Re: Add SECURITY_INVOKER_VIEWS option to CREATE DATABASE

Laurenz Albe <laurenz.albe@cybertec.at>

From: Laurenz Albe <laurenz.albe@cybertec.at>
To: Steve Chavez <steve@supabase.io>
Cc: PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2026-01-29T06:25:10Z
Lists: pgsql-hackers
On Wed, 2026-01-28 at 15:43 -0500, Steve Chavez wrote:
> But that is a property of just regular views not necessarily security_barrier right? i.e. "to be able to hide certain columns".

Right, but without "security_barries = on" it may be that a sneaky attacker
can subvert the security.  With that setting, only LEAKPROOF functions and
operators are can be pushed into the view definition.

But we are getting off-topic.  My point is that your proposed database setting
would change the behavior of such a view so that it wouldn't work any more.

Yours,
Laurenz Albe