diff options
| author | Stephen Frost <sfrost@snowman.net> | 2015-09-15 15:49:40 -0400 |
|---|---|---|
| committer | Stephen Frost <sfrost@snowman.net> | 2015-09-15 15:49:40 -0400 |
| commit | 23a4b897f731e1a2be7fe989a34016d7a6287148 (patch) | |
| tree | 0fadf580ab43634f6e9498dd54687e860eb01fa4 /src/backend/executor | |
| parent | ed301d6dbe32eaad4f226903d430336e5a0d72aa (diff) | |
| download | postgresql-23a4b897f731e1a2be7fe989a34016d7a6287148.tar.gz postgresql-23a4b897f731e1a2be7fe989a34016d7a6287148.zip | |
RLS refactoring
This refactors rewrite/rowsecurity.c to simplify the handling of the
default deny case (reducing the number of places where we check for and
add the default deny policy from three to one) by splitting up the
retrival of the policies from the application of them.
This also allowed us to do away with the policy_id field. A policy_name
field was added for WithCheckOption policies and is used in error
reporting, when available.
Patch by Dean Rasheed, with various mostly cosmetic changes by me.
Back-patch to 9.5 where RLS was introduced to avoid unnecessary
differences, since we're still in alpha, per discussion with Robert.
Diffstat (limited to 'src/backend/executor')
| -rw-r--r-- | src/backend/executor/execMain.c | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/src/backend/executor/execMain.c b/src/backend/executor/execMain.c index 2c65a901d94..c28eb2bca36 100644 --- a/src/backend/executor/execMain.c +++ b/src/backend/executor/execMain.c @@ -1815,14 +1815,26 @@ ExecWithCheckOptions(WCOKind kind, ResultRelInfo *resultRelInfo, break; case WCO_RLS_INSERT_CHECK: case WCO_RLS_UPDATE_CHECK: - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + if (wco->polname != NULL) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("new row violates row level security policy \"%s\" for \"%s\"", + wco->polname, wco->relname))); + else + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), errmsg("new row violates row level security policy for \"%s\"", wco->relname))); break; case WCO_RLS_CONFLICT_CHECK: - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + if (wco->polname != NULL) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("new row violates row level security policy \"%s\" (USING expression) for \"%s\"", + wco->polname, wco->relname))); + else + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), errmsg("new row violates row level security policy (USING expression) for \"%s\"", wco->relname))); break; |