Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1uhVTe-000jIH-4L
	for pgsql-general@arkaria.postgresql.org; Thu, 31 Jul 2025 15:45:54 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1uhVTd-0021Lr-3w
	for pgsql-general@arkaria.postgresql.org; Thu, 31 Jul 2025 15:45:53 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <adrian.klaver@aklaver.com>)
	id 1uhVTc-0021Lj-7c
	for pgsql-general@lists.postgresql.org; Thu, 31 Jul 2025 15:45:52 +0000
Received: from fhigh-b1-smtp.messagingengine.com ([202.12.124.152])
	by magus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <adrian.klaver@aklaver.com>)
	id 1uhVTY-0002qx-33
	for pgsql-general@lists.postgresql.org;
	Thu, 31 Jul 2025 15:45:51 +0000
Received: from phl-compute-02.internal (phl-compute-02.phl.internal [10.202.2.42])
	by mailfhigh.stl.internal (Postfix) with ESMTP id CBCED7A23B4;
	Thu, 31 Jul 2025 11:45:47 -0400 (EDT)
Received: from phl-mailfrontend-01 ([10.202.2.162])
  by phl-compute-02.internal (MEProxy); Thu, 31 Jul 2025 11:45:47 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aklaver.com; h=
	cc:cc:content-transfer-encoding:content-type:content-type:date
	:date:from:from:in-reply-to:in-reply-to:message-id:mime-version
	:references:reply-to:subject:subject:to:to; s=fm2; t=1753976747;
	 x=1754063147; bh=Ib26M4bcBg1X2/6dN9OAgxBFpel/mXkwOb2ouJaKdf4=; b=
	N3qH9P6ASHfgbbgelSYYb2IZB2kz+yqWuQ6NDhIybOy2F/VAUq4uVEqCoV5fSkdv
	ozf9QPy1ikfNJ1RNahDqHlu7vt3fA1CqN2jurPN4HtrP/wMl7M98uEcxWh3UEhbQ
	bJSQlxKY0G+5/Sv0CAZ4c/2EONMftHsrN6U9z1LekJcox8tlGKnqaIxs2B59td9P
	c1qilcfFxaDz83r60Ok2iKJtyESZPgrxMr17PXC9hVVLtHQ+4iXsimfh2WyawZQU
	6ug5KepSaZ6WP0hisPBouck6Cm3p8kdYMVZ4K+e28Y1RcgY4oMwzh81l4FsF5JCv
	oe8WzrqBWpH9B7MR3TPh3Q==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=cc:cc:content-transfer-encoding
	:content-type:content-type:date:date:feedback-id:feedback-id
	:from:from:in-reply-to:in-reply-to:message-id:mime-version
	:references:reply-to:subject:subject:to:to:x-me-proxy
	:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t=1753976747; x=
	1754063147; bh=Ib26M4bcBg1X2/6dN9OAgxBFpel/mXkwOb2ouJaKdf4=; b=I
	gLKBdyRthQ9+ReC53nxMpeLcN55/rNpK+Sw+bzZZk1X9jyLaDUIKWLS7VfukGgNL
	9nc31urt46yNZTTYmCB1hd0lSbUQBDAS5v7KNTu3oczTJfxcs01hDM4XrIkGkXGs
	8ELbOQVUHrmT1SpcsKKHwtD3ixqnDm2AMDS+emQr/gS1DyObNm58x2+rQZCWen+B
	vjMOta7pB/Au4cNzWAhEmNCrGaZQwrHhSPCrsy3CDstJtbF5yfqiI6j1vPLtLFxi
	NMs38p62CRpWu+wU7GgPR4pe/Uy6Uep1UhZDd2Vzyqw/41eTuXNmZqBUCOAOiAlN
	ApJk2+07HZARmO9tlhs0w==
X-ME-Sender: <xms:q4-LaMv4C98qrlOWYh-dqs0ssBolXOpDYQ5CLT8GlFWFFCy9h8waOw>
    <xme:q4-LaEBerYzVYBfDtH_eQmcNOQ4j5e1av65DbpHo-qUHswB9_fvQyVr-90Zw8w5HA
    eg2GEfFRk81UPk>
X-ME-Received: <xmr:q4-LaEWvnuSJCIfl7mqvvtnARg-Bo4OeyM79IdYD-gLMhN7MQTq4ewPWsSsD16lUykc1CDoiSN03Ung5tfUH7QBe18l6lg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeeffedrtdefgddutdduvdduucetufdoteggodetrf
    dotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfurfetoffkrfgpnffqhgenuceu
    rghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujf
    gurhepkfffgggfuffvvehfhfgjtgfgsehtjeertddtvdejnecuhfhrohhmpeetughrihgr
    nhcumfhlrghvvghruceorggurhhirghnrdhklhgrvhgvrhesrghklhgrvhgvrhdrtghomh
    eqnecuggftrfgrthhtvghrnheptdfhieeiudefgeduvdeghefhfeegjeegffduheejhfeg
    iefhffehteeihfdvteeunecuffhomhgrihhnpegtmhhurdgvughunecuvehluhhsthgvrh
    fuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomheprggurhhirghnrdhklhgrvhgv
    rhesrghklhgrvhgvrhdrtghomhdpnhgspghrtghpthhtohepgedpmhhouggvpehsmhhtph
    houhhtpdhrtghpthhtohepuggrvhhiugdrghdrjhhohhhnshhtohhnsehgmhgrihhlrdgt
    ohhmpdhrtghpthhtohepugguvghvihgvnhhnvgesghhmrghilhdrtghomhdprhgtphhtth
    hopehguhhilhhlrghumhgvrdhlvghlrghrghgvsegurghlihgsohdrtghomhdprhgtphht
    thhopehpghhsqhhlqdhgvghnvghrrghlsehlihhsthhsrdhpohhsthhgrhgvshhqlhdroh
    hrgh
X-ME-Proxy: <xmx:q4-LaCDU5f-PE5M8gt36zJ7f2x2nJVr9BqkQVfqAMSNd4DpSfrfXZQ>
    <xmx:q4-LaH9fhg3Ck2D_Exm8CI5-_9K_Kmg4BO-ARqqaKo51whmLwC9gnQ>
    <xmx:q4-LaJHWAS-3sphC5GAaUVi1GLl6ik4exiKEAt5ZkjQfqfAxctOUyA>
    <xmx:q4-LaFOIZ1ENP0CepI3FEz4F-vFeWcTMtKH-d6ejRJl4MQBH072FYg>
    <xmx:q4-LaPESWZfAv1aqSYJOi2Isea0nyphHQmVU7JQtEOq9njy7W-Z0HP3g>
Feedback-ID: i76984098:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Thu,
 31 Jul 2025 11:45:46 -0400 (EDT)
Message-ID: <ff87bba0-9b9b-4dac-9f47-d2eefef42378@aklaver.com>
Date: Thu, 31 Jul 2025 08:45:46 -0700
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: SET LOCAL ROLE inside SECURITY INVOKER (LANGUAGE plpgsql)
 function
To: "David G. Johnston" <david.g.johnston@gmail.com>
Cc: Dominique Devienne <ddevienne@gmail.com>,
 Guillaume Lelarge <guillaume.lelarge@dalibo.com>,
 "pgsql-general@lists.postgresql.org" <pgsql-general@lists.postgresql.org>
References: <CAFCRh--AXoYUj8-WDuWpUcWXC0UNAL9gjbTp=1hU-NJhRyR0vQ@mail.gmail.com>
 <fa68fc72-e109-452e-8642-2b99c613f870@aklaver.com>
 <CAFCRh-9AzsOBd6cPFsgmbw=Mf3nN5tHj9YYQQHZG0XqxDSMK=Q@mail.gmail.com>
 <508f71c4-f1b1-4685-921d-bec8b361be10@aklaver.com>
 <662792ed-810d-46f1-a0c3-d4b55e5469fc@aklaver.com>
 <CAFCRh-8D+R=xufTFYN8SDDeEVwDNCb7kcspt9hsRW2T-QOMoKg@mail.gmail.com>
 <693d1252-89e4-498d-a5a6-5de6524bbb34@dalibo.com>
 <CAFCRh--tSWRRCMvtSovtRDX1wce5KCOutaDRBD5JKWb9atLC_w@mail.gmail.com>
 <bc2b9760-3597-477a-b199-633ba3ac36e5@aklaver.com>
 <CAKFQuwap0B96VNsVJVbyP3h1FPAGz0f=SOi_Gcf9PBM1id2HFg@mail.gmail.com>
Content-Language: en-US
From: Adrian Klaver <adrian.klaver@aklaver.com>
In-Reply-To: <CAKFQuwap0B96VNsVJVbyP3h1FPAGz0f=SOi_Gcf9PBM1id2HFg@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
List-Id: <pgsql-general.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-general@lists.postgresql.org>
List-Owner: <mailto:pgsql-general-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-general>
Archived-At: <https://www.postgresql.org/message-id/ff87bba0-9b9b-4dac-9f47-d2eefef42378%40aklaver.com>
Precedence: bulk

On 7/31/25 08:06, David G. Johnston wrote:
> On Thursday, July 31, 2025, Adrian Klaver <adrian.klaver@aklaver.com 
> <mailto:adrian.klaver@aklaver.com>> wrote:

>     So the below from the original post was not correct:
> 
>     "My setup ensures that the role I SET LOCAL ROLE to, has (indirectly)
>     been granted DMLs on that table."
> 
> 
> Not incorrect, just insufficient since select is not a DML action.

1) Seems to be some difference on that:

https://www.contrib.andrew.cmu.edu/~shadow/sql/sql1992.txt

13  Data manipulation

13.5  <select statement: single row>

Function

          Retrieve values from a specified row of a table.

2) What if you do SELECT some_data_mod_fnc()?

3) In the case at hand there was an implied SELECT as part of the DELETE.

> 
> David J.
> 


-- 
Adrian Klaver
adrian.klaver@aklaver.com