@@ -350,9 +350,18 @@ CREATE [ OR REPLACE ] FUNCTION
350
350
effects. It reveals no information about its arguments other than by
351
351
its return value. For example, a function which throws an error message
352
352
for some argument values but not others, or which includes the argument
353
- values in any error message, is not leakproof. The query planner may
354
- push leakproof functions (but not others) into views created with the
355
- <literal>security_barrier</literal> option. See
353
+ values in any error message, is not leakproof. This affects how the
354
+ system executes queries against views created with the
355
+ <literal>security_barrier</literal> option or tables with row level
356
+ security enabled. The system will enforce conditions from security
357
+ policies and security barrier views before any user-supplied conditions
358
+ from the query itself that contain non-leakproof functions, in order to
359
+ prevent the inadvertent exposure of data. Functions and operators
360
+ marked as leakproof are assumed to be trustworthy, and may be executed
361
+ before conditions from security policies and security barrier views.
362
+ In addtion, functions which do not take arguments or which are not
363
+ passed any arguments from the security barrier view or table do not have
364
+ to be marked as leakproof to be executed before security conditions. See
356
365
<xref linkend="sql-createview"> and <xref linkend="rules-privileges">.
357
366
This option can only be set by the superuser.
358
367
</para>
0 commit comments