Re: Bug: RLS policy FOR SELECT is used to check new rows

Dean Rasheed <dean.a.rasheed@gmail.com> writes:
> On Tue, 24 Oct 2023 at 09:36, Laurenz Albe <laurenz.albe@cybertec.at> wrote:
>> I'd say that this error is wrong.  The FOR SELECT policy should be applied
>> to the WHERE condition, but certainly not to check new rows.

> Yes, I had the same thought recently. I would say that the SELECT
> policies should only be used to check new rows if the UPDATE has a
> RETURNING clause and SELECT permissions are required on the target
> relation.

> In other words, it should be OK to UPDATE a row to new values that are
> not visible according to the table's SELECT policies, provided that
> the UPDATE command does not attempt to return those new values. That
> would be consistent with what we do for INSERT.

> Note, that the current behaviour goes back a long way, though it's not
> quite clear whether this was intentional [1].

I'm fairly sure that it was intentional, but I don't recall the
reasoning; perhaps Stephen does.  In any case, I grasp your point
that maybe we should distinguish RETURNING from not-RETURNING cases.

            regards, tom lane