NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit2ca9d54

committed

Apply SELECT policies in INSERT/UPDATE+RETURNING

Similar to7d8db3e, given that INSERT+RETURNING requires SELECT rightson the table, apply the SELECT policies as WCOs to the tuples beinginserted. Apply the same logic to UPDATE+RETURNING.Back-patch to 9.5 where RLS was added.

1 parent4158cc3 commit2ca9d54Copy full SHA for 2ca9d54

File tree

1 file changed

+29

-3

lines changed

src/backend/rewrite
- rowsecurity.c

1 file changed

+29

-3

lines changed

`‎src/backend/rewrite/rowsecurity.c`

Lines changed: 29 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -271,6 +271,30 @@ get_row_security_policies(Query root, RangeTblEntry rte, int rt_index,`
`271`	`271`	`withCheckOptions,`
`272`	`272`	`hasSubLinks);`
`273`	`273`
	`274`	`+/*`
	`275`	`+ * Get and add ALL/SELECT policies, if SELECT rights are required`
	`276`	`+ * for this relation (eg: when RETURNING is used). These are added as`
	`277`	`+ * WCO policies rather than security quals to ensure that an error is`
	`278`	`+ * raised if a policy is violated; otherwise, we might end up silently`
	`279`	`+ * dropping rows to be added.`
	`280`	`+ */`
	`281`	`+if (rte->requiredPerms&ACL_SELECT)`
	`282`	`+{`
	`283`	`+List*select_permissive_policies=NIL;`
	`284`	`+List*select_restrictive_policies=NIL;`
	`285`	`+`
	`286`	`+get_policies_for_relation(rel,CMD_SELECT,user_id,`
	`287`	`+&select_permissive_policies,`
	`288`	`+&select_restrictive_policies);`
	`289`	`+add_with_check_options(rel,rt_index,`
	`290`	`+commandType==CMD_INSERT ?`
	`291`	`+WCO_RLS_INSERT_CHECK :WCO_RLS_UPDATE_CHECK,`
	`292`	`+select_permissive_policies,`
	`293`	`+select_restrictive_policies,`
	`294`	`+withCheckOptions,`
	`295`	`+hasSubLinks);`
	`296`	`+}`
	`297`	`+`
`274`	`298`	`/*`
`275`	`299`	`* For INSERT ... ON CONFLICT DO UPDATE we need additional policy`
`276`	`300`	`* checks for the UPDATE which may be applied to the same RTE.`
`@@ -300,9 +324,11 @@ get_row_security_policies(Query root, RangeTblEntry rte, int rt_index,`
`300`	`324`	`hasSubLinks);`
`301`	`325`
`302`	`326`	`/*`
`303`		`- * Get and add ALL/SELECT policies, if SELECT rights are required`
`304`		`- * for this relation, also as WCO policies, again, to avoid`
`305`		`- * silently dropping data. See above.`
	`327`	`+ * Get and add ALL/SELECT policies, as WCO_RLS_CONFLICT_CHECK`
	`328`	`+ * WCOs to ensure they are considered when taking the UPDATE`
	`329`	`+ * path of an INSERT .. ON CONFLICT DO UPDATE, if SELECT`
	`330`	`+ * rights are required for this relation, also as WCO policies,`
	`331`	`+ * again, to avoid silently dropping data. See above.`
`306`	`332`	`*/`
`307`	`333`	`if (rte->requiredPerms&ACL_SELECT)`
`308`	`334`	`{`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit2ca9d54

File tree

1 file changed

1 file changed

`‎src/backend/rewrite/rowsecurity.c`

0 commit comments