Re: Docs and tests for RLS policies applied by command type

jian he <jian.universality@gmail.com>

From: jian he <jian.universality@gmail.com>
To: Viktor Holmberg <v@viktorh.net>
Cc: PostgreSQL Hackers <pgsql-hackers@postgresql.org>, Dean Rasheed <dean.a.rasheed@gmail.com>
Date: 2025-10-23T08:22:27Z
Lists: pgsql-hackers

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. doc: Improve description of RLS policies applied by command type.

  2. Add new RLS tests to test policies applied by command type.

Attachments

On Tue, Oct 21, 2025 at 12:01 AM Viktor Holmberg <v@viktorh.net> wrote:
>
> So patch 0001, attached, adds a new set of regression tests, near the
> start of rowsecurity.sql, which specifically tests which policies are
> applied for each command variant.
>
hi.
I only applied the 0001.

it would be better to add some comments to the regress tests, IMHO.
for example, for below:
+SELECT * FROM rls_test_src FOR UPDATE;
+SELECT * FROM rls_test_src FOR NO KEY UPDATE;
+SELECT * FROM rls_test_src FOR SHARE;
+SELECT * FROM rls_test_src FOR KEY SHARE;

we could add a comment such as:
"Expect both UPDATE and the SELECT command policies to be invoked for
these four below query".

seems missing tests for INSERT ... ON CONFLICT DO NOTHING
which only INSERT policy to be invoked.

The 0001 regess tests define several functions: sel_using_fn,
ins_check_fn, upd_using_fn,
upd_check_fn, and del_using_fn.
IMHO, these could be simplified (we probably only need two functions).

see the attached version for my attempt to reduce them.