Re: Docs and tests for RLS policies applied by command type

Dean Rasheed <dean.a.rasheed@gmail.com>

From: Dean Rasheed <dean.a.rasheed@gmail.com>
To: jian he <jian.universality@gmail.com>
Cc: Viktor Holmberg <v@viktorh.net>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2025-10-23T15:14:56Z
Lists: pgsql-hackers

Attachments

On Thu, 23 Oct 2025 at 09:23, jian he <jian.universality@gmail.com> wrote:
>
> On Tue, Oct 21, 2025 at 12:01 AM Viktor Holmberg <v@viktorh.net> wrote:
> >
> > So patch 0001, attached, adds a new set of regression tests, near the
> > start of rowsecurity.sql, which specifically tests which policies are
> > applied for each command variant.
> >
> hi.
> I only applied the 0001.
>
> it would be better to add some comments to the regress tests, IMHO.
> for example, for below:
> +SELECT * FROM rls_test_src FOR UPDATE;
> +SELECT * FROM rls_test_src FOR NO KEY UPDATE;
> +SELECT * FROM rls_test_src FOR SHARE;
> +SELECT * FROM rls_test_src FOR KEY SHARE;
>
> we could add a comment such as:
> "Expect both UPDATE and the SELECT command policies to be invoked for
> these four below query".

Thank you both for the reviews.

Attached is a new version with more comments in the tests, focusing on
what is expected from each test.

> The 0001 regess tests define several functions: sel_using_fn,
> ins_check_fn, upd_using_fn,
> upd_check_fn, and del_using_fn.
> IMHO, these could be simplified (we probably only need two functions).

Good point. Actually it can be done with just one function, further
reducing the amount of test code.

A recent commit reminded me that COPY ... TO also applies RLS SELECT
policies (and so does TABLE, though I doubt many people use that), so
I think it's worth testing and documenting those too. Updated patches
attached.

Regards,
Dean