aboutsummaryrefslogtreecommitdiff
path: root/src/backend/commands/copy.c
diff options
context:
space:
mode:
authorTom Lane <tgl@sss.pgh.pa.us>2023-03-10 13:52:28 -0500
committerTom Lane <tgl@sss.pgh.pa.us>2023-03-10 13:52:28 -0500
commit53a53ea332131b3d29d8d69e1dc2823f4d6ff21a (patch)
tree2667de68eec9846a477c7fc16ffe05bf27add910 /src/backend/commands/copy.c
parentd811d74be353283a3c8282b46a0a6e75e89de5f9 (diff)
downloadpostgresql-53a53ea332131b3d29d8d69e1dc2823f4d6ff21a.tar.gz
postgresql-53a53ea332131b3d29d8d69e1dc2823f4d6ff21a.zip
Ensure COPY TO on an RLS-enabled table copies no more than it should.
The COPY documentation is quite clear that "COPY relation TO" copies rows from only the named table, not any inheritance children it may have. However, if you enabled row-level security on the table then this stopped being true, because the code forgot to apply the ONLY modifier in the "SELECT ... FROM relation" query that it constructs in order to allow RLS predicates to be attached. Fix that. Report and patch by Antonin Houska (comment adjustments and test case by me). Back-patch to all supported branches. Discussion: https://postgr.es/m/3472.1675251957@antos
Diffstat (limited to 'src/backend/commands/copy.c')
-rw-r--r--src/backend/commands/copy.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/src/backend/commands/copy.c b/src/backend/commands/copy.c
index 8265b981ebd..e4dee3f11ff 100644
--- a/src/backend/commands/copy.c
+++ b/src/backend/commands/copy.c
@@ -244,11 +244,14 @@ DoCopy(ParseState *pstate, const CopyStmt *stmt,
/*
* Build RangeVar for from clause, fully qualified based on the
- * relation which we have opened and locked.
+ * relation which we have opened and locked. Use "ONLY" so that
+ * COPY retrieves rows from only the target table not any
+ * inheritance children, the same as when RLS doesn't apply.
*/
from = makeRangeVar(get_namespace_name(RelationGetNamespace(rel)),
pstrdup(RelationGetRelationName(rel)),
-1);
+ from->inh = false; /* apply ONLY */
/* Build query */
select = makeNode(SelectStmt);