public inbox for [email protected]  
From: Karsten Hilbert <[email protected]>
To: [email protected]
Subject: Q on SELECT column list pushdown from view to table
Date: Tue, 25 Mar 2025 23:21:15 +0100
Message-ID: <[email protected]> (raw)

Dear all,

given this schema and role:

	create table t_partially_private (
		public_col text,
		private_col text
	);
	insert into t_partially_private (public_col, private_col) values ('public value', 'private value');


	create view v_partially_private as
	select
		public_col,
		private_col
	from
		t_partially_private
	;
	alter view v_partially_private set (security_invoker = TRUE);


	create role "restricted-role";
	grant select (public_col) on t_partially_private to "restricted-role";
	grant select (public_col) on v_partially_private to "restricted-role";

I expected this:

	set role "restricted-role";
	-- this works:
	select public_col from t_partially_private;
	-- this fails: with "permission denied on table t_partially_private"
	select public_col from v_partially_private;

to work but selecting from the view fails. I would assume
the reason is that the SELECT column list does not narrow
down what the view tries to (sub)select from the table.

If so, is there a reason I don't yet see why this is so?

What would be the proper way to achieve the above short of
using another view dedicated to the restricted column (in
real life, the views are way more involved, as usual ...)?

Thanks,
Karsten
--
GPG  40BE 5B0E C98E 1713 AFA6  5BC0 3BEA AC80 7D4F C89B
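
An added example, not part of the original message: it rebuilds the poster's schema in a rolled-back transaction, lists which base-table columns referenced by the view definition the role has no SELECT privilege on, and spells out the dedicated-view alternative the message mentions. The view name v_public_only is hypothetical; the script assumes PostgreSQL 15 or later (security_invoker), a scratch database, and a session role that owns the objects and may create roles.

```sql
-- Added example; everything is rolled back at the end.
begin;

-- Schema and grants as given in the message.
create table t_partially_private (public_col text, private_col text);
insert into t_partially_private (public_col, private_col)
	values ('public value', 'private value');

create view v_partially_private with (security_invoker = true) as
	select public_col, private_col from t_partially_private;

create role "restricted-role";
grant select (public_col) on t_partially_private to "restricted-role";
grant select (public_col) on v_partially_private to "restricted-role";

-- Diagnostic, run as the owner: base-table columns that the view
-- definition depends on and that the role cannot SELECT directly.
-- With security_invoker the base table is accessed with the caller's
-- privileges, so these are the columns to review.
select u.table_schema, u.table_name, u.column_name
from information_schema.view_column_usage u
where u.view_name = 'v_partially_private'
  and not has_column_privilege(
	'restricted-role'::name,
	format('%I.%I', u.table_schema, u.table_name),
	u.column_name::text,
	'SELECT');

-- The alternative named in the message: a view whose definition only
-- touches the column the role is allowed to read (hypothetical name).
create view v_public_only with (security_invoker = true) as
	select public_col from t_partially_private;
grant select on v_public_only to "restricted-role";

-- Query the dedicated view as the restricted role.
set local role "restricted-role";
select public_col from v_public_only;
reset role;

rollback;
```

information_schema.view_column_usage only shows columns of tables owned by a currently enabled role, so the diagnostic has to be run by the owner rather than by the restricted role.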





