Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1sghKb-006MSy-IV
	for pgsql-general@arkaria.postgresql.org; Wed, 21 Aug 2024 09:08:41 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1sghKZ-008eAe-K4
	for pgsql-general@arkaria.postgresql.org; Wed, 21 Aug 2024 09:08:40 +0000
Received: from makus.postgresql.org ([2001:4800:3e1:1::229])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <jian.universality@gmail.com>)
	id 1sghKZ-008eAU-8i
	for pgsql-general@lists.postgresql.org; Wed, 21 Aug 2024 09:08:39 +0000
Received: from mail-vk1-xa33.google.com ([2607:f8b0:4864:20::a33])
	by makus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.94.2)
	(envelope-from <jian.universality@gmail.com>)
	id 1sghKX-000hqS-7H
	for pgsql-general@lists.postgresql.org; Wed, 21 Aug 2024 09:08:38 +0000
Received: by mail-vk1-xa33.google.com with SMTP id 71dfb90a1353d-4fcf40c9ed3so233722e0c.2
        for <pgsql-general@lists.postgresql.org>; Wed, 21 Aug 2024 02:08:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1724231316; x=1724836116; darn=lists.postgresql.org;
        h=to:subject:message-id:date:from:mime-version:from:to:cc:subject
         :date:message-id:reply-to;
        bh=nQld7SW/KxtXSuZAP0Ib2vUzn+uvNf4nvAV/NDlhya4=;
        b=QkxVxjsUDdO9Jkui+64LEflNFuSdt4fLzd8XIP8U/eXub9whQ/I2Hy6dkPe5hibR4E
         nmYPv8cyiczUpMaVpl1N4gxZYqrfB9o6TcEdz/nJELZfXRaO1u8RTXnyd+L543lHyAVC
         juAjd0r03OZN7LxRGEqrjg6iotshafjhD8Yz6co8NoQYenWEXH/cXlZsRwBxXh/ZSeO8
         QTBp+AEcthsvUg7Qt0PxzRLuFOH8shVos3QpbFrdsgTVl++VQppuX+lWHZ9tsCGY+QeH
         iGqvQ7xTF7K4UACtDZ0VmduuLh2qoAceTP4F3/ofRKcT34I2ks8Jbr2fF020bSVFJQKW
         6mAw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1724231316; x=1724836116;
        h=to:subject:message-id:date:from:mime-version:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=nQld7SW/KxtXSuZAP0Ib2vUzn+uvNf4nvAV/NDlhya4=;
        b=loxAbYMkHPQgjNYYshXvlJzRTj+n+s++jW0jCRwQ/RVgMUq+X8ySREWUhXFYGB7H/H
         2VvxzPaWD1drt8ejGUtKsD2iZgr/cVJ9qlni9o3a7bElG+rH8j1GSdbgkkTYKDfUcS/D
         YIUhXHuWGTcwThrBVOyoDiuNOJD8u/0mnxHCDXZ1TISJAEag3H8+bRBJ+Mh/HYsjXd+S
         rBmN5rduXG1H41rE46xlneRJSpQAdPZHniNFKw3oLRCCc23MkBkCF1oY0ijytL6GM7nG
         dA2XaGq+f3E2jf5vgQUEe/xIiwKTR6KmhnWnZNVGhvReoPny1yokz/5F8WCSChgb0XyT
         xRcA==
X-Gm-Message-State: AOJu0YwSzG92a8X11gw97Lnh3OKiaXsi+H6+4G7oqJg4WIyn+mj/Lwno
	DfWrCPymyKkk9uGT7taN+U7gGTQyzzMXDoI1B3v2SSuoiG5ldqG+os0g36juW9xN7gf/HOx2Bi0
	06jbZ5ChP02bAnHWVh/p9fTWNaBAsEwt7c8w=
X-Google-Smtp-Source: AGHT+IFaFXvx1xN0Yry21wy+nnydU/HPgoPvkeauXxwIhKrqRpD3LAD2cFvPLVwsb+HyGejjySnu43PZPKQm5jzmBD0=
X-Received: by 2002:a05:6122:a05:b0:4f6:e87d:5160 with SMTP id
 71dfb90a1353d-4fcf1ceb208mr1930283e0c.9.1724231316163; Wed, 21 Aug 2024
 02:08:36 -0700 (PDT)
MIME-Version: 1.0
From: jian he <jian.universality@gmail.com>
Date: Wed, 21 Aug 2024 17:08:25 +0800
Message-ID: <CACJufxG31b+LwmxHz6xw9Qr+qc3VgQaRdpiaGUoZFrf=NBu48g@mail.gmail.com>
Subject: security invoker review need full select (all columns) to do DML?
To: pgsql-general list <pgsql-general@lists.postgresql.org>
Content-Type: text/plain; charset="UTF-8"
List-Id: <pgsql-general.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-general@lists.postgresql.org>
List-Owner: <mailto:pgsql-general-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-general>
Archived-At: <https://www.postgresql.org/message-id/CACJufxG31b%2BLwmxHz6xw9Qr%2Bqc3VgQaRdpiaGUoZFrf%3DNBu48g%40mail.gmail.com>
Precedence: bulk

