Re: SE-PostgreSQL and row level security

Robert Haas <robertmhaas@gmail.com> writes:
> 2. Foreign-key constraints.
> (A) If you have update or delete privileges on a table that is
> referenced by foreign keys, you might be able to infer the existence
> of a hidden, referring row because your update or delete fails.

Also the other direction (insert or update on the referencing table
lets you infer contents of the referenced table).

> Is there anything else?

If we ever had SQL-spec ASSERTIONS, they'd create hard-to-analyze
issues of this sort.  I've also seen people abuse CHECK constraints
in ways that expose data cross-row (they shouldn't do so, but...)

> Also, don't problems 2(A) and 2(B) already exist with just table-level
> DAC?  What happens today if you give permission on the referring table
> but not the referred-to table, or the other way around?

I'm repeating myself, but: the reason it isn't a problem now is that
plain SQL doesn't claim to be able to hide the existence of data.
        regards, tom lane