Обсуждение: Read only column ?
Is there a way to set a column to be read only?
I have a table with several columns with values that are determined by triggers. I want users to be able to view, but never edit them.
Thanks
"Gauthier, Dave" <dave.gauthier@intel.com> writes: > Is there a way to set a column to be read only? As of 8.4 you could revoke insert/update permissions column-by-column ... > I have a table with several columns with values that are determined by triggers. I want users to be able to view, butnever edit them. ... although, if you have triggers forcibly setting the columns, it hardly matters what the users try to put into them, no? regards, tom lane
>>.. although, if you have triggers forcibly setting the columns, it >>hardly matters what the users try to put into them, no? Ummmm..... Wellll.... I guess you have a point there :-) Still, it would be nicer for the DB to tell them "DON'T TOUCH THAT" as opposed to a trigger silently overriding whateverthey may have thought they changed. -----Original Message----- From: Tom Lane [mailto:tgl@sss.pgh.pa.us] Sent: Saturday, January 16, 2010 9:00 PM To: Gauthier, Dave Cc: pgsql-general@postgresql.org Subject: Re: [GENERAL] Read only column ? "Gauthier, Dave" <dave.gauthier@intel.com> writes: > Is there a way to set a column to be read only? As of 8.4 you could revoke insert/update permissions column-by-column ... > I have a table with several columns with values that are determined by triggers. I want users to be able to view, butnever edit them. ... although, if you have triggers forcibly setting the columns, it hardly matters what the users try to put into them, no? regards, tom lane
"Gauthier, Dave" <dave.gauthier@intel.com> writes: >> .. although, if you have triggers forcibly setting the columns, it >> hardly matters what the users try to put into them, no? > Ummmm..... Wellll.... I guess you have a point there :-) > Still, it would be nicer for the DB to tell them "DON'T TOUCH THAT" as opposed to a trigger silently overriding whateverthey may have thought they changed. Well, you could have the triggers throw errors instead of being silent about it. regards, tom lane
Tom Lane wrote: > Well, you could have the triggers throw errors instead of being silent > about it. > > otoh, do you really want trigger code checking for permissions? ugh.
Triggers,throw errors? I didn't know they could do that. Other than via "raise notice", how is this done? Could I capturesuch an error programatically (e.g. in perl/DBI)? -----Original Message----- From: Tom Lane [mailto:tgl@sss.pgh.pa.us] Sent: Saturday, January 16, 2010 9:12 PM To: Gauthier, Dave Cc: pgsql-general@postgresql.org Subject: Re: [GENERAL] Read only column ? "Gauthier, Dave" <dave.gauthier@intel.com> writes: >> .. although, if you have triggers forcibly setting the columns, it >> hardly matters what the users try to put into them, no? > Ummmm..... Wellll.... I guess you have a point there :-) > Still, it would be nicer for the DB to tell them "DON'T TOUCH THAT" as opposed to a trigger silently overriding whateverthey may have thought they changed. Well, you could have the triggers throw errors instead of being silent about it. regards, tom lane
>> otoh, do you really want trigger code checking for permissions? ugh. Not really. I'd rather this be cought before it made it that far. I'll have to read the 8.4 release notes ! -----Original Message----- From: John R Pierce [mailto:pierce@hogranch.com] Sent: Saturday, January 16, 2010 9:18 PM To: Tom Lane Cc: Gauthier, Dave; pgsql-general@postgresql.org Subject: Re: [GENERAL] Read only column ? Tom Lane wrote: > Well, you could have the triggers throw errors instead of being silent > about it. > > otoh, do you really want trigger code checking for permissions? ugh.
"Gauthier, Dave" <dave.gauthier@intel.com> writes: > Triggers,throw errors? I didn't know they could do that. Other than via "raise notice", how is this done? Could I capturesuch an error programatically (e.g. in perl/DBI)? RAISE can do more than just notices ... regards, tom lane
On 17/01/2010 10:18 AM, John R Pierce wrote: > Tom Lane wrote: >> Well, you could have the triggers throw errors instead of being silent >> about it. >> > > otoh, do you really want trigger code checking for permissions? ugh. Before column permissions, it was all you could do :-( I'm LOVING col permissions, especially now that I've got Hibernate playing properly with them. So much ugly, error-prone trigger code is gone. Having to test IS DISTINCT FROM or IS NOT NULL and RAISE NOTICE handling all the different cases of insert/update/delete wasn't pretty. One thing, though: Tom said that you can just revoke col permissions from the cols of interest. I suspect that how it was worded could be confusing to a reader not familiar with how the permissions work. You can't: GRANT SELECT, INSERT, UPDATE, DELETE ON sometable TO user; REVOKE SELECT, INSERT, UPDATE (protectedcol) ON sometable FROM user; since there's no column-level GRANT to REVOKE. Column-level REVOKE can't convert a table-level GRANT to a selective column-level GRANT. Instead, you must GRANT access to the list of columns the user *should* be allowed to modify. GRANT DELETE ON sometable TO user; GRANT SELECT, INSERT, UPDATE (col1, col2, col3) ON sometable TO user; The manual goes into this a bit. -- Craig Ringer