diff options
| author | Noah Misch <noah@leadboat.com> | 2015-10-03 20:19:57 -0400 |
|---|---|---|
| committer | Noah Misch <noah@leadboat.com> | 2015-10-03 20:20:50 -0400 |
| commit | 01ba7894f3f72ea57d1cfdc4f40f6231bc6cd9cd (patch) | |
| tree | 8153ebad55cc49f2cb534ec4be5c2e8f96d3071c /src/test/regress | |
| parent | cfddb5df5a84923160b23890d6086bcbcd1fd655 (diff) | |
| download | postgresql-01ba7894f3f72ea57d1cfdc4f40f6231bc6cd9cd.tar.gz postgresql-01ba7894f3f72ea57d1cfdc4f40f6231bc6cd9cd.zip | |
Make BYPASSRLS behave like superuser RLS bypass.
Specifically, make its effect independent from the row_security GUC, and
make it affect permission checks pertinent to views the BYPASSRLS role
owns. The row_security GUC thereby ceases to change successful-query
behavior; it can only make a query fail with an error. Back-patch to
9.5, where BYPASSRLS was introduced.
Diffstat (limited to 'src/test/regress')
| -rw-r--r-- | src/test/regress/expected/rowsecurity.out | 14 | ||||
| -rw-r--r-- | src/test/regress/sql/rowsecurity.sql | 6 |
2 files changed, 10 insertions, 10 deletions
diff --git a/src/test/regress/expected/rowsecurity.out b/src/test/regress/expected/rowsecurity.out index 0cde8fd0e3f..0363dfd07ff 100644 --- a/src/test/regress/expected/rowsecurity.out +++ b/src/test/regress/expected/rowsecurity.out @@ -2584,10 +2584,15 @@ COPY (SELECT * FROM copy_t ORDER BY a ASC) TO STDOUT WITH DELIMITER ','; --ok SET row_security TO ON; COPY (SELECT * FROM copy_t ORDER BY a ASC) TO STDOUT WITH DELIMITER ','; --ok 0,cfcd208495d565ef66e7dff9f98764da +1,c4ca4238a0b923820dcc509a6f75849b 2,c81e728d9d4c2f636f067f89cc14862c +3,eccbc87e4b5ce2fe28308fd9f2a7baf3 4,a87ff679a2f3e71d9181a67b7542122c +5,e4da3b7fbbce2345d7772b0674a318d5 6,1679091c5a880faf6fb5e6087eb1b2dc +7,8f14e45fceea167a5a36dedd4bea2543 8,c9f0f895fb98ab9159f51fd0297e236d +9,45c48cce2e2d7fbdea1afc51c7c6ad26 10,d3d9446802a44259755d38e6d163e820 -- Check COPY TO as user without permissions. SET row_security TO OFF; SET SESSION AUTHORIZATION rls_regress_user2; @@ -2627,6 +2632,7 @@ COPY copy_rel_to TO STDOUT WITH DELIMITER ','; --ok 1,c4ca4238a0b923820dcc509a6f75849b SET row_security TO ON; COPY copy_rel_to TO STDOUT WITH DELIMITER ','; --ok +1,c4ca4238a0b923820dcc509a6f75849b -- Check COPY TO as user without permissions. SET row_security TO OFF; SET SESSION AUTHORIZATION rls_regress_user2; SET row_security TO OFF; @@ -2650,14 +2656,10 @@ SET row_security TO ON; COPY copy_t FROM STDIN; --fail - COPY FROM not supported by RLS. ERROR: COPY FROM not supported with row level security. HINT: Use direct INSERT statements instead. --- Check COPY TO as user with permissions and BYPASSRLS +-- Check COPY FROM as user with permissions and BYPASSRLS SET SESSION AUTHORIZATION rls_regress_exempt_user; -SET row_security TO OFF; -COPY copy_t FROM STDIN; --ok SET row_security TO ON; -COPY copy_t FROM STDIN; --fail - COPY FROM not supported by RLS. -ERROR: COPY FROM not supported with row level security. -HINT: Use direct INSERT statements instead. +COPY copy_t FROM STDIN; --ok -- Check COPY FROM as user without permissions. SET SESSION AUTHORIZATION rls_regress_user2; SET row_security TO OFF; diff --git a/src/test/regress/sql/rowsecurity.sql b/src/test/regress/sql/rowsecurity.sql index 6ed0daf345f..7f8772fa26c 100644 --- a/src/test/regress/sql/rowsecurity.sql +++ b/src/test/regress/sql/rowsecurity.sql @@ -1070,17 +1070,15 @@ COPY copy_t FROM STDIN; --fail - insufficient privilege to bypass rls. SET row_security TO ON; COPY copy_t FROM STDIN; --fail - COPY FROM not supported by RLS. --- Check COPY TO as user with permissions and BYPASSRLS +-- Check COPY FROM as user with permissions and BYPASSRLS SET SESSION AUTHORIZATION rls_regress_exempt_user; -SET row_security TO OFF; +SET row_security TO ON; COPY copy_t FROM STDIN; --ok 1 abc 2 bcd 3 cde 4 def \. -SET row_security TO ON; -COPY copy_t FROM STDIN; --fail - COPY FROM not supported by RLS. -- Check COPY FROM as user without permissions. SET SESSION AUTHORIZATION rls_regress_user2; |