Re: Row security violation error is misleading
| От | Craig Ringer |
|---|---|
| Тема | Re: Row security violation error is misleading |
| Дата | |
| Msg-id | CAMsr+YEFNJOT+R7zSMZoBqoDhAU-++i2swKS5NpuMSYB4U+qCw@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: Row security violation error is misleading (Dean Rasheed <dean.a.rasheed@gmail.com>) |
| Список | pgsql-hackers |
On 9 April 2015 at 14:56, Dean Rasheed <dean.a.rasheed@gmail.com> wrote:
On 8 April 2015 at 16:27, Stephen Frost <sfrost@snowman.net> wrote:
> * Dean Rasheed (dean.a.rasheed@gmail.com) wrote:
>> I actually re-used the sql status code 42501 -
>> ERRCODE_INSUFFICIENT_PRIVILEGE for a RLS check failure because of the
>> parallel with permissions checks, but I quite like Craig's idea of
>> inventing a new status code for this, so that it can be more easily
>> distinguished from a lack of GRANTed privileges.
>
> As I mentioned to Kevin, I'm not sure that this is really a useful
> distinction. I'm quite curious if other systems provide that
> distinction between grant violations and policy violations. If they do
> then that would certainly bolster the argument to provide the
> distinction in PG.
>
OK, on further reflection I think that's probably right.
ERRCODE_INSUFFICIENT_PRIVILEGE is certainly more appropriate than
anything based on a WCO violation, because it reflects the fact that
the current user isn't allowed to perform the insert/update, but
another user might be allowed, so this is a privilege problem, not a
data error.
I'd be OK with that too. Reusing WCO's code for something that isn't really "with check option" at all was my concern, really.
В списке pgsql-hackers по дате отправления: