Remove the row_security=force GUC value.
Every query of a single ENABLE ROW SECURITY table has two meanings, with
the row_security GUC selecting between them. With row_security=force
available, every function author would have been advised to either set
the GUC locally or test both meanings. Non-compliance would have
threatened reliability and, for SECURITY DEFINER functions, security.
Authors already face an obligation to account for search_path, and we
should not mimic that example. With this change, only BYPASSRLS roles
need exercise the aforementioned care. Back-patch to 9.5, where the
row_security GUC was introduced.
Since this narrows the domain of pg_db_role_setting.setconfig and
pg_proc.proconfig, one might bump catversion. A row_security=force
setting in one of those columns will elicit a clear message, so don't.
Branch
------
master
Details
-------
http://git.postgresql.org/pg/commitdiff/537bd178c73b1d25938347b17e9e3e62898fc231
Modified Files
--------------
doc/src/sgml/config.sgml | 13 +---
doc/src/sgml/ddl.sgml | 17 ++---
src/backend/utils/misc/guc.c | 39 +++-------
src/backend/utils/misc/rls.c | 29 +++-----
src/include/utils/plancache.h | 2 +-
src/include/utils/rls.h | 12 +---
src/test/regress/expected/rowsecurity.out | 111 +----------------------------
src/test/regress/sql/rowsecurity.sql | 52 +-------------
8 files changed, 34 insertions(+), 241 deletions(-)