@@ -350,9 +350,18 @@ CREATE [ OR REPLACE ] FUNCTION
350350 effects. It reveals no information about its arguments other than by
351351 its return value. For example, a function which throws an error message
352352 for some argument values but not others, or which includes the argument
353- values in any error message, is not leakproof. The query planner may
354- push leakproof functions (but not others) into views created with the
355- <literal>security_barrier</literal> option. See
353+ values in any error message, is not leakproof. This affects how the
354+ system executes queries against views created with the
355+ <literal>security_barrier</literal> option or tables with row level
356+ security enabled. The system will enforce conditions from security
357+ policies and security barrier views before any user-supplied conditions
358+ from the query itself that contain non-leakproof functions, in order to
359+ prevent the inadvertent exposure of data. Functions and operators
360+ marked as leakproof are assumed to be trustworthy, and may be executed
361+ before conditions from security policies and security barrier views.
362+ In addtion, functions which do not take arguments or which are not
363+ passed any arguments from the security barrier view or table do not have
364+ to be marked as leakproof to be executed before security conditions. See
356365 <xref linkend="sql-createview"> and <xref linkend="rules-privileges">.
357366 This option can only be set by the superuser.
358367 </para>