Re: INSERT ... ON CONFLICT UPDATE and RLS

Dean,

* Dean Rasheed (dean.a.rasheed@gmail.com) wrote:
> Attached is a patch to make RLS checks run before attempting to
> insert/update any data rather than afterwards.

Excellent, many thanks!

> In the end I decided not to create a new structure for RLS checks
> because most of the code that handles them treats them the same as
> WCOs. Instead, I just added a new 'kind' enum field to the existing
> structure and renamed/reworded things a bit.

Makes sense to me.  I like being able to easily differentiate the two
from each other now while also not needing to duplicate a bunch of code.
I also like the reworded error messages.

I am wondering if we should, perhaps, rename ri_WithCheckOptions or
ExecWithCheckOptions() (or even more..) to indicate that they're used
for both view-based WITH CHECK options and for RLS.

We'll need to update this patch once the fixes for the WITH CHECK leaks
go in, of course.

> The patch also changes the error message for a RLS check violation, to
> make the cause of the error clearer. One thing I'm not sure about is
> what sqlstate code to use for this error, but I don't think that using
> WITH_CHECK_OPTION_VIOLATION is appropriate, because that seems to be
> specifically intended for views.

Hmm, agreed.  Any thoughts on what to use?  We could fall back on
something like ERRCODE_INSUFFICIENT_PRIVILEGE if necessary, I suppose.
Thanks!
    Stephen