public inbox for [email protected]  
From: Richard Huxton <[email protected]>
To: Olleg Samoylov <[email protected]>
Cc: [email protected]
Cc: [email protected]
Subject: Rules and Permissions docs change (was Re: BUG #1610: rewrite rule and sequence)
Date: Fri, 22 Apr 2005 09:03:17 +0100
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
	<[email protected]>
	<[email protected]>

Olleg Samoylov wrote:
> Richard Huxton wrote:
> 
>> That's not a bug, it's a feature (as they say). I suppose you could
>> argue that a sequence only used by one table could inherit that
>> table's permissions by default, but I can see problems when people
>> reorder GRANT statements.

> It's not a feature, it's a bug. From the PostgreSQL documentation, 33.4. Rules
> and Privileges:
> <quote> Relations that are used due to rules get checked against the
> privileges of the rule owner, not the user invoking the rule. This means
> that a user only needs the required privileges for the tables/views that
> he names explicitly in his queries.</quote>
> 
> This isn't true for tables with serial fields.

Hmm - perhaps the documentation needs expanding. Certainly, if your view 
references functions you need to make sure permissions are set correctly 
on those.

How about changes along the lines of:

Ch 33.4, para 2
"... Relations that are used due to rules get checked against the 
privileges of the rule owner, not the user invoking the rule. This means 
that a user only needs the required privileges for the objects[1] that 
he names explicitly in his queries."

then

"[1] This includes permissions on tables and views you reference in your 
view definition. It might also include execute permissions on any 
functions referenced, and for updates, permissions on any sequences. 
This includes sequences automatically created by use of the SERIAL type."

Perhaps we should also have a reminder to read the rules chapter in the 
serial description (ch 8.1.4).

--
   Richard Huxton
   Archonet Ltd
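
An added example, not part of the original message or the PostgreSQL documentation, showing the case discussed above: a user with privileges only on a view whose INSERT rule writes to a table with a SERIAL column. The first INSERT is rejected with a permission error on the sequence, because nextval() is checked against the calling user rather than the rule owner; a grant on the sequence alone fixes it without exposing the base table. The names app_user, orders, orders_v and orders_v_ins are constructed, and the script assumes a release that supports GRANT ... ON SEQUENCE.

```sql
-- Run as the owner of the objects (who is also the rule owner).
-- All object and role names below are constructed for illustration.
CREATE ROLE app_user;

CREATE TABLE orders (
    id   serial PRIMARY KEY,   -- implicitly creates a sequence owned by orders.id
    item text NOT NULL
);

CREATE VIEW orders_v AS SELECT id, item FROM orders;

CREATE RULE orders_v_ins AS ON INSERT TO orders_v
    DO INSTEAD INSERT INTO orders (item) VALUES (NEW.item);

-- The user names only the view in queries, so per 33.4 this looks sufficient.
GRANT SELECT, INSERT ON orders_v TO app_user;

-- Access to "orders" is checked against the rule owner, but the column
-- default calls nextval(), which is checked against app_user.
SET ROLE app_user;
INSERT INTO orders_v (item) VALUES ('widget');
RESET ROLE;

-- Look up the sequence behind the SERIAL column instead of guessing its name.
SELECT pg_get_serial_sequence('orders', 'id');

-- Least-privilege fix: grant on the sequence only, not on the base table.
GRANT USAGE ON SEQUENCE orders_id_seq TO app_user;
-- On releases without GRANT ... ON SEQUENCE, the table-style form is:
--   GRANT SELECT, UPDATE ON orders_id_seq TO app_user;

SET ROLE app_user;
INSERT INTO orders_v (item) VALUES ('widget');
RESET ROLE;

-- Audit what app_user now holds: the sequence, but still not the table.
SELECT has_sequence_privilege('app_user', 'orders_id_seq', 'USAGE') AS seq_usage,
       has_table_privilege('app_user', 'orders', 'INSERT')          AS table_insert,
       has_table_privilege('app_user', 'orders_v', 'INSERT')        AS view_insert;
```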


