Thread

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. Make geometry cast functions error safe

  1. [PATCH] Report column-level error when lacking privilege

    Steve Chavez <steve@supabase.io> — 2026-03-30T01:07:31Z

    Hello hackers,
    
    When a role `xx` has `grant select (name) on items to xx;`, a generic
    table-level error is given:
    
    select * from items;
    ERROR:  permission denied for table items
    
    With this patch, we now give:
    
    select * from items;
    ERROR:  permission denied for column "id" of relation "items"
    
    This only when the user has column-level privileges, if it doesn't have any
    the same regular table-level error is given. This makes the most sense and
    also keeps current tests mostly the same.
    
    * It also works for UPDATE and INSERT.
    * Clears the TODO mentioned on lines
    https://github.com/postgres/postgres/blob/45cdaf3665bedfbabb908bb84284f3db26781ad3/src/backend/executor/execMain.c#L691-L693
    * This patch is on top of the patch mentioned on
    https://www.postgresql.org/message-id/CAGRrpzYP%2B3zEk__KZu-a5uWySfwgRFk6eoPXKrA5AdtBTXR%3Dng%40mail.gmail.com,
    which refactors the code to make it simpler to review.
    
    Best regards,
    Steve
    
  2. Re: [PATCH] Report column-level error when lacking privilege

    David G. Johnston <david.g.johnston@gmail.com> — 2026-03-30T03:34:56Z

    On Sun, Mar 29, 2026 at 6:07 PM Steve Chavez <steve@supabase.io> wrote:
    
    > When a role `xx` has `grant select (name) on items to xx;`, a generic
    > table-level error is given:
    >
    > select * from items;
    > ERROR:  permission denied for table items
    >
    > With this patch, we now give:
    >
    > select * from items;
    > ERROR:  permission denied for column "id" of relation "items"
    >
    >
    Not too fond of picking one column as a representative for the error
    message.  Better to say something like:
    
    ERROR:  permission denied for column subset of table items
    
    Haven't looked but it should be doable to run a query for a given relation
    and role and report for each column whether a grant is available or not;
    which would be the one-stop shop for figuring out which columns at least
    don't have permissions granted.  The user would still have to know which
    ones their query is actually using.
    
    David J.
    
  3. Re: [PATCH] Report column-level error when lacking privilege

    Ashutosh Bapat <ashutosh.bapat.oss@gmail.com> — 2026-03-30T15:21:40Z

    Hi Steve,
    
    
    On Mon, Mar 30, 2026 at 6:37 AM Steve Chavez <steve@supabase.io> wrote:
    >
    > Hello hackers,
    >
    > When a role `xx` has `grant select (name) on items to xx;`, a generic table-level error is given:
    >
    > select * from items;
    > ERROR:  permission denied for table items
    >
    > With this patch, we now give:
    >
    > select * from items;
    > ERROR:  permission denied for column "id" of relation "items"
    >
    > This only when the user has column-level privileges, if it doesn't have any the same regular table-level error is given. This makes the most sense and also keeps current tests mostly the same.
    >
    > * It also works for UPDATE and INSERT.
    > * Clears the TODO mentioned on lines
    > https://github.com/postgres/postgres/blob/45cdaf3665bedfbabb908bb84284f3db26781ad3/src/backend/executor/execMain.c#L691-L693
    > * This patch is on top of the patch mentioned on https://www.postgresql.org/message-id/CAGRrpzYP%2B3zEk__KZu-a5uWySfwgRFk6eoPXKrA5AdtBTXR%3Dng%40mail.gmail.com, which refactors the code to make it simpler to review.
    
    I had started on this some time ago [1], but couldn't finish it for
    the want of time. There are some suggestions from Nathan and Tom which
    may be applicable to you approach as well. I am fine if you would like
    to use my patches if those help.
    
    [1] https://www.postgresql.org/message-id/CAExHW5swFANiB9JmqRoGg_Rkr+M=qh+ci_zfOtQXFT+A=+jB-A@mail.gmail.com
    
    -- 
    Best Wishes,
    Ashutosh Bapat