On 30 January 2015 at 03:40, Stephen Frost <sfr...@snowman.net> wrote: > * Robert Haas (robertmh...@gmail.com) wrote: >> On Thu, Jan 29, 2015 at 9:04 PM, Stephen Frost <sfr...@snowman.net> wrote: >> > A policy grants the ability to SELECT, INSERT, UPDATE, or DELETE rows >> > which match the relevant policy expression. Existing table rows are >> > checked against the expression specified via USING, while new rows >> > that would be created via INSERT or UPDATE are checked against the >> > expression specified via WITH CHECK. When a USING expression returns >> > false for a given row, that row is not visible to the user. When a WITH >> > CHECK expression returns false for a row which is to be added, an error >> > occurs. >> >> Yeah, that's not bad. I think it's an improvement, in fact. >
Yes I like that too. My main concern was that we should be describing policies in terms of permitting access to the table, not limiting access, because of the default-deny policy, and this new text clears that up. One additional quibble -- it's misleading to say "expression returns false" here (and later in the check_expression parameter description) because if the expression returns null, that's also a failure. So it ought to be "false or null", but perhaps it could just be described in terms of rows matching the expression, with a separate note to say that a row only matches a policy expression if that expression returns true, not false or null. Regards, Dean -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
