=?utf-8?B?0J7Qu9C10LMg0KHQsNC80L7QudC70L7Qsg==?= <splarv@ya.ru> writes:
> PostgreSQL 10 (in 11 the same
> https://www.postgresql.org/docs/10/static/ddl-rowsecurity.html
> cite
> To use a different policy for rows that are being added to the table
> compared to those rows that are visible, the WITH CHECK clause can be used.
> This policy would allow all users to view all rows in the users table, but
> only modify their own:
> CREATE POLICY user_policy ON users
> USING (true)
> WITH CHECK (user_name = current_user);
> end cite
> This is is wrong description. Every one can steal other row with such
> policy.
Yup, you're right, this is too simple.
> The right statement to not allow modify rows by other user will be
> CREATE POLICY user_policy ON users
> USING (user_name = current_user)
> WITH CHECK (user_name = current_user);
Well, that also hides the other users' rows, which is not what the
example claims to do. To make it work as documented, we need something
like
CREATE POLICY user_sel_policy ON users
FOR SELECT
USING (true);
CREATE POLICY user_mod_policy ON users
USING (user_name = current_user);
I've pushed a patch along that line. Thanks for the report!
regards, tom lane