Reputation: 5222
Postgres: auto-populating an `INSERT` field based on session variable
I have a web app backed by Postgres.
- Each web app request should only read/write data for the current logged-in user.
- Every table with user data has a
user_idcolumn.
I occasionally have bugs where I forget to add user_id = ? to the WHERE clause of an SQL request. To protect against this problem in a general way, I'm looking into Postgres row-level security (article):
- Set a policy on every user data table:
CREATE POLICY table_policy ON table USING (user_id::TEXT = current_setting('app.user_id')) - In the web app, when a request begins, set the current logged-in user ID on the request's connection:
SET app.user_id = ?.
This allows me to completely ignore user_id when writing SELECT and UPDATE requests.
My remaining problem is INSERTs. Is there a way to avoid having to provide user_id on INSERTs?
Upvotes: 3
Views: 264
Answers (1)
Reputation: 7065
Just having a look at the manual :
Existing table rows are checked against the expression specified in USING, while new rows that would be created via INSERT or UPDATE are checked against the expression specified in WITH CHECK
it seems that you just have to add a WITH CHECK clause to your policy in addition of the USING clause, and which will apply to the INSERT and UPDATE statements.
Upvotes: 1
Related Questions
- How Do I Create an "Any Logged-In User" Policy With PostgreSQL Row-Level Security
- How to implement RLS for SELECT and INSERT seperately
- Postgres row level security insert returning
- How to automatically set a field based on another field when inserting a row in PostgreSQL?
- How to make INSERT ... RETURNING statement work when using Row Level Security (RLS)?
- Setting local config in SQL before INSERT
- postgresql row level security with session variable
- How Do I Insert Into a Table With Row Level Security?
- Postgresql Row Level Security Checking new data in WITH CHECK in Policy for INSERT
- PostgreSQL: dynamic row values (?)