
From a security point of view, are the following policy implementations equivalent?

Implicit:

CREATE POLICY test_access_policy ON test
  TO PUBLIC
  USING (id = (current_setting('rls.id'::TEXT)))
  WITH CHECK (TRUE);

Explicit:

CREATE POLICY test_insert_policy ON test
  FOR INSERT TO PUBLIC
  WITH CHECK (TRUE);

CREATE POLICY test_select_policy ON test
  FOR SELECT TO PUBLIC
  USING (id = (current_setting('rls.id'::TEXT)));

CREATE POLICY test_update_policy ON test
  FOR UPDATE TO PUBLIC
  USING (id = (current_setting('rls.id'::TEXT)));

CREATE POLICY test_delete_policy ON test
  FOR DELETE TO PUBLIC
  USING (id = (current_setting('rls.id'::TEXT)));

My concern is the update policy; as the documentation states:

Any rows whose updated values do not pass the WITH CHECK expression will cause an error, and the entire command will be aborted. If only a USING clause is specified, then that clause will be used for both the USING and the WITH CHECK cases.

As I understand it, the update policy equivalent to the implicit (one-liner) version is:

CREATE POLICY test_update_policy ON test
  FOR UPDATE TO PUBLIC
  USING (id = (current_setting('rls.id'::TEXT))) WITH CHECK (TRUE);

while the explicit version is:

CREATE POLICY test_update_policy ON test
  FOR UPDATE TO PUBLIC
  USING (id = (current_setting('rls.id'::TEXT))) WITH CHECK (id = (current_setting('rls.id'::TEXT)));

After testing both cases I have not found any security breach; am I missing something?


1 Answer


Your interpretation is correct: you have to add WITH CHECK (TRUE) to the FOR UPDATE policy to get an equivalent definition.

The difference is that WITH CHECK (TRUE) allows you to change the values to anything, whereas without it you get an error if the new row version does not match the condition.

answered 2021-11-18T10:11:45.360
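The following psql session is an added example, not code from the question or the answer, that shows the two FOR UPDATE variants side by side. It assumes a PostgreSQL server, a throwaway table `test` whose `id` column is `text` (so it compares directly with the text value that `current_setting()` returns), and a non-owner role `app_user` that RLS is actually enforced against; all of these names and the sample rows are constructed for the demonstration.

```sql
-- Added example: USING-only versus USING + WITH CHECK (TRUE) on an UPDATE policy.
-- Assumed setup (not from the original post): table "test", role "app_user",
-- id stored as text; run as a superuser so SET ROLE / DROP POLICY are allowed.
CREATE TABLE test (id text PRIMARY KEY, payload text);
ALTER TABLE test ENABLE ROW LEVEL SECURITY;
CREATE ROLE app_user;
GRANT SELECT, INSERT, UPDATE, DELETE ON test TO app_user;
INSERT INTO test VALUES ('alice', 'a'), ('bob', 'b');   -- constructed sample rows

-- SELECT policy: an UPDATE with a WHERE clause also has to read the old row.
CREATE POLICY test_select_policy ON test
  FOR SELECT TO PUBLIC
  USING (id = current_setting('rls.id'::TEXT));

-- Variant 1 (explicit form from the question): USING only.
-- With no WITH CHECK clause, the USING expression is also applied to the new row.
CREATE POLICY test_update_policy ON test
  FOR UPDATE TO PUBLIC
  USING (id = current_setting('rls.id'::TEXT));

SET ROLE app_user;
SET rls.id = 'alice';
-- Allowed: the new row still has id = 'alice', so it passes the implied WITH CHECK.
UPDATE test SET payload = 'changed' WHERE id = 'alice';
-- Rejected: the new row has id = 'bob', which fails the implied WITH CHECK:
--   ERROR:  new row violates row-level security policy for table "test"
UPDATE test SET id = 'bob' WHERE id = 'alice';
RESET ROLE;

-- Variant 2 (what the one-liner policy expands to): USING for the old row,
-- WITH CHECK (TRUE) for the new row, i.e. the new row is never checked.
DROP POLICY test_update_policy ON test;
CREATE POLICY test_update_policy ON test
  FOR UPDATE TO PUBLIC
  USING (id = current_setting('rls.id'::TEXT))
  WITH CHECK (TRUE);

SET ROLE app_user;
SET rls.id = 'alice';
-- Succeeds: alice may rewrite her own row to any id, including one she can no
-- longer see afterwards (SELECT below returns no rows for her).
UPDATE test SET id = 'carol' WHERE id = 'alice';
SELECT * FROM test;
RESET ROLE;
```

The second `UPDATE` in Variant 1 is the case the documentation quote in the question describes: the old row passes `USING`, but the updated row fails the `WITH CHECK` that was copied from `USING`, so the whole statement is aborted. Variant 2 is where the two definitions differ: `WITH CHECK (TRUE)` lets a user re-key a row out of their own scope, which is the behaviour to decide on deliberately rather than inherit from the one-liner.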