* Also, allow extensions to add their own policies. * * Note that, as with the internal policies, if multiple policies are * returned then they will be combined into a single expression with * all of them OR'd together. However, to avoid the situation of an * extension granting more access to a table than the internal policies * would allow, the extension's policies are AND'd with the internal * policies. In other words - extensions can only provide further * filtering of the result set (or further reduce the set of records * allowed to be added).
which seems reasonable, and means that if there are both internal and external policies, an "allow all" external policy would be a no-op.
Great, I'm glad to see that they're ANDed now.
I wasn't caught up with the current state of this. At some earlier point policies from hooks were being ORed, which made mandatory access control extensions impossible.
(I need to finish reading threads before replying).