On Tue, Oct 28, 2025 at 11:06 AM Chao Li <li.evan.chao@gmail.com> wrote:
> > The attached patch did what the $subject says.
> > demo:
> >
> > begin;
> > create role alice login;
> > grant all on schema public to alice;
> > drop table if exists tts;
> > create table tts(a int);
> > grant insert on tts to alice;
> > ALTER TABLE tts ENABLE ROW LEVEL SECURITY;
> > CREATE POLICY p1 ON tts FOR ALL USING (a = 1 or a = 2 or a = 3);
> > commit;
> >
> > SET ROLE alice;
> > insert into tts values (4); --error
> >
> > old ERROR message:
> > ERROR: new row violates row-level security policy for table "tts"
> >
> > new ERROR message:
> > ERROR: new row violates row-level security policy "p1" for table "tts"
> >
> > There are fewer than 10 lines of C code changes, but it turns out that in the
> > regression tests, there are many cases where only one permissive policy exists
> > for INSERT or UPDATE.
> > So the patch is not smaller.
> > <v1-0001-minor-RLS-violation-error-report-enhance.patch>
>
> I agree printing the policy name to the log helps. I tried “make” and “make check”; all passed.
https://cirrus-ci.com/task/5006265459408896?logs=test_world#L145
says test_rls_hooks test failed.
>
> A tiny comment wrt the code comment:
>
> ```
> * since if the check fails it means that no policy granted permission
> * to perform the update, rather than any particular policy being
> * violated.
> + * However, if there is only a single permissive policy clause, we can
> + * include that specific policy name in error reports when the policy is
> + * violated.
> ```
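Review bot: the added sentence says "single permissive policy clause", while the unchanged lines just above it speak of a "policy" granting permission and of a "particular policy being violated"; "only a single permissive policy" would keep the comment's terms consistent. The added "when the policy is violated" also follows context that describes a failed check as no policy granting permission, so "when the check fails" would avoid suggesting two different failure conditions.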
>
> * “However …” doesn’t have to go to a new line. But if you really want that, an empty comment line should be added above “However …”. See the comment of “if” that is right above this piece of code.
>
> * “include that specific policy name” => “include that specific policy’s name”.
>
OK, now the comment is:
* However, if there is only a single permissive policy clause, we can
* include that specific policy’s name in error reports when the policy
* is violated.