hi.

the following setup is extract from src/test/regress/sql/updatable_views.sql
you can search keywords: "-- ordinary view on top of security invoker
view permissions"

------------------------------------------------------------------------------------
CREATE USER regress_view_user1;
CREATE USER regress_view_user2;
CREATE USER regress_view_user3;
drop table if exists base_tbl cascade;
-- ordinary view on top of security invoker view permissions
CREATE TABLE base_tbl(a int, b text, c float);
INSERT INTO base_tbl VALUES (1, 'Row 1', 1.0);

SET SESSION AUTHORIZATION regress_view_user1;
CREATE VIEW rw_view1 AS SELECT b AS bb, c AS cc, a AS aa FROM base_tbl;
ALTER VIEW rw_view1 SET (security_invoker = true);
SELECT * FROM rw_view1;  -- not allowed
UPDATE rw_view1 SET aa=aa;  -- not allowed
MERGE INTO rw_view1 t USING (VALUES (2, 'Row 2', 2.0)) AS v(a,b,c) ON t.aa = v.a
  WHEN NOT MATCHED THEN INSERT VALUES (v.b, v.c, v.a); -- not allowed

SET SESSION AUTHORIZATION regress_view_user2;
CREATE VIEW rw_view2 AS SELECT cc AS ccc, aa AS aaa, bb AS bbb FROM rw_view1;
GRANT SELECT, UPDATE ON rw_view2 TO regress_view_user3;
SELECT * FROM rw_view2;  -- not allowed
UPDATE rw_view2 SET aaa=aaa;  -- not allowed
MERGE INTO rw_view2 t USING (VALUES (2, 'Row 2', 2.0)) AS v(a,b,c) ON
t.aaa = v.a
  WHEN NOT MATCHED THEN INSERT VALUES (v.c, v.a, v.b); -- not allowed

RESET SESSION AUTHORIZATION;
GRANT SELECT(a,b) ON base_tbl TO regress_view_user1;
GRANT UPDATE (a, b) ON base_tbl TO regress_view_user1;
------------------------------------------------------------------------------------
SET SESSION AUTHORIZATION regress_view_user1;
SELECT a, b FROM base_tbl; -- ok
SELECT aa, bb FROM rw_view1; -- ok
UPDATE rw_view1 SET aa=11, bb=22; --ok
UPDATE rw_view1 SET aa=11, bb=22 returning aa,bb; --not ok.

Should the last query be allowed?
The (Updatable Views section in create_view.sgml) didn't explain it or
I didn't fully understand it.

<<QUOTE from manual [1]
Note that the user performing the insert, update or delete on the view
must have the corresponding insert, update or delete privilege on the
view. In addition, by default, the view's owner must have the relevant
privileges on the underlying base relations, whereas the user
performing the update does not need any permissions on the underlying
base relations (see Section 41.5). However, if the view has
security_invoker set to true, the user performing the update, rather
than the view owner, must have the relevant privileges on the
underlying base relations.
<<end of the QUOTE

[1] https://www.postgresql.org/docs/current/sql-createview.html