Re: view permissions problem - featuer or bug?
| От | Tom Lane |
|---|---|
| Тема | Re: view permissions problem - featuer or bug? |
| Дата | |
| Msg-id | 25972.963102858@sss.pgh.pa.us обсуждение исходный текст |
| Ответ на | Re: view permissions problem - featuer or bug? (Travis Bauer <trbauer@indiana.edu>) |
| Список | pgsql-general |
Travis Bauer <trbauer@indiana.edu> writes:
> That part works okay, but here is a more complicated situation that
> doesn't:
> create user user1;
> create table t1 (x int, y int);
> create table t2 (a int, y int);
> create view v1 as select * from t1 where x in (select a from t2);
> ------------------
> create view v2 as select * from v1 where x>3;
> revoke all on t1 from public;
> revoke all on t2 from public;
> revoke all on v1 from public;
> revoke all on v2 from public;
> grant select on v2 to user1;
> \c - user1
> select * from v2;
> ====> v1: Permission denied.
> The problem occurs because of the nested select underlined above.
I agree, this is a bug. The rewriter checks access permissions on the
basis of the rule's creator, not of the rule's invoker --- but it only
does so at the top level of the rule query. It forgets to recurse into
subqueries :-(. Fairly easy fix, will work on it for 7.1.
regards, tom lane
В списке pgsql-general по дате отправления: