Jakob Huber / postgres-lambda-diff
Commit d845fd68, authored 13 years ago by Robert Haas
sepgsql: Reword and fix typo in docs on DML permissions.
Per report from Christoph Berg.
parent 388c2f93
doc/src/sgml/sepgsql.sgml: 18 additions, 25 deletions
...
@@ -345,42 +345,35 @@ $ sudo semodule -r sepgsql-regtest
...
@@ -345,42 +345,35 @@ $ sudo semodule -r sepgsql-regtest
<para>
<para>
For tables, <literal>db_table:select</>, <literal>db_table:insert</>,
For tables, <literal>db_table:select</>, <literal>db_table:insert</>,
<literal>db_table:update</> or <literal>db_table:delete</>
is
<literal>db_table:update</> or <literal>db_table:delete</>
are
checked for all the referenced target tables depending on the kind of
checked for all the referenced target tables depending on the kind of
statement;
statement; in addition, <literal>db_table:select</> is also checked for
in addition, <literal>db_table:select</> is also checked for
all the tables that contain columns referenced in the
all the tables that contain the columns referenced in the
<literal>WHERE</> or <literal>RETURNING</> clause, as a data source
<literal>WHERE</> or <literal>RETURNING</> clause, as a data source
of <literal>UPDATE</>, and so on. For example, consider:
for <literal>UPDATE</>, and so on.
<synopsis>
UPDATE t1 SET x = 2, y = md5sum(y) WHERE z = 100;
</synopsis>
In this case we must have <literal>db_table:select</> in addition to
<literal>db_table:update</>, because <literal>t1.a</> is referenced
within the <literal>WHERE</> clause. Column-level permissions will also be
checked for each referenced column.
</para>
</para>
<para>
<para>
For columns, <literal>db_column:select</> is checked on
Column-level permissions will also be checked for each referenced column.
not only the columns being read using <literal>SELECT</>, but those
being
<literal>db_column:select</> is checked on not only the columns
being
referenced in other DML
statements.
read using <literal>SELECT</>, but those being
referenced in other DML
Of course, it also checks
<literal>db_column:update</> or
statements;
<literal>db_column:update</> or
<literal>db_column:insert</>
<literal>db_column:insert</> on
columns being modified by
will also be checked for
columns being modified by
<literal>UPDATE</> or
<literal>UPDATE</> or
<literal>INSERT</>.
<literal>INSERT</>.
</para>
</para>
<para>
<para>
For example, consider:
<synopsis>
<synopsis>
UPDATE t1 SET x = 2, y = md5sum(y) WHERE z = 100;
UPDATE t1 SET x = 2, y = md5sum(y) WHERE z = 100;
</synopsis>
</synopsis>
In this case, it checks <literal>db_column:update</> on the column
<literal>t1.x</> being updated, <literal>db_column:{select update}</>
Here, <literal>db_column:update</> will be checked for
on the column <literal>t1.y</> being updated and referenced, and
<literal>t1.x</>, since it is being updated,
<literal>db_column:select</> on the column <literal>t1.z</>, since that is
<literal>db_column:{select update}</> will be checked for
only referenced in the <literal>WHERE</> clause.
<literal>t1.y</>, since it is both updated and referenced, and
<literal>db_column:select</> will be checked for <literal>t1.z</>, since
it is only referenced.
<literal>db_table:{select update}</> will also be checked
<literal>db_table:{select update}</> will also be checked
at the table level.
at the table level.
</para>
</para>
...
...
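Review bot: In the reworded first paragraph, the clause "as a data source for <literal>UPDATE</>, and so on" still does not say which statements trigger the extra <literal>db_table:select</> check. Since the example (with its stray <literal>t1.a</> reference) was removed from this paragraph, consider naming the statements outright or pointing to the <literal>UPDATE t1 ...</> example in the later paragraph. In the column-level paragraph, "is checked on not only the columns being read using <literal>SELECT</>, but those being referenced" would read more cleanly as "is checked not only on the columns read using <literal>SELECT</>, but also on those referenced". The first paragraph also mentions <literal>RETURNING</>, which the one remaining example does not exercise, so a reader has no illustration of that case.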