diff options
| author | Tom Lane <tgl@sss.pgh.pa.us> | 2016-11-10 16:16:33 -0500 |
|---|---|---|
| committer | Tom Lane <tgl@sss.pgh.pa.us> | 2016-11-10 16:16:33 -0500 |
| commit | 24aef33804be5d7d71bc3932ced3407fce71e354 (patch) | |
| tree | c2e77995c997577d73bf45c7ef99e00e7de47d4a /src/include | |
| parent | 530f8065243b185e56c70ab317a9b40964b4ad00 (diff) | |
Cleanup of rewriter and planner handling of Query.hasRowSecurity flag.
Be sure to pull up the subquery's hasRowSecurity flag when flattening a
subquery in pull_up_simple_subquery(). This isn't a bug today because
we don't look at the hasRowSecurity flag during planning, but it could
easily be a bug tomorrow.
Likewise, make rewriteRuleAction() pull up the hasRowSecurity flag when
absorbing RTEs from a rule action. This isn't a bug either, for the
opposite reason: the flag should never be set yet. But again, it seems
like good future proofing.
Add a comment explaining why rewriteTargetView() should *not* set
hasRowSecurity when adding stuff to securityQuals.
Improve some nearby comments about securityQuals processing, and document
that field more completely in parsenodes.h.
Patch by me, analysis by Dean Rasheed.
Discussion: <CAEZATCXZ8tb2DV6f=bkhsMV6u_gRcZ0CZBw2J-qU84RxSukZog@mail.gmail.com>
Diffstat (limited to 'src/include')
| -rw-r--r-- | src/include/nodes/parsenodes.h | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/src/include/nodes/parsenodes.h b/src/include/nodes/parsenodes.h index 9b600a5f76d..04b1c2f2d43 100644 --- a/src/include/nodes/parsenodes.h +++ b/src/include/nodes/parsenodes.h @@ -775,6 +775,13 @@ typedef struct XmlSerialize * FirstLowInvalidHeapAttributeNumber from column numbers before storing * them in these fields. A whole-row Var reference is represented by * setting the bit for InvalidAttrNumber. + * + * securityQuals is a list of security barrier quals (boolean expressions), + * to be tested in the listed order before returning a row from the + * relation. It is always NIL in parser output. Entries are added by the + * rewriter to implement security-barrier views and/or row-level security. + * Note that the planner turns each boolean expression into an implicitly + * AND'ed sublist, as is its usual habit with qualification expressions. *-------------------- */ typedef enum RTEKind @@ -872,7 +879,7 @@ typedef struct RangeTblEntry Bitmapset *selectedCols; /* columns needing SELECT permission */ Bitmapset *insertedCols; /* columns needing INSERT permission */ Bitmapset *updatedCols; /* columns needing UPDATE permission */ - List *securityQuals; /* any security barrier quals to apply */ + List *securityQuals; /* security barrier quals to apply, if any */ } RangeTblEntry; /* |