Re: Docs and tests for RLS policies applied by command type
jian he <jian.universality@gmail.com>
From: jian he <jian.universality@gmail.com>
To: Viktor Holmberg <v@viktorh.net>
Cc: PostgreSQL Hackers <pgsql-hackers@postgresql.org>,
Dean Rasheed <dean.a.rasheed@gmail.com>
Date: 2025-10-23T08:22:27Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
doc: Improve description of RLS policies applied by command type.
- 7aa83ea57845 14.21 landed
- c663152adcec 15.16 landed
- 8d43607cd422 16.12 landed
- d60dabfe2507 17.8 landed
- 749f4ce4d984 18.2 landed
- 7dc4fa91413d 19 (unreleased) landed
-
Add new RLS tests to test policies applied by command type.
- 2e84248d6497 19 (unreleased) landed
Attachments
- v2-0001-refactor-New-RLS-tests-to-test-policies-applied-by-command-typ.no-cfbot (application/octet-stream)
On Tue, Oct 21, 2025 at 12:01 AM Viktor Holmberg <v@viktorh.net> wrote: > > So patch 0001, attached, adds a new set of regression tests, near the > start of rowsecurity.sql, which specifically tests which policies are > applied for each command variant. > hi. I only applied the 0001. it would be better to add some comments to the regress tests, IMHO. for example, for below: +SELECT * FROM rls_test_src FOR UPDATE; +SELECT * FROM rls_test_src FOR NO KEY UPDATE; +SELECT * FROM rls_test_src FOR SHARE; +SELECT * FROM rls_test_src FOR KEY SHARE; we could add a comment such as: "Expect both UPDATE and the SELECT command policies to be invoked for these four below query". seems missing tests for INSERT ... ON CONFLICT DO NOTHING which only INSERT policy to be invoked. The 0001 regess tests define several functions: sel_using_fn, ins_check_fn, upd_using_fn, upd_check_fn, and del_using_fn. IMHO, these could be simplified (we probably only need two functions). see the attached version for my attempt to reduce them.