Re: Insert..returning (was Re: Re: postgres TODO)
| От | Tom Lane |
|---|---|
| Тема | Re: Insert..returning (was Re: Re: postgres TODO) |
| Дата | |
| Msg-id | 23124.963420431@sss.pgh.pa.us обсуждение |
| Ответ на | Re: Insert..returning (was Re: Re: postgres TODO) (Philip Warner <pjw@rhyme.com.au>) |
| Ответы |
Re: Insert..returning (was Re: Re: postgres TODO)
|
| Список | pgsql-hackers |
Philip Warner <pjw@rhyme.com.au> writes:
>> I think the thing he has in mind is the situation where one has insert
>> perms but not select.
Exactly --- and that's a perfectly reasonable setup in some cases (think
blind mailbox). INSERT ... RETURNING should require both insert and
select privileges IMHO.
> I would be inclined to follow the perms; is there a problem with that? You
> should not let them read the row they inserted since it *may* contain
> sensitive (automatically generated) data - the DBA must have had a reason
> for preventing SELECT.
It would be a pretty stupid app that would be using INSERT ... RETURNING
to obtain the data that it itself is supplying. The only reason I can
see for the feature is to get hold of automatically-generated column
values. Thus, obeying select permissions is relevant.
regards, tom lane
В списке pgsql-hackers по дате отправления: