On Tue, Oct 5, 2010 at 3:42 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Right, *column* filtering seems easy and entirely secure. The angst
> here is about row filtering. Can we have a view in which users can see
> the values of a column for some rows, with perfect security that they
> can't identify values for the hidden rows? The stronger form is that
> they shouldn't even be able to tell that hidden rows exist, which is
> something your view doesn't try to do; but there are at least some
> applications where that would be desirable.
I took a crack at documenting the current behavior; see attached. It
turns out that a view which only uses boolean operators in the WHERE
clause is not obviously subvertable, because we judge those operations
to have no cost. (It seems unwise to rely on this for security,
though.) Anything more complicated - that does row filtering - is
easily hacked. See within for details.
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise Postgres Company