Re: Possible typo in create_policy.sgml

On 30 January 2015 at 03:40, Stephen Frost <sfrost@snowman.net> wrote:
> * Robert Haas (robertmhaas@gmail.com) wrote:
>> On Thu, Jan 29, 2015 at 9:04 PM, Stephen Frost <sfrost@snowman.net> wrote:
>> > A policy grants the ability to SELECT, INSERT, UPDATE, or DELETE rows
>> > which match the relevant policy expression. Existing table rows are
>> > checked against the expression specified via USING, while new rows
>> > that would be created via INSERT or UPDATE are checked against the
>> > expression specified via WITH CHECK.  When a USING expression returns
>> > false for a given row, that row is not visible to the user.  When a WITH
>> > CHECK expression returns false for a row which is to be added, an error
>> > occurs.
>>
>> Yeah, that's not bad.  I think it's an improvement, in fact.
>

Yes I like that too. My main concern was that we should be describing
policies in terms of permitting access to the table, not limiting
access, because of the default-deny policy, and this new text clears
that up.

One additional quibble -- it's misleading to say "expression returns
false" here (and later in the check_expression parameter description)
because if the expression returns null, that's also a failure. So it
ought to be "false or null", but perhaps it could just be described in
terms of rows matching the expression, with a separate note to say
that a row only matches a policy expression if that expression returns
true, not false or null.

Regards,
Dean