack truck?

	UPDATE tab SET foo = foo RETURNING *;

sucks out all the data just fine, if RLS doesn't apply to it.

Having said that, I fear that sensible row-level security for updates is
at least one order of magnitude harder than sensible row-level security
for selects.  We've speculated about how to define that in the past,
IIRC, but without any very satisfactory outcome.

			regards, tom lane