WITH CHECK OPTION support for auto-updatable VIEWs

For simple views which are automatically updatable, this patch allows
the user to specify what level of checking should be done on records
being inserted or updated.  For 'LOCAL CHECK', new tuples are validated
against the conditionals of the view they are being inserted into, while
for 'CASCADED CHECK' the new tuples are validated against the
conditionals for all views involved (from the top down).

This option is part of the SQL specification.

Dean Rasheed, reviewed by Pavel Stehule

Author: sfrost

doc/src/sgml/ref/alter_view.sgml

@@ -28,6 +28,11 @@ ALTER VIEW [ IF EXISTS ] <replaceable class="parameter">name</replaceable> RENAM
 ALTER VIEW [ IF EXISTS ] <replaceable class="parameter">name</replaceable> SET SCHEMA <replaceable class="parameter">new_schema</replaceable>
 ALTER VIEW [ IF EXISTS ] <replaceable class="parameter">name</replaceable> SET ( <replaceable class="parameter">view_option_name</replaceable> [= <replaceable class="parameter">view_option_value</replaceable>] [, ... ] )
 ALTER VIEW [ IF EXISTS ] <replaceable class="parameter">name</replaceable> RESET ( <replaceable class="parameter">view_option_name</replaceable> [, ... ] )
+
+<phrase>where <replaceable class="parameter">view_option_name</replaceable> can be one of:</phrase>
+
+    security_barrier [ <replaceable class="parameter">boolean</replaceable> ]
+    check_option [ <replaceable class="parameter">text</replaceable> (<literal>local</literal> or <literal>cascaded</literal>) ]
 </synopsis>
  </refsynopsisdiv>
 

doc/src/sgml/ref/create_view.sgml

@@ -24,6 +24,12 @@ PostgreSQL documentation
 CREATE [ OR REPLACE ] [ TEMP | TEMPORARY ] [ RECURSIVE ] VIEW <replaceable class="PARAMETER">name</replaceable> [ ( <replaceable class="PARAMETER">column_name</replaceable> [, ...] ) ]
     [ WITH ( <replaceable class="PARAMETER">view_option_name</replaceable> [= <replaceable class="PARAMETER">view_option_value</replaceable>] [, ... ] ) ]
     AS <replaceable class="PARAMETER">query</replaceable>
+    [ WITH [ CASCADED | LOCAL ] CHECK OPTION ]
+
+<phrase>where <replaceable class="parameter">view_option_name</replaceable> can be one of:</phrase>
+
+    security_barrier [ <replaceable class="parameter">boolean</replaceable> ]
+    check_option [ <replaceable class="parameter">text</replaceable> (<literal>local</literal> or <literal>cascaded</literal>) ]
 </synopsis>
  </refsynopsisdiv>
 
