Re: [HACKERS] Row Level Security Bug ?

On 11/12/2017 10:17 AM, Andrea Adami wrote:
> if i do:
>
> SET ROLE 'manager-a@scuola-1.it <mailto:manager-a@scuola-1.it>'

[SELECT from table]

> i see only one row (as expected)
>
> but when i do:

[SELECT from VIEWs]

> I see all the rows always
>
> this way i lack all the row level security i defined
>
> is this either a bug or it's made by design ?
> if it's made by design why ?
> Is there  a way to write view that respect the row level security ?
> For my point of view is a nonsense make a row level security that
> doesn't work with the view.

See:
https://www.postgresql.org/docs/10/static/sql-createview.html
In particular: "Access to tables referenced in the view is determined by
permissions of the view owner."

And:
https://www.postgresql.org/docs/10/static/ddl-rowsecurity.html
"Superusers and roles with the BYPASSRLS attribute always bypass the row
security system when accessing a table. Table owners normally bypass row
security as well, though a table owner can choose to be subject to row
security with ALTER TABLE ... FORCE ROW LEVEL SECURITY."

HTH,

Joe

--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development