authorJoe Conway <mail@joeconway.com>2015-07-30 09:38:15 -0700
committerJoe Conway <mail@joeconway.com>2015-07-30 09:38:15 -0700
commit1e15b212290bf6daff752f20e9e0356e4dac6e09 (patch)
tree71884436284faa58f589f0d798f07f3f9b3f4325 /src/backend/rewrite/rowsecurity.c
parent8693ebe37d65ec1bc1ebeab36f60b38f18fb25d6 (diff)
Use appropriate command type when retrieving relation's policies.
When retrieving policies, if not working on the root target relation, we actually want the relation's SELECT policies, regardless of the top level query command type. For example in UPDATE t1...FROM t2 we need to apply t1's UPDATE policies and t2's SELECT policies. Previously top level query command type was applied to all relations, which was wrong. Add some regression coverage to ensure we don't violate this principle in the future. Report and patch by Dean Rasheed. Cherry picked from larger refactoring patch and tweaked by me. Back-patched to 9.5 where RLS was introduced.
Diffstat (limited to 'src/backend/rewrite/rowsecurity.c')
-rw-r--r--src/backend/rewrite/rowsecurity.c12
1 files changed, 11 insertions, 1 deletions
diff --git a/src/backend/rewrite/rowsecurity.c b/src/backend/rewrite/rowsecurity.c
index 2386cf016fb..562dbc90e9f 100644
--- a/src/backend/rewrite/rowsecurity.c
+++ b/src/backend/rewrite/rowsecurity.c
@@ -147,8 +147,18 @@ get_row_security_policies(Query *root, CmdType commandType, RangeTblEntry *rte,
return;
}
- /* Grab the built-in policies which should be applied to this relation. */
+ /*
+ * RLS is enabled for this relation.
+ *
+ * Get the security policies that should be applied, based on the command
+ * type. Note that if this isn't the target relation, we actually want
+ * the relation's SELECT policies, regardless of the query command type,
+ * for example in UPDATE t1 ... FROM t2 we need to apply t1's UPDATE
+ * policies and t2's SELECT policies.
+ */
rel = heap_open(rte->relid, NoLock);
+ if (rt_index != root->resultRelation)
+ commandType = CMD_SELECT;
rowsec_policies = pull_row_security_policies(commandType, rel,
user_id);
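Review bot: The override `if (rt_index != root->resultRelation) commandType = CMD_SELECT;` reassigns the function's own parameter, so every later use of `commandType` in get_row_security_policies (the body continues past this hunk) will see CMD_SELECT for non-target relations, not the query's command type. If that is intended for the code that follows, say so at the assignment, for example `/* from here on, commandType is the effective policy command for this RTE */`. If any later code needs the original top-level command, compute a local instead, `CmdType policyCmd = (rt_index == root->resultRelation) ? commandType : CMD_SELECT;`, and pass that to pull_row_security_policies(). Because this value decides which row-level security policies filter the relation, a silent mismatch later in the function would be hard to spot in review.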