<entry><type>boolean</type></entry>

<entry>does current user have privilege for role</entry>

</row>

<row>

<entry><literal><function>row_security_active</function>(<parameter>table</parameter>)</literal>

</entry>

<entry><type>boolean</type></entry>

<entry>does current user have row level security active for table</entry>

</row>

</tbody>

</tgroup>

</table>

<indexterm>

<primary>pg_has_role</primary>

</indexterm>

<indexterm>

<primary>row_security_active</primary>

</indexterm>

<para>

<function>has_table_privilege</function> checks whether a user

are immediately available without doing <command>SET ROLE</>.

</para>

<para>

<function>row_security_active</function> checks whether row level

security is active for the specified table in the context of the

<function>current_user</function> and environment. The table can

be specified by name or by OID.

</para>

<para>

<xref linkend="functions-info-schema-table"> shows functions that

determine whether a certain object is <firstterm>visible</> in the

Assert(indexrelid==idxrec->indexrelid);

if (check_enable_rls(indrelid,GetUserId(), true)==RLS_ENABLED)

if (check_enable_rls(indrelid,InvalidOid, true)==RLS_ENABLED)

{

ReleaseSysCache(ht_idx);

returnNULL;

LEFT JOIN pg_tablespace TON (T.oid=I.reltablespace)

WHEREC.relkindIN ('r','m')ANDI.relkind='i';

nspnameAS schemaname,

relnameAS tablename,

FROM pg_statistic sJOIN pg_class cON (c.oid=s.starelid)

JOIN pg_attribute aON (c.oid= attrelidAND attnum=s.staattnum)

LEFT JOIN pg_namespace nON (n.oid=c.relnamespace)

WHERE NOT attisdroppedAND has_column_privilege(c.oid,a.attnum,'select');

WHERE NOT attisdropped

AND has_column_privilege(c.oid,a.attnum,'select')

AND (c.relrowsecurity= falseOR NOT row_security_active(c.oid));

REVOKE ALLon pg_statisticFROM public;

if (check_enable_rls(reloid,GetUserId(), true)==RLS_ENABLED)

if (check_enable_rls(reloid,InvalidOid, true)==RLS_ENABLED)

returnNULL;

initStringInfo(&buf);

Relationrel;

Oiduser_id;

intsec_context;

intrls_status;

booldefaultDeny= false;

*hasRowSecurity= false;

*hasSubLinks= false;

GetUserIdAndSecContext(&user_id,&sec_context);

if (rte->relkind!=RELKIND_RELATION)

return;

user_id=rte->checkAsUser ?rte->checkAsUser :GetUserId();

if (rte->relid<FirstNormalObjectId

|| (sec_context&SECURITY_ROW_LEVEL_DISABLED))

return;

rls_status=check_enable_rls(rte->relid,rte->checkAsUser, false);

if (check_enable_rls(rel_oid,GetUserId(), true)!=RLS_ENABLED)

if (check_enable_rls(rel_oid,InvalidOid, true)!=RLS_ENABLED)

{

aclresult=pg_class_aclcheck(rel_oid,GetUserId(),ACL_SELECT);

if (aclresult!=ACLCHECK_OK)

}

}

}

has_perm= false;

if (has_perm)

{

CachedPlanSource*plansource;

MemoryContextsource_context;

MemoryContextoldcxt;

Oiduser_id;

intsecurity_context;

Assert(query_string!=NULL);/* required as of 8.4 */

oldcxt=MemoryContextSwitchTo(source_context);

GetUserIdAndSecContext(&user_id,&security_context);

plansource= (CachedPlanSource*)palloc0(sizeof(CachedPlanSource));

plansource->magic=CACHEDPLANSOURCE_MAGIC;

plansource->raw_parse_tree=copyObject(raw_parse_tree);

plansource->total_custom_cost=0;

plansource->num_custom_plans=0;

plansource->hasRowSecurity= false;

= (security_context&SECURITY_ROW_LEVEL_DISABLED)!=0;

plansource->rowSecurityDisabled=InRowLevelSecurityDisabled();

plansource->row_security_env=row_security;

plansource->planUserId=InvalidOid;

return (SecurityRestrictionContext&SECURITY_RESTRICTED_OPERATION)!=0;

}

InRowLevelSecurityDisabled(void)

{

return (SecurityRestrictionContext&SECURITY_ROW_LEVEL_DISABLED)!=0;

}

boolrelrowsecurity;

Oiduser_id=checkAsUser ?checkAsUser :GetUserId();

if (relid<FirstNormalObjectId)

returnRLS_NONE;

if (InRowLevelSecurityDisabled())

returnRLS_NONE;

tuple=SearchSysCache1(RELOID,ObjectIdGetDatum(relid));

if (!HeapTupleIsValid(tuple))

returnRLS_NONE;

returnRLS_ENABLED;

