Remove the SECURITY_ROW_LEVEL_DISABLED security context bit.

This commit's parent made superfluous the bit's sole usage.  Referential
integrity checks have long run as the subject table's owner, and that
now implies RLS bypass.  Safe use of the bit was tricky, requiring
strict control over the SQL expressions evaluating therein.  Back-patch
to 9.5, where the bit was introduced.

Based on a patch by Stephen Frost.

1 files changed, 1 insertions, 16 deletions

diff --git a/src/backend/utils/adt/ri_triggers.c b/src/backend/utils/adt/ri_triggers.c
index 61edde9c5d3..fc1c77f072f 100644
--- a/src/backend/utils/adt/ri_triggers.c
+++ b/src/backend/utils/adt/ri_triggers.c
@@ -2970,7 +2970,6 @@ ri_PlanCheck(const char *querystr, int nargs, Oid *argtypes,
 	Relation	query_rel;
 	Oid			save_userid;
 	int			save_sec_context;
-	int			temp_sec_context;
 
 	/*
 	 * Use the query type code to determine whether the query is run against
@@ -2983,22 +2982,8 @@ ri_PlanCheck(const char *querystr, int nargs, Oid *argtypes,
 
 	/* Switch to proper UID to perform check as */
 	GetUserIdAndSecContext(&save_userid, &save_sec_context);
-
-	/*
-	 * Row-level security should be disabled in the case where a foreign-key
-	 * relation is queried to check existence of tuples that references the
-	 * primary-key being modified.
-	 */
-	temp_sec_context = save_sec_context | SECURITY_LOCAL_USERID_CHANGE;
-	if (qkey->constr_queryno == RI_PLAN_CHECK_LOOKUPPK
-		|| qkey->constr_queryno == RI_PLAN_CHECK_LOOKUPPK_FROM_PK
-		|| qkey->constr_queryno == RI_PLAN_RESTRICT_DEL_CHECKREF
-		|| qkey->constr_queryno == RI_PLAN_RESTRICT_UPD_CHECKREF)
-		temp_sec_context |= SECURITY_ROW_LEVEL_DISABLED;
-
-
 	SetUserIdAndSecContext(RelationGetForm(query_rel)->relowner,
-						   temp_sec_context);
+						   save_sec_context | SECURITY_LOCAL_USERID_CHANGE);
 
 	/* Create the plan */
 	qplan = SPI_prepare(querystr, nargs, argtypes);