bryan-vh
Reputation: 199
Does row-level security (RLS) apply on a join statement?
Given the following (simplified) tables:
users
-----
id (pk)
posts
-----
id (pk)
user_id (fk)
likes
-----
user_id (pk)
post_id (pk)
If I run the following query to get which posts a user (?) liked:
SELECT *
FROM posts p
INNER JOIN likes l
ON l.post_id = p.id
WHERE l.user_id = ?
Would the RLS policy for SELECT on the likes table and posts table both be invoked, or would it only apply to the posts table since that is where we are SELECTing FROM? I'm under the assumptiom that it would apply for both tables, but just wanted to double check and make sure. I'm using PostgreSQL if that makes any difference.
Thanks for any help!
Upvotes: 1
Views: 1416
Answers (1)
Gordon Linoff
Reputation: 1269633
If a user doesn't have permission to see rows in a table, that applies to the entire query, not just to the columns being returned.
Basically, the table (or rows) will be invisible to the user.
Upvotes: 2
Related Questions
- PostgreSQL row-level security involving a view or a select with join
- PostgreSQL RLS explicit Policies
- Row-level-security dual join
- How does row level security (RLS) interact with traditional GRANT roles
- PostgreSQL row-level security involving foreign key with other table
- PostgreSQL RLS is not applied as intended
- Postgresql simple Row-Level Security (RLS)
- Row level security only on SELECT
- PostgreSQL query not using INDEX when RLS (Row Level Security) is enabled
- Row Level Security in Postgres on Normalized Tables