author | Noah Misch <noah@leadboat.com> | 2015-09-20 20:45:41 -0400 |
---|---|---|
committer | Noah Misch <noah@leadboat.com> | 2015-09-20 20:45:54 -0400 |
commit | 6dae6edcd88cf3be06acf247c10de925bc065274 (patch) | |
tree | 0f3cebd0d38a7d31cf29a145d51933b2ed5fa224 /src/include | |
parent | 1be9d65e17abc6215a6faae9bc3f714dd3d040b6 (diff) | |

Remove the row_security=force GUC value.

Every query of a single ENABLE ROW SECURITY table has two meanings, with
the row_security GUC selecting between them. With row_security=force
available, every function author would have been advised to either set
the GUC locally or test both meanings. Non-compliance would have
threatened reliability and, for SECURITY DEFINER functions, security.
Authors already face an obligation to account for search_path, and we
should not mimic that example. With this change, only BYPASSRLS roles
need exercise the aforementioned care. Back-patch to 9.5, where the
row_security GUC was introduced.

Since this narrows the domain of pg_db_role_setting.setconfig and
pg_proc.proconfig, one might bump catversion. A row_security=force
setting in one of those columns will elicit a clear message, so don't.

Diffstat (limited to 'src/include')
-rw-r--r-- | src/include/utils/plancache.h | 2 |
-rw-r--r-- | src/include/utils/rls.h | 12 |
2 files changed, 3 insertions, 11 deletions
diff --git a/src/include/utils/plancache.h b/src/include/utils/plancache.h index 90a018082f0..b683b070e35 100644 --- a/src/include/utils/plancache.h +++ b/src/include/utils/plancache.h @@ -110,7 +110,7 @@ typedef struct CachedPlanSource double total_custom_cost; /* total cost of custom plans so far */ int num_custom_plans; /* number of plans included in total */ bool hasRowSecurity; /* planned with row security? */ - int row_security_env; /* row security setting when planned */ + bool row_security_env; /* row security setting when planned */ bool rowSecurityDisabled; /* is row security disabled? */ } CachedPlanSource; diff --git a/src/include/utils/rls.h b/src/include/utils/rls.h index 3770ddc2163..3e75f06d6cf 100644 --- a/src/include/utils/rls.h +++ b/src/include/utils/rls.h @@ -14,15 +14,7 @@ #define RLS_H /* GUC variable */ -extern int row_security; - -/* Possible values for row_security GUC */ -typedef enum RowSecurityConfigType -{ - ROW_SECURITY_OFF, /* RLS never applied- error thrown if no priv */ - ROW_SECURITY_ON, /* normal case, RLS applied for regular users */ - ROW_SECURITY_FORCE /* RLS applied for superusers and table owners */ -} RowSecurityConfigType; +extern bool row_security; /* * Used by callers of check_enable_rls. @@ -30,7 +22,7 @@ typedef enum RowSecurityConfigType * RLS could be completely disabled on the tables involved in the query, * which is the simple case, or it may depend on the current environment * (the role which is running the query or the value of the row_security - * GUC- on, off, or force), or it might be simply enabled as usual. + * GUC), or it might be simply enabled as usual. * * If RLS isn't on the table involved then RLS_NONE is returned to indicate * that we don't need to worry about invalidating the query plan for RLS |
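
Review bot: In the plancache.h hunk, the comment on row_security_env in CachedPlanSource still reads "row security setting when planned", which no longer tells the reader what the two values mean now that the field is a bool instead of an int. Suggest stating that it holds the value of the row_security GUC at plan time (true meaning on), and distinguishing it from the adjacent hasRowSecurity and rowSecurityDisabled fields, since three neighbouring bools about row security are easy to mix up when deciding whether a cached plan must be invalidated.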
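
Review bot: In the first rls.h hunk, replacing the RowSecurityConfigType enum with "extern bool row_security;" leaves only "/* GUC variable */" as documentation, so the header loses the note that the off setting means "error thrown if no priv" rather than RLS quietly not being applied. Suggest keeping a one-line comment on the bool that records what false does. Also, because the commit message says this is back-patched to 9.5, removing ROW_SECURITY_OFF, ROW_SECURITY_ON and ROW_SECURITY_FORCE and changing the type of an exported variable will break compilation of any out-of-tree code that includes rls.h and references them; that deserves a mention in the release notes.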