The following bug has been logged on the website:
Bug reference: 15708
Logged by: Daurnimator
Email address: quae@daurnimator.com
PostgreSQL version: 11.2
Operating system: linux
Description:
(from https://gist.github.com/daurnimator/b1d2c16359e346a466b3093ae2757acf
)
This fails, seemingly because the RLS on 'bar' is being checked by alice,
instead of the view owner bob:
```sql
create role alice;
create table bar(a integer);
alter table bar enable row level security;
create table qux(b integer);
create role bob;
create policy blahblah on bar to bob
using(exists(select 1 from qux));
grant select on table bar to bob;
grant select on table qux to bob;
create view foo as select * from bar;
alter view foo owner to bob;
grant select on table foo to alice;
-- grant select on table qux to alice; -- shouldn't be required
set role alice;
select * from foo;
```
```
$ psql -f rls_trouble.sql
CREATE ROLE
CREATE TABLE
ALTER TABLE
CREATE TABLE
CREATE ROLE
CREATE POLICY
GRANT
GRANT
CREATE VIEW
ALTER VIEW
GRANT
SET
psql:rls_trouble.sql:18: ERROR: permission denied for table qux
```
If we add an indirection via another view, then I get the result I
expected...
```sql
create role alice;
create table bar(a integer);
alter table bar enable row level security;
create table qux(b integer);
-- if we add a layer of indirection it works.... wat?
create view indirection as select * from bar;
create role bob;
create policy blahblah on bar to bob
using(exists(select 1 from qux));
grant select on table bar to bob;
grant select on table indirection to bob;
grant select on table qux to bob;
create view foo as select * from indirection;
alter view foo owner to bob;
grant select on table foo to alice;
set role alice;
select * from foo;
```