Enforce INSERT RLS checks for FOR PORTION OF leftovers?

First seen: 2026-05-01 18:53:04+00:00 · Messages: 3 · Participants: 2

Latest Update

2026-05-18 · claude-opus-4-6

Incremental Update: Paul Jungwirth (FOR PORTION OF author) Responds

Paul Jungwirth, the author of the FOR PORTION OF implementation, has weighed in and taken a clear position against treating this as a bug. This is the first substantive response from a committer/feature-author.

Key Arguments

  1. Consistency with ACL skip: Paul argues that since the SQL standard motivates skipping INSERT ACL checks for leftovers, RLS INSERT checks should be skipped for the same reason — consistency between the two enforcement layers.

  2. Semantic argument — leftovers aren't "new" data: His core rationale is that leftover tuples are not introducing new information into the table; they are preserving existing history that was already present before the statement executed. The row already existed and satisfied whatever policies were in place when it was originally inserted. The leftover is just the untouched portion being re-materialized. From this perspective, applying INSERT WITH CHECK to leftovers would be checking data that already passed its policy gate.

Significance

This directly contradicts the original author's position that ACL and RLS have fundamentally different semantics (ACL = privilege to perform an action; RLS = data-shape invariant). Paul's framing rejects the "data-shape invariant" characterization for leftovers specifically because the data shape isn't changing — only the physical row boundaries are.

Proposed Resolution

Paul offers to write a documentation patch making explicit that FOR PORTION OF leftovers bypass both ACL and RLS INSERT checks, and asks whether anyone disagrees with the behavioral decision.

Open Technical Tension

The unresolved question is whether Paul's "preserving existing history" argument holds in all cases. Consider: if an INSERT policy was added after the original row was inserted (or if ALTER POLICY tightened constraints), the existing row might not satisfy current INSERT WITH CHECK conditions. The leftover re-insert silently perpetuates data that would be forbidden by today's policies. Whether this matters depends on whether one views INSERT RLS as a gate-at-time-of-creation or a persistent invariant — a philosophical distinction the thread has not yet resolved.