The following documentation comment has been logged on the website:
Page: https://www.postgresql.org/docs/11/sql-createpolicy.html
Description:
It's not clear enough from reading the documentation on RLS security policy
that schema designers need to pay special attention to views and their
ownership. (Views will bypass RLS security in the common case that they are
owned by a super user.) I have seen this misunderstanding lead to
unexpected data exposure.
This *is* clarified at the very bottom of the Notes section on the `create
policy` document, but I believe it justifies having a clear and prominent
call out. Thank you!