sharpetronics/PostgreSQL
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-05-25 00:04:05 -04:00
Code Issues Projects Releases Wiki Activity

sepgsql: Reword and fix typo in docs on DML permissions.

Browse Source 
Per report from Christoph Berg.
This commit is contained in:
Robert Haas 2012-02-15 09:57:56 -05:00
parent 388c2f9325
commit d845fd684a
1 changed files with 22 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
doc/src/sgml/sepgsql.sgml
View File

@ -345,42 +345,35 @@ $ sudo semodule -r sepgsql-regtest
<para> <para>
For tables, <literal>db_table:select</>, <literal>db_table:insert</>, For tables, <literal>db_table:select</>, <literal>db_table:insert</>,
<literal>db_table:update</> or <literal>db_table:delete</> is <literal>db_table:update</> or <literal>db_table:delete</> are
checked for all the referenced target tables depending on the kind of checked for all the referenced target tables depending on the kind of
statement; statement; in addition, <literal>db_table:select</> is also checked for
in addition, <literal>db_table:select</> is also checked for all the tables that contain columns referenced in the
all the tables that contain the columns referenced in the
<literal>WHERE</> or <literal>RETURNING</> clause, as a data source <literal>WHERE</> or <literal>RETURNING</> clause, as a data source
of <literal>UPDATE</>, and so on. For example, consider: for <literal>UPDATE</>, and so on.
</para>
<para>
Column-level permissions will also be checked for each referenced column.
<literal>db_column:select</> is checked on not only the columns being
read using <literal>SELECT</>, but those being referenced in other DML
statements; <literal>db_column:update</> or <literal>db_column:insert</>
will also be checked for columns being modified by <literal>UPDATE</> or
<literal>INSERT</>.
</para>
<para>
For example, consider:
<synopsis> <synopsis>
UPDATE t1 SET x = 2, y = md5sum(y) WHERE z = 100; UPDATE t1 SET x = 2, y = md5sum(y) WHERE z = 100;
</synopsis> </synopsis>
In this case we must have <literal>db_table:select</> in addition to Here, <literal>db_column:update</> will be checked for
<literal>db_table:update</>, because <literal>t1.a</> is referenced <literal>t1.x</>, since it is being updated,
within the <literal>WHERE</> clause. Column-level permissions will also be <literal>db_column:{select update}</> will be checked for
checked for each referenced column. <literal>t1.y</>, since it is both updated and referenced, and
</para> <literal>db_column:select</> will be checked for <literal>t1.z</>, since
it is only referenced.
<para>
For columns, <literal>db_column:select</> is checked on
not only the columns being read using <literal>SELECT</>, but those being
referenced in other DML statements.
Of course, it also checks <literal>db_column:update</> or
<literal>db_column:insert</> on columns being modified by
<literal>UPDATE</> or <literal>INSERT</>.
</para>
<para>
<synopsis>
UPDATE t1 SET x = 2, y = md5sum(y) WHERE z = 100;
</synopsis>
In this case, it checks <literal>db_column:update</> on the column
<literal>t1.x</> being updated, <literal>db_column:{select update}</>
on the column <literal>t1.y</> being updated and referenced, and
<literal>db_column:select</> on the column <literal>t1.z</>, since that is
only referenced in the <literal>WHERE</> clause.
<literal>db_table:{select update}</> will also be checked <literal>db_table:{select update}</> will also be checked
at the table level. at the table level.
</para> </para>