Commit 9f508a9

Doc: fix oversimplified example for CREATE POLICY.

As written, this policy constrained only the post-image not the pre-image of rows, meaning that users could delete other users' rows or take ownership of such rows, contrary to what the docs claimed would happen. We need two separate policies to achieve the documented effect.

While at it, try to explain what's happening a bit more fully.

Per report from Олег Самойлов. Back-patch to 9.5 where this was added. Thanks to Stephen Frost for off-list discussion.

Discussion: https://postgr.es/m/3298321532002010@sas1-2b3c3045b736.qloud-c.yandex.net

1 parent 9abc656 commit 9f508a9

1 file changed: +33 -9 lines changed

doc/src/sgml/ddl.sgml

Lines changed: 33 additions & 9 deletions
@@ -1620,33 +1620,57 @@ CREATE POLICY account_managers ON accounts TO managers
16201620
USING (manager = current_user);
16211621
</programlisting>
16221622

1623+
<para>
1624+
The policy above implicitly provides a <literal>WITH CHECK</literal>
1625+
clause identical to its <literal>USING</literal> clause, so that the
1626+
constraint applies both to rows selected by a command (so a manager
1627+
cannot <command>SELECT</command>, <command>UPDATE</command>,
1628+
or <command>DELETE</command> existing rows belonging to a different
1629+
manager) and to rows modified by a command (so rows belonging to a
1630+
different manager cannot be created via <command>INSERT</command>
1631+
or <command>UPDATE</command>).
1632+
</para>
1633+
16231634
<para>
16241635
If no role is specified, or the special user name
16251636
<literal>PUBLIC</literal> is used, then the policy applies to all
1626-
users on the system. To allow all users to access their own row in
1627-
a <literal>users</> table, a simple policy can be used:
1637+
users on the system. To allow all users to accessonlytheir own row in
1638+
a <literal>users</literal> table, a simple policy can be used:
16281639
</para>
16291640

16301641
<programlisting>
16311642
CREATE POLICY user_policy ON users
16321643
USING (user_name = current_user);
16331644
</programlisting>
16341645

1646+
<para>
1647+
This works similarly to the previous example.
1648+
</para>
1649+
16351650
<para>
16361651
To use a different policy for rows that are being added to the table
1637-
compared to those rows that are visible,the <literal>WITH CHECK</>
1638-
clause can be used. Thispolicy would allow all users to view all rows
1639-
in the <literal>users</> table, but only modify their own:
1652+
compared to those rows that are visible,multiple policies can be
1653+
combined. Thispair of policies would allow all users to view all rows
1654+
in the <literal>users</literal> table, but only modify their own:
16401655
</para>
16411656

16421657
<programlisting>
1643-
CREATE POLICY user_policy ON users
1644-
USING (true)
1645-
WITH CHECK (user_name = current_user);
1658+
CREATE POLICY user_sel_policy ON users
1659+
FOR SELECT
1660+
USING (true);
1661+
CREATE POLICY user_mod_policy ON users
1662+
USING (user_name = current_user);
16461663
</programlisting>
16471664

16481665
<para>
1649-
Row security can also be disabled with the <command>ALTER TABLE</>
1666+
In a <command>SELECT</command> command, these two policies are combined
1667+
using <literal>OR</literal>, with the net effect being that all rows
1668+
can be selected. In other command types, only the second policy applies,
1669+
so that the effects are the same as before.
1670+
</para>
1671+
1672+
<para>
1673+
Row security can also be disabled with the <command>ALTER TABLE</command>
16501674
command. Disabling row security does not remove any policies that are
16511675
defined on the table; they are simply ignored. Then all rows in the
16521676
table are visible and modifiable, subject to the standard SQL privileges
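
Review bot: The closing paragraph added after the user_sel_policy/user_mod_policy listing says that for other command types "the effects are the same as before", and the paragraph added after user_policy says only "This works similarly to the previous example"; neither states the property the example depends on, which is that a policy with no FOR clause and no WITH CHECK clause applies to all commands and reuses its USING expression as the check. Suggest saying that directly for user_mod_policy, for instance that its USING (user_name = current_user) restricts both which existing rows an UPDATE or DELETE can touch and what the resulting rows may contain. It would also help to say why the removed single-policy form, USING (true) WITH CHECK (user_name = current_user), is not equivalent: per the commit message it constrains only the post-image of rows, so readers who copied the earlier example can recognise that their policy needs replacing.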
