-rw-r--r-- | doc/src/sgml/ddl.sgml | 42 |
1 files changed, 33 insertions, 9 deletions
diff --git a/doc/src/sgml/ddl.sgml b/doc/src/sgml/ddl.sgml index c25b15f636b..2bc43f9d107 100644 --- a/doc/src/sgml/ddl.sgml +++ b/doc/src/sgml/ddl.sgml @@ -1621,10 +1621,21 @@ CREATE POLICY account_managers ON accounts TO managers </programlisting> <para> + The policy above implicitly provides a <literal>WITH CHECK</literal> + clause identical to its <literal>USING</literal> clause, so that the + constraint applies both to rows selected by a command (so a manager + cannot <command>SELECT</command>, <command>UPDATE</command>, + or <command>DELETE</command> existing rows belonging to a different + manager) and to rows modified by a command (so rows belonging to a + different manager cannot be created via <command>INSERT</command> + or <command>UPDATE</command>). + </para> + + <para> If no role is specified, or the special user name <literal>PUBLIC</literal> is used, then the policy applies to all - users on the system. To allow all users to access their own row in - a <literal>users</> table, a simple policy can be used: + users on the system. To allow all users to access only their own row in + a <literal>users</literal> table, a simple policy can be used: </para> <programlisting> 
@@ -1633,20 +1644,33 @@ CREATE POLICY user_policy ON users </programlisting> <para> + This works similarly to the previous example. + </para> + + <para> To use a different policy for rows that are being added to the table - compared to those rows that are visible, the <literal>WITH CHECK</> - clause can be used. This policy would allow all users to view all rows - in the <literal>users</> table, but only modify their own: + compared to those rows that are visible, multiple policies can be + combined. This pair of policies would allow all users to view all rows + in the <literal>users</literal> table, but only modify their own: </para> <programlisting> -CREATE POLICY user_policy ON users - USING (true) - WITH CHECK (user_name = current_user); +CREATE POLICY user_sel_policy ON users + FOR SELECT + USING (true); +CREATE POLICY user_mod_policy ON users + USING (user_name = current_user); </programlisting> <para> - Row security can also be disabled with the <command>ALTER TABLE</> + In a <command>SELECT</command> command, these two policies are combined + using <literal>OR</literal>, with the net effect being that all rows + can be selected. In other command types, only the second policy applies, + so that the effects are the same as before. + </para> + + <para> + Row security can also be disabled with the <command>ALTER TABLE</command> command. Disabling row security does not remove any policies that are defined on the table; they are simply ignored. Then all rows in the table are visible and modifiable, subject to the standard SQL privileges |
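Review bot: In the first hunk, the new paragraph opens with "The policy above" and then says "the constraint applies"; name the policy and the clause explicitly so the rule it states stands on its own, e.g. "The <literal>account_managers</literal> policy above implicitly provides a <literal>WITH CHECK</literal> clause identical to its <literal>USING</literal> clause, so the <literal>USING</literal> expression applies both to rows selected ... and to rows modified ...". This is the general rule for any policy written without <literal>WITH CHECK</literal>, and the later examples depend on it, so it is worth stating as a rule rather than as a remark about one example.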
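Review bot: In the second hunk, "This works similarly to the previous example." says nothing a reader can use, and the new two-policy example never says why the removed single policy (<literal>USING (true) WITH CHECK (user_name = current_user)</literal>) did not achieve "only modify their own". Both gaps can be closed with the rule the first hunk states: a <literal>USING (true)</literal> clause lets every existing row be targeted by <command>UPDATE</command> and <command>DELETE</command>, and <literal>WITH CHECK</literal> only constrains the rows being written, so the old policy still allowed deleting other users' rows. Suggest replacing the one-line paragraph with a sentence that <literal>user_policy</literal>, like <literal>account_managers</literal>, gets an implicit <literal>WITH CHECK</literal> from its <literal>USING</literal> clause, and adding to the paragraph after the new <programlisting> that <literal>user_mod_policy</literal> likewise acts as its own <literal>WITH CHECK</literal>, so an <command>INSERT</command> or <command>UPDATE</command> producing a row with a different <literal>user_name</literal> is rejected; without that, "only the second policy applies" reads as if inserts were unconstrained.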