Re: security label support, part.2

From: Stephen Frost
Subject: Re: security label support, part.2
Date:
Msg-id: 20100818125249.GE26232@tamriel.snowman.net
In response to: Re: security label support, part.2  (KaiGai Kohei <kaigai@ak.jp.nec.com>)
Responses: Re: security label support, part.2  (KaiGai Kohei <kaigai@ak.jp.nec.com>)
List: pgsql-hackers

* KaiGai Kohei (kaigai@ak.jp.nec.com) wrote:
> If rte->requiredPerms would not be cleared, the user of the hook will
> be able to check access rights on the child tables, as they like.

This would only be the case for those children which are being touched
in the current query, which would depend on what conditionals are
applied, what the current setting of check_constraints is, and possibly
other factors.  I do *not* like this approach.

> How about an idea to add a new flag in RangeTblEntry which shows where
> the RangeTblEntry came from, instead of clearing requiredPerms?
> If the flag is true, I think ExecCheckRTEPerms() can simply skip checks
> on the child tables.

How about the external module just checks if the current object being
queried has parents, and if so, goes and checks the
labels/permissions/etc on those children?  That way the query either
always fails or never fails for a given caller, rather than sometimes
working and sometimes not depending on the query.

Thanks,
    Stephen
