Re: Insert..returning (was Re: Re: postgres TODO)

Philip Warner <pjw@rhyme.com.au>

From: Philip Warner <pjw@rhyme.com.au>
To: darcy@druid.net (D'Arcy J.M. Cain)
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Michael J Schout <mschout@gkg.net>, Alessio Bragadini <alessio@albourne.com>, PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2000-07-12T11:27:14Z
Lists: pgsql-hackers
At 05:14 12/07/00 -0400, D'Arcy J.M. Cain wrote:
>Thus spake Philip Warner
>> >  Not to mention the juicy topics of access permissions and
>> >possible errors.
>> 
>> Can't one fall back here on the 'insert followed by select' analogy? Or is
>> there a specific example that you have in mind?
>
>I think the thing he has in mind is the situation where one has insert
>perms but not select.  The decision is whether to have the insert fail
>if the select fails.  Or, do you allow the (virtual) select in this
>case since it is your own inserted row you are trying to read?

I would be inclined to follow the perms; is there a problem with that? You
should not let them read the row they inserted since it *may* contain
sensitive (automatically generated) data - the DBA must have had a reason
for preventing SELECT.

The next question is whether they should be allowed to do the insert, and
again I would be inclined to say 'no'. Can we check perms easily at the start?


----------------------------------------------------------------
Philip Warner                    |     __---_____
Albatross Consulting Pty. Ltd.   |----/       -  \
(A.C.N. 008 659 498)             |          /(@)   ______---_
Tel: (+61) 0500 83 82 81         |                 _________  \
Fax: (+61) 0500 83 82 82         |                 ___________ |
Http://www.rhyme.com.au          |                /           \|
                                 |    --________--
PGP key available upon request,  |  /
and from pgp5.ai.mit.edu:11371   |/