From 4988d7e96953ac858563e225079b6992810aab22 Mon Sep 17 00:00:00 2001 From: Fujii Masao Date: Fri, 7 Feb 2020 00:33:11 +0900 Subject: [PATCH] Add note about access permission checks by inherited TRUNCATE and LOCK TABLE. Inherited queries perform access permission checks on the parent table only. But there are two exceptions to this rule in v12 or before; TRUNCATE and LOCK TABLE commands through a parent table check the permissions on not only the parent table but also the children tables. Previously these exceptions were not documented. This commit adds the note about these exceptions, into the document. Back-patch to v9.4. But we don't apply this commit to the master because commit e6f1e560e4 already got rid of the exception about inherited TRUNCATE and upcoming commit will do for the exception about inherited LOCK TABLE. Author: Amit Langote Reviewed-by: Fujii Masao Discussion: https://postgr.es/m/CA+HiwqHfTnMU6SUkyHxCmpHUKk7ERLHCR3vZVq19ZOQBjPBLmQ@mail.gmail.com --- doc/src/sgml/ddl.sgml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/doc/src/sgml/ddl.sgml b/doc/src/sgml/ddl.sgml index d88651df9e..7550d03f27 100644 --- a/doc/src/sgml/ddl.sgml +++ b/doc/src/sgml/ddl.sgml @@ -3384,7 +3384,15 @@ VALUES ('Albany', NULL, NULL, 'NY'); accessed through cities. This preserves the appearance that the data is (also) in the parent table. But the capitals table could not be updated directly - without an additional grant. In a similar way, the parent table's row + without an additional grant. Two exceptions to this rule are + TRUNCATE and LOCK TABLE, + where permissions on the child tables are always checked, + whether they are processed directly or recursively via those commands + performed on the parent table. + + + + In a similar way, the parent table's row security policies (see ) are applied to rows coming from child tables during an inherited query. A child table's policies, if any, are applied only when it is the table explicitly named