Re: can we mark upper/lower/textlike functions leakproof?

On 8/2/24 11:07, Tom Lane wrote:
> Joe Conway <mail@joeconway.com> writes:
>> <dons flameproof suit>
>> Hmmm, and then have "leakproof_mode" = strict/lax/off where 'strict' is 
>> current behavior, 'lax' allows the 'maybe's to get pushed down, and 
>> 'off' ignores the leakproof attribute entirely and pushes down anything 
>> that merits being pushed?
>> </dons flameproof suit>
> 
> So in other words, we might as well just remove RLS.

Perhaps deciding where to draw the line for 'maybe' is too hard, but I 
don't understand how you can say that in a general sense.

'strict' mode would provide the same guarantees as today. And even 'off' 
has utility for cases where (1) no logins are allowed except for the app 
(which is quite common in production environments) and no database 
errors are propagated to the end client (again pretty standard best 
practice); or (2) non-production environments, e.g. for testing or 
debugging; or (3) use cases that utilize RLS as a notationally 
convenient filtering mechanism and are not bothered by some leakage in 
the worst case.

-- 
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com