@@ -120,10 +126,33 @@ CREATE VIEW <replaceable>name</> AS WITH RECURSIVE <replaceable>name</> (<replac
     <term><literal>WITH ( <replaceable class="PARAMETER">view_option_name</replaceable> [= <replaceable class="PARAMETER">view_option_value</replaceable>] [, ... ] )</literal></term>
     <listitem>
      <para>
-      This clause specifies optional parameters for a view; currently, the
-      only supported parameter name is <literal>security_barrier</literal>,
-      which should be enabled when a view is intended to provide row-level
-      security.  See <xref linkend="rules-privileges"> for full details.
+      This clause specifies optional parameters for a view; the following
+      parameters are supported:
+
+      <variablelist>
+       <varlistentry>
+        <term><literal>security_barrier(boolean)</literal></term>
+        <listitem>
+         <para>
+          This should be used if the view is intended to provide row-level
+          security.  See <xref linkend="rules-privileges"> for full details.
+         </para>
+        </listitem>
+       </varlistentry>
+
+       <varlistentry>
+        <term><literal>check_option(text)</literal></term>
+        <listitem>
+         <para>
+          This parameter may be either <literal>local</> or
+          <literal>cascaded</>, and is equivalent to specifying
+          <literal>WITH [ CASCADED | LOCAL ] CHECK OPTION</> (see below).
+          This option can be changed on existing views using <xref
+          linkend="sql-alterview">.
+         </para>
+        </listitem>
+       </varlistentry>
+      </variablelist>
      </para>
     </listitem>
    </varlistentry>
@@ -138,6 +167,77 @@ CREATE VIEW <replaceable>name</> AS WITH RECURSIVE <replaceable>name</> (<replac
      </para>
     </listitem>
    </varlistentry>
+
+   <varlistentry>
+    <term><literal>WITH [ CASCADED | LOCAL ] CHECK OPTION</literal></term>
+    <listitem>
+     <para>
+      <indexterm zone="SQL-CREATEVIEW">
+       <primary>CHECK OPTION</primary>
+      </indexterm>
+      <indexterm zone="SQL-CREATEVIEW">
+       <primary>WITH CHECK OPTION</primary>
+      </indexterm>
+      This option controls the behavior of automatically updatable views.  When
+      this option is specified, <command>INSERT</> and <command>UPDATE</>
+      commands on the view will be checked to ensure that new rows satisfy the
+      view-defining condition (that is, the new rows are checked to ensure that
+      they are visible through the view).  If they are not, the update will be
+      rejected.  If the <literal>CHECK OPTION</> is not specified,
+      <command>INSERT</> and <command>UPDATE</> commands on the view are
+      allowed to create rows that are not visible through the view.  The
+      following check options are supported:
+
+      <variablelist>
+       <varlistentry>
+        <term><literal>LOCAL</literal></term>
+        <listitem>
+         <para>
+          New rows are only checked against the conditions defined directly in
+          the view itself.  Any conditions defined on underlying base views are
+          not checked (unless they also specify the <literal>CHECK OPTION</>).
+         </para>
+        </listitem>
+       </varlistentry>
+
+       <varlistentry>
+        <term><literal>CASCADED</literal></term>
+        <listitem>
+         <para>
+          New rows are checked against the conditions of the view and all
+          underlying base views.  If the <literal>CHECK OPTION</> is specified,
+          and neither <literal>LOCAL</> nor <literal>CASCADED</> is specified,
+          then <literal>CASCADED</> is assumed.
+         </para>
+        </listitem>
+       </varlistentry>
+      </variablelist>
+     </para>
+
+     <para>
+      The <literal>CHECK OPTION</> may not be used with <literal>RECURSIVE</>
+      views.
+     </para>
+
+     <para>
+      Note that the <literal>CHECK OPTION</> is only supported on views that
+      are automatically updatable, and do not have <literal>INSTEAD OF</>
+      triggers or <literal>INSTEAD</> rules.  If an automatically updatable
+      view is defined on top of a base view that has <literal>INSTEAD OF</>
+      triggers, then the <literal>LOCAL CHECK OPTION</> may be used to check
+      the conditions on the automatically updatable view, but the conditions
+      on the base view with <literal>INSTEAD OF</> triggers will not be
+      checked (a cascaded check option will not cascade down to a
+      trigger-updatable view, and any check options defined directly on a
+      trigger-updatable view will be ignored).  If the view or any of its base
+      relations has an <literal>INSTEAD</> rule that causes the
+      <command>INSERT</> or <command>UPDATE</> command to be rewritten, then
+      all check options will be ignored in the rewritten query, including any
+      checks from automatically updatable views defined on top of the relation
+      with the <literal>INSTEAD</> rule.
+     </para>
+    </listitem>
+   </varlistentry>
   </variablelist>
  </refsect1>
 
@@ -256,7 +356,9 @@ CREATE VIEW vista AS SELECT text 'Hello World' AS hello;
     condition, and thus is no longer visible through the view.  Similarly,
     an <command>INSERT</> command can potentially insert base-relation rows
     that do not satisfy the <literal>WHERE</> condition and thus are not
-    visible through the view.
+    visible through the view.  The <literal>CHECK OPTION</> may be used to
+    prevent <command>INSERT</> and <command>UPDATE</> commands from creating
+    such rows that are not visible through the view.
    </para>
 
