On 12/17/2016 02:04 PM, Stephen Frost wrote:
> Note that RLS won't be applied for the table owner either (unless the
> relation has 'FORCE RLS' enabled for it), so you don't have to have
> functions which are run as superuser to use the approach Joe
> recommended.
Good point, thanks, I should have mentioned that. You would be better
off having a different user own both the table and the function in order
to avoid using/abusing the superuser for that purpose. Just be aware
that FORCE RLS would break that solution.
--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development