Robert Haas wrote: > On Wed, Sep 23, 2015 at 2:39 PM, Stephen Frost <sfr...@snowman.net> wrote: > > * Robert Haas (robertmh...@gmail.com) wrote: > >> On Wed, Sep 23, 2015 at 12:01 PM, Stephen Frost <sfr...@snowman.net> wrote: > >> > * Robert Haas (robertmh...@gmail.com) wrote: > >> >> My expectation would have been: > >> >> > >> >> If you specify USING, you can see only those rows, but you can give > >> >> rows away freely. If you don't want to allow giving rows away under > >> >> any circumstances, then specify the same expression for USING and WITH > >> >> CHECK. > >> > > >> > Having an implicit 'true' for WITH CHECK would be very much against what > >> > I would ever expect. If anything, I'd think we would have an implicit > >> > 'false' there or simply not allow it to ever be unspecified. > >> > >> Huh? If you had an implicit false, wouldn't that prevent updating or > >> deleting any rows at all? > > > > Right, just the same as how, if RLS is enabled and no explicit policies > > are provided, non-owners can't see the rows or insert/update/delete > > anything in the table. The same is true for the GRANT system, where > > there are no permissions granted by default. I view the lack of an > > explicit definition of a WITH CHECK clause to be the same, excepting the > > simple case where it's the same as USING. > > Hmm, interesting. I guess that's a defensible position, but I still > think that having them default to be the same thing implicitly is > kinda weird. I'll defer to whatever the consensus, is, though.
I think an explicit statement of a "true" as WITH CHECK makes more sense -- I think Stephen suggested it upthread as making the WITH CHECK be mandatory. If you really want to allow rows to be "given away" (which could be a security issue), a "WITH CHECK (true)" is easy enough to specify. -- Álvaro Herrera http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