    <para>
@@ -300,6 +402,38 @@ CREATE VIEW comedies AS
    the table will not be part of the view.
   </para>
 
+  <para>
+   Create a view with <literal>LOCAL CHECK OPTION</>:
+
+<programlisting>
+CREATE VIEW universal_comedies AS
+    SELECT *
+    FROM comedies
+    WHERE classification = 'U'
+    WITH LOCAL CHECK OPTION;
+</programlisting>
+   This will create a view based on the <literal>comedies</> view, showing
+   only films with <literal>kind = 'Comedy'</> and
+   <literal>classification = 'U'</>. Any attempt to <command>INSERT</> or
+   <command>UPDATE</> a row in the view will be rejected if the new row
+   doesn't have <literal>classification = 'U'</>, but the film
+   <literal>kind</> will not be checked.
+  </para>
+
+  <para>
+   Create a view with <literal>CASCADED CHECK OPTION</>:
+
+<programlisting>
+CREATE VIEW pg_comedies AS
+    SELECT *
+    FROM comedies
+    WHERE classification = 'PG'
+    WITH CASCADED CHECK OPTION;
+</programlisting>
+   This will create a view that checks both the <literal>kind</> and
+   <literal>classification</> of new rows.
+  </para>
+
   <para>
    Create a recursive view consisting of the numbers from 1 to 100:
 <programlisting>
@@ -313,64 +447,11 @@ UNION ALL
  <refsect1>
   <title>Compatibility</title>
 
-  <para>
-   The SQL standard specifies some additional capabilities for the
-   <command>CREATE VIEW</command> statement:
-<synopsis>
-CREATE VIEW <replaceable class="parameter">name</replaceable> [ ( <replaceable class="parameter">column_name</replaceable> [, ...] ) ]
-    AS <replaceable class="PARAMETER">query</replaceable>
-    [ WITH [ CASCADED | LOCAL ] CHECK OPTION ]
-</synopsis>
-  </para>
-
-  <para>
-   The optional clauses for the full SQL command are:
-
-   <variablelist>
-     <varlistentry>
-      <term><literal>CHECK OPTION</literal></term>
-      <listitem>
-       <para>
-        This option controls the behavior of automatically updatable views.
-        When given, <command>INSERT</> and <command>UPDATE</> commands on
-        the view will be checked to ensure new rows satisfy the
-        view-defining condition (that is, the new rows would be visible
-        through the view). If they do not, the update will be rejected.
-        Without <literal>CHECK OPTION</literal>, <command>INSERT</> and
-        <command>UPDATE</> commands on the view are allowed to create rows
-        that are not visible through the view.  (The latter behavior is the
-        only one currently provided by <productname>PostgreSQL</>.)
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry>
-      <term><literal>LOCAL</literal></term>
-      <listitem>
-       <para>
-        Check for integrity on this view.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry>
-      <term><literal>CASCADED</literal></term>
-      <listitem>
-       <para>
-        Check for integrity on this view and on any dependent
-        view. <literal>CASCADED</> is assumed if neither
-        <literal>CASCADED</> nor <literal>LOCAL</> is specified.
-       </para>
-      </listitem>
-     </varlistentry>
-   </variablelist>
-  </para>
-
   <para>
    <command>CREATE OR REPLACE VIEW</command> is a
    <productname>PostgreSQL</productname> language extension.
    So is the concept of a temporary view.
-   The <literal>WITH</> clause is an extension as well.
+   The <literal>WITH ( ... )</> clause is an extension as well.
   </para>
  </refsect1>
 