}

row_security_active(PG_FUNCTION_ARGS)

{

Oidtableoid=PG_GETARG_OID(0);

intrls_status;

rls_status=check_enable_rls(tableoid,InvalidOid, true);

PG_RETURN_BOOL(rls_status==RLS_ENABLED);

}

row_security_active_name(PG_FUNCTION_ARGS)

{

text*tablename=PG_GETARG_TEXT_P(0);

RangeVar*tablerel;

Oidtableoid;

intrls_status;

tablerel=makeRangeVarFromNameList(textToQualifiedNameList(tablename));

tableoid=RangeVarGetRelid(tablerel,NoLock, false);

rls_status=check_enable_rls(tableoid,InvalidOid, true);

PG_RETURN_BOOL(rls_status==RLS_ENABLED);

}

#define PROVOLATILE_STABLE's'/* does not change within a scan */

#define PROVOLATILE_VOLATILE'v'/* can change even within a scan */

/* rls */

DATA(insert OID = 3298 ( row_security_active PGNSP PGUID 12 1 0 0 0 f f f f t f s 1 0 16 "26" _null_ _null_ _null_ _null_ _null_row_security_active _null_ _null_ _null_ ));

DESCR("row security for current context active on table by table oid");

DATA(insert OID = 3299 ( row_security_active PGNSP PGUID 12 1 0 0 0 f f f f t f s 1 0 16 "25" _null_ _null_ _null_ _null_ _null_row_security_active_name _null_ _null_ _null_ ));

DESCR("row security for current context active on table by table name");

/*

* Symbolic values for proargmodes column. Note that these must agree with

* the FunctionParameterMode enum in parsenodes.h; we declare them here to

externvoidSetUserIdAndSecContext(Oiduserid,intsec_context);

externboolInLocalUserIdChange(void);

externboolInSecurityRestrictedOperation(void);

externboolInRowLevelSecurityDisabled(void);

externvoidGetUserIdAndContext(Oid*userid,bool*sec_def_context);

externvoidSetUserIdAndContext(Oiduserid,boolsec_def_context);

externvoidInitializeSessionUserId(constchar*rolename,Oiduseroid);

externDatumshow_all_settings(PG_FUNCTION_ARGS);

externDatumshow_all_file_settings(PG_FUNCTION_ARGS);

externDatumrow_security_active(PG_FUNCTION_ARGS);

externDatumrow_security_active_name(PG_FUNCTION_ARGS);

externDatumpg_lock_status(PG_FUNCTION_ARGS);

externDatumpg_advisory_lock_int8(PG_FUNCTION_ARGS);

DELETE FROM category WHERE cid = 33; -- fails with FK violation

ERROR: update or delete on table "category" violates foreign key constraint "document_cid_fkey" on table "document"

DETAIL: Key(cid)=(33)is still referenced from table "document".

DETAIL: Key is still referenced from table "document".

-- can insert FK referencing invisible PK

SET SESSION AUTHORIZATION rls_regress_user2;

SELECT * FROM document d FULL OUTER JOIN category c on d.cid = c.cid;

(1 row)

COMMIT;

--

-- check pg_stats view filtering

--

SET row_security TO ON;

SET SESSION AUTHORIZATION rls_regress_user0;

ANALYZE current_check;

-- Stats visible

SELECT row_security_active('current_check');

row_security_active

---------------------

f

(1 row)

SELECT most_common_vals FROM pg_stats where tablename = 'current_check';

most_common_vals

---------------------

{rls_regress_user1}

(3 rows)

SET SESSION AUTHORIZATION rls_regress_user1;

-- Stats not visible

SELECT row_security_active('current_check');

row_security_active

---------------------

t

(1 row)

SELECT most_common_vals FROM pg_stats where tablename = 'current_check';

most_common_vals

------------------

(0 rows)

--

-- Collation support

--

BEGIN;

SET row_security= force;

SET row_securityTO FORCE;

CREATE TABLE coll_t (c) AS VALUES ('bar'::text);

CREATE POLICY coll_p ON coll_t USING (c < ('foo'::text COLLATE "C"));

ALTER TABLE coll_t ENABLE ROW LEVEL SECURITY;

JOIN pg_class c ON ((c.oid = s.starelid)))

JOIN pg_attribute a ON (((c.oid = a.attrelid) AND (a.attnum = s.staattnum))))

LEFT JOIN pg_namespace n ON ((n.oid = c.relnamespace)))

WHERE ((NOT a.attisdropped) AND has_column_privilege(c.oid, a.attnum, 'select'::text));

WHERE ((NOT a.attisdropped) AND has_column_privilege(c.oid, a.attnum, 'select'::text) AND ((c.relrowsecurity = false) OR (NOT row_security_active(c.oid))));

pg_tables| SELECT n.nspname AS schemaname,

c.relname AS tablename,

pg_get_userbyid(c.relowner) AS tableowner,