Re: [PATCH] Add reloption for views to enable RLS
From | walther@technowledgy.de |
---|---|
Subject | Re: [PATCH] Add reloption for views to enable RLS |
Date | |
Msg-id | 916f42ab-cc7c-2d56-f734-c0fa12522ae2@technowledgy.de |
In reply to | [PATCH] Add reloption for views to enable RLS (Christoph Heiss <christoph.heiss@cybertec.at>) |
List | pgsql-hackers |
Laurenz Albe:
> So even though the view owner "duff" has no permissions
> on the schema "viewtest", we can still select from the table.
> Permissions on the schema containing the table are not
> checked, only permissions on the table itself.
>
> I am not sure how to feel about this. It is not what I would have
> expected, but changing it would be a compatibility break.
> Should this be considered a live bug in PostgreSQL?

I now found the docs to say:

USAGE:
For schemas, allows access to objects contained in the schema (assuming that the objects' own privilege requirements are also met). Essentially this allows the grantee to “look up” objects within the schema. Without this permission, it is still possible to see the object names, e.g., by querying system catalogs. Also, after revoking this permission, existing sessions might have statements that have previously performed this lookup, so this is not a completely secure way to prevent object access.

So, this seems to be perfectly fine.

Best

Wolfgang
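
The behaviour discussed in this message, as an added example that is not part of the original thread: schema USAGE gates name lookup, while access through an existing view is decided by the table's own privileges, checked as the view owner. The role "duff" and schema "viewtest" come from the quoted text; the table `tab`, view `public.v` and role `reader` are assumed names, and the script is meant to be run as a superuser in a scratch database.

```sql
-- Setup (constructed objects; only "duff" and "viewtest" appear in the thread).
CREATE ROLE duff;
CREATE ROLE reader;
CREATE SCHEMA viewtest;
CREATE TABLE viewtest.tab (id integer);
INSERT INTO viewtest.tab VALUES (1);

-- duff gets the table privilege but is never granted USAGE on the schema.
GRANT SELECT ON viewtest.tab TO duff;

-- The view's reference to viewtest.tab is resolved once, at creation time,
-- here by the superuser. Ownership is then handed to duff.
CREATE VIEW public.v AS SELECT id FROM viewtest.tab;
ALTER VIEW public.v OWNER TO duff;
GRANT SELECT ON public.v TO reader;

-- Audit check: what the view owner holds on schema versus table.
SELECT has_schema_privilege('duff', 'viewtest', 'USAGE')     AS schema_usage,  -- false
       has_table_privilege('duff', 'viewtest.tab', 'SELECT') AS table_select;  -- true

-- Access through the view succeeds: the table privilege is checked as the
-- view owner (duff), and no schema lookup takes place at this point.
SET ROLE reader;
SELECT * FROM public.v;
RESET ROLE;

-- Direct access by name requires the lookup, so it is refused:
-- ERROR:  permission denied for schema viewtest
SET ROLE duff;
SELECT * FROM viewtest.tab;
RESET ROLE;

-- To actually cut off access through the view, revoke the table privilege
-- from the view owner rather than relying on schema USAGE.
REVOKE SELECT ON viewtest.tab FROM duff;
```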