src/backend/access/common/reloptions.c

@@ -24,6 +24,7 @@
 #include "catalog/pg_type.h"
 #include "commands/defrem.h"
 #include "commands/tablespace.h"
+#include "commands/view.h"
 #include "nodes/makefuncs.h"
 #include "utils/array.h"
 #include "utils/attoptcache.h"
@@ -248,6 +249,17 @@ static relopt_string stringRelOpts[] =
 		gistValidateBufferingOption,
 		"auto"
 	},
+	{
+		{
+			"check_option",
+			"View has WITH CHECK OPTION defined (local or cascaded).",
+			RELOPT_KIND_VIEW
+		},
+		0,
+		true,
+		validateWithCheckOption,
+		NULL
+	},
 	/* list terminator */
 	{{NULL}}
 };
@@ -1152,6 +1164,8 @@ default_reloptions(Datum reloptions, bool validate, relopt_kind kind)
 		offsetof(StdRdOptions, autovacuum) +offsetof(AutoVacOpts, analyze_scale_factor)},
 		{"security_barrier", RELOPT_TYPE_BOOL,
 		offsetof(StdRdOptions, security_barrier)},
+		{"check_option", RELOPT_TYPE_STRING,
+		offsetof(StdRdOptions, check_option_offset)},
 	};
 
 	options = parseRelOptions(reloptions, validate, kind, &numoptions);

src/backend/catalog/information_schema.sql

@@ -2494,7 +2494,13 @@ CREATE VIEW views AS
                   ELSE null END
              AS character_data) AS view_definition,
 
-           CAST('NONE' AS character_data) AS check_option,
+           CAST(
+             CASE WHEN 'check_option=cascaded' = ANY (c.reloptions)
+                  THEN 'CASCADED'
+                  WHEN 'check_option=local' = ANY (c.reloptions)
+                  THEN 'LOCAL'
+                  ELSE 'NONE' END
+             AS character_data) AS check_option,
 
            CAST(
              -- (1 << CMD_UPDATE) + (1 << CMD_DELETE)

src/backend/catalog/sql_features.txt

@@ -227,7 +227,7 @@ F311	Schema definition statement			NO
 F311	Schema definition statement	01	CREATE SCHEMA	YES	
 F311	Schema definition statement	02	CREATE TABLE for persistent base tables	YES	
 F311	Schema definition statement	03	CREATE VIEW	YES	
-F311	Schema definition statement	04	CREATE VIEW: WITH CHECK OPTION	NO	
+F311	Schema definition statement	04	CREATE VIEW: WITH CHECK OPTION	YES	
 F311	Schema definition statement	05	GRANT statement	YES	
 F312	MERGE statement			NO	
 F313	Enhanced MERGE statement			NO	
@@ -301,7 +301,7 @@ F711	ALTER domain			YES
 F721	Deferrable constraints			NO	foreign and unique keys only
 F731	INSERT column privileges			YES	
 F741	Referential MATCH types			NO	no partial match yet
-F751	View CHECK enhancements			NO	
+F751	View CHECK enhancements			YES	
 F761	Session management			YES	
 F762	CURRENT_CATALOG			YES	
 F763	CURRENT_SCHEMA			YES	

src/backend/commands/tablecmds.c

@@ -8774,6 +8774,42 @@ ATExecSetRelOptions(Relation rel, List *defList, AlterTableType operation,
 			break;
 	}
 
+	/* Special-case validation of view options */
+	if (rel->rd_rel->relkind == RELKIND_VIEW)
+	{
+		Query	   *view_query = get_view_query(rel);
+		List	   *view_options = untransformRelOptions(newOptions);
+		ListCell   *cell;
+		bool		check_option = false;
+		bool		security_barrier = false;
+
+		foreach(cell, view_options)
+		{
+			DefElem    *defel = (DefElem *) lfirst(cell);
+
+			if (pg_strcasecmp(defel->defname, "check_option") == 0)
+				check_option = true;
+			if (pg_strcasecmp(defel->defname, "security_barrier") == 0)
+				security_barrier = defGetBoolean(defel);
+		}
+
+		/*
+		 * If the check option is specified, look to see if the view is
+		 * actually auto-updatable or not.
+		 */
+		if (check_option)
+		{   
+			const char *view_updatable_error =
+				view_query_is_auto_updatable(view_query, security_barrier);
+
+			if (view_updatable_error)
+				ereport(ERROR,
+						(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+						errmsg("WITH CHECK OPTION is supported only on auto-updatable views"),
+						errhint("%s", view_updatable_error)));
+		}
+	}
+
 	/*
 	 * All we need do here is update the pg_class row; the new options will be
 	 * propagated into relcaches during post-commit cache inval.