3

I've got a table with row level permissions enabled. I've got an insert policy for my user, and I've granted permissions for them on specific columns. I added a new column to track the id of whoever inserts columns, and populate it with a BEFORE INSERT trigger.

Boiled down to the relevant parts, my table setup looks like this:

CREATE TABLE "MyTable" (
"MyId" SERIAL PRIMARY KEY,
"SomeData" NOT NULL TEXT,
"CreatedById" UUID NOT NULL
);

-- Trigger Function
CREATE FUNCTION "SetCreatedById_tr"() RETURNS TRIGGER AS $$
BEGIN
    IF current_user_id() IS NULL THEN
      RAISE EXCEPTION 'current_user_id() is NULL';
    END IF;

    NEW."CreatedById" = current_user_id(); -- Why does this work when myUser doesn't have an insert policy for "CreatedById"
    RETURN NEW;
END;
$$ LANGUAGE plpgsql VOLATILE SECURITY INVOKER;

-- BEFORE INSERT Trigger
CREATE TRIGGER "CreatedById_tr" 
    BEFORE INSERT ON "MyTable" 
    FOR EACH ROW EXECUTE FUNCTION "SetCreatedById_tr"();

-- ROW LEVEL SECURITY
ALTER TABLE "MyTable" ENABLE ROW LEVEL SECURITY;

-- POLICIES
CREATE POLICY "myUser_Insert_MyTable" ON "MyTable" FOR INSERT TO myUser WITH CHECK ("UserId" = current_user_id());
GRANT INSERT ("SomeData") ON TABLE "MyTable" TO myUser;
GRANT USAGE ON SEQUENCE "MyTable_MyId_seq" TO myUser;

When I added this feature, I notably forgot to add the "CreatedById" column to the GRANT permissions, but to my surprise, it worked anyways, which I find deeply concerning. Shouldn't the insert fail because the trigger function updated a column for which the user doesn't have the appropriate permissions? Shouldn't the SECURITY INVOKER on the trigger function mean the resulting INSERT is still constrained by the GRANT?

As it currently is set up, if 'myUser' executes this:

INSERT INTO "MyTable" ("SomeData") VALUES (input.*) RETURNING * INTO newRow;

The trigger successfully inserts the CreatedById.

However in that case I'd think this would also work:

INSERT INTO "MyTable" ("SomeData" "CreatedById") VALUES (input.*) RETURNING * INTO newRow;

But this errors as we should expect with "permission denied for table MyTable"

Improve this question
5
  • 1
    GRANT INSERT adds a permission, it does not create a policy. Commented Sep 12, 2024 at 0:21
  • Sorry if I didn't speak precisely. While I don't think it answers my question, what I get from this comment is that perhaps the subject should be updated to: Postgres Permissions violated by before-insert trigger function? Commented Sep 12, 2024 at 0:28
  • Yes, that was the intention, thanks for the edit. Using the right term creates better visibility for the question. I don't know the answer myself (that's why I didn't post one), but you've got me curious :) Commented Sep 12, 2024 at 0:35
  • Maybe off-topic, but why a trigger instead of a generated column? Commented Sep 12, 2024 at 3:26
  • Hmm, generated columns are a new concept to me. I just tried for a while but couldn't get it to work. It doesn't seem like I could ALTER COLUMN to make it a generated column, so I figured I'd need to rename my current column then do something like ALTER TABLE "MyTable" ADD COLUMN "CreatedById" UUID GENERATED ALWAYS AS (current_user_id()) STORED; But then I get errors that current_user_id() isn't immutable (it uses current_setting to get JWT data )... In any case, I use triggers for several things, and I want to know if they are violating permissions elsewhere, too. Commented Sep 12, 2024 at 6:46

1 Answer 1

Reset to default
1

The column privileges on the table only guarantee that the user is denied the right to insert "CreatedById" explicitly. Privileges are checked before the statement is executed: they only restrict which statements you are allowed to run, but they don't restrict what happens during query execution or what values are stored in the table.

To execute control over the data that get inserted, you use AFTER triggers or row-level security.

So everything is working as it should: the user cannot explicitly set "CreatedById", and the policy guarantees that the data inserted comply with the policy.

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

So the idea is that a user without the column permission also could not create such a trigger on the table?
@Bergi Only that table owner or a user that has been granted TRIGGER on the table (don't ever do that!) can create a trigger on the table.
Ok, so it seems like this would be the "accepted answer" for this question, and it's basically saying that I shouldn't expect / can't force trigger functions to abide by the permissions granted to the user that triggered them?
Right. Permissions constrain a statement, not a trigger triggered by that statement.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.