@@ -345,42 +345,35 @@ $ sudo semodule -r sepgsql-regtest
345345
346346 <para>
347347 For tables, <literal>db_table:select</>, <literal>db_table:insert</>,
348- <literal>db_table:update</> or <literal>db_table:delete</> is
348+ <literal>db_table:update</> or <literal>db_table:delete</> are
349349 checked for all the referenced target tables depending on the kind of
350- statement;
351- in addition, <literal>db_table:select</> is also checked for
352- all the tables that contain the columns referenced in the
350+ statement; in addition, <literal>db_table:select</> is also checked for
351+ all the tables that contain columns referenced in the
353352 <literal>WHERE</> or <literal>RETURNING</> clause, as a data source
354- of <literal>UPDATE</>, and so on. For example, consider:
355-
356- <synopsis>
357- UPDATE t1 SET x = 2, y = md5sum(y) WHERE z = 100;
358- </synopsis>
359-
360- In this case we must have <literal>db_table:select</> in addition to
361- <literal>db_table:update</>, because <literal>t1.a</> is referenced
362- within the <literal>WHERE</> clause. Column-level permissions will also be
363- checked for each referenced column.
353+ for <literal>UPDATE</>, and so on.
364354 </para>
365355
366356 <para>
367- For columns, <literal>db_column:select</> is checked on
368- not only the columns being read using <literal>SELECT </>, but those being
369- referenced in other DML statements.
370- Of course, it also checks <literal>db_column:update</> or
371- <literal>db_column:insert</> on columns being modified by
372- <literal>UPDATE</> or <literal> INSERT</>.
357+ Column-level permissions will also be checked for each referenced column.
358+ <literal>db_column:select </> is checked on not only the columns being
359+ read using <literal>SELECT</>, but those being referenced in other DML
360+ statements; <literal>db_column:update</> or <literal>db_column:insert</>
361+ will also be checked for columns being modified by <literal>UPDATE</> or
362+ <literal>INSERT</>.
373363 </para>
374364
375365 <para>
366+ For example, consider:
376367<synopsis>
377368UPDATE t1 SET x = 2, y = md5sum(y) WHERE z = 100;
378369</synopsis>
379- In this case, it checks <literal>db_column:update</> on the column
380- <literal>t1.x</> being updated, <literal>db_column:{select update}</>
381- on the column <literal>t1.y</> being updated and referenced, and
382- <literal>db_column:select</> on the column <literal>t1.z</>, since that is
383- only referenced in the <literal>WHERE</> clause.
370+
371+ Here, <literal>db_column:update</> will be checked for
372+ <literal>t1.x</>, since it is being updated,
373+ <literal>db_column:{select update}</> will be checked for
374+ <literal>t1.y</>, since it is both updated and referenced, and
375+ <literal>db_column:select</> will be checked for <literal>t1.z</>, since
376+ it is only referenced.
384377 <literal>db_table:{select update}</> will also be checked
385378 at the table level.
386379 </para>
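Review bot: the added line `<literal>db_column:select </>` carries a trailing space inside the literal, which will render as "db_column:select " with a stray space before the next word; drop it so it matches `<literal>db_column:update</>` two lines later (the hunk already removes the same kind of stray space from the old `<literal> INSERT</>`, so this one looks like an oversight). Secondary wording point on the same sentence: "is checked on not only the columns being read using SELECT, but those being referenced in other DML statements" is awkward; "is checked not only on the columns being read using SELECT, but also on those referenced in other DML statements" reads cleanly. Finally, the retained synopsis `UPDATE t1 SET x = 2, y = md5sum(y) WHERE z = 100;` calls md5sum(), which is not a PostgreSQL built-in (the built-in is md5()); the sepgsql checks described do not depend on which function is called, but since the example is meant to be read as a statement a user could run, consider md5(y).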