Challenge - 5 Problems

🎖️

Row-level Security Master

Get all challenges correct to earn this badge!

Test your skills under time pressure!

❓ query_result

intermediate

2:00remaining

Output of a simple RLS policy query

Given a table employees with columns id, name, and department, and a row-level security policy that allows users to see only rows where department = current_setting('app.current_department'), what will be the output of the following query if app.current_department is set to 'Sales'?

SELECT name FROM employees ORDER BY id;

PostgreSQL

CREATE TABLE employees (id SERIAL PRIMARY KEY, name TEXT, department TEXT);
INSERT INTO employees (name, department) VALUES
('Alice', 'Sales'),
('Bob', 'HR'),
('Charlie', 'Sales');
ALTER TABLE employees ENABLE ROW LEVEL SECURITY;
CREATE POLICY sales_only ON employees FOR SELECT TO public USING (department = current_setting('app.current_department'));
SET app.current_department = 'Sales';

ABob

Alice
Bob
Charlie

Alice
Charlie

DNo rows returned

Attempts:

2 left

🧠 Conceptual

intermediate

2:00remaining

Understanding RLS policy effect on UPDATE

Consider a table documents with a row-level security policy that allows UPDATE only if owner = current_user. What happens if a user tries to update a row where owner is different from their username?

PostgreSQL

CREATE TABLE documents (id SERIAL PRIMARY KEY, content TEXT, owner TEXT);
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
CREATE POLICY owner_update ON documents FOR UPDATE TO public USING (owner = current_user);

AThe update succeeds only if the user owns the row; otherwise, no rows are updated.

BThe update succeeds for all rows regardless of ownership.

CThe update causes a syntax error due to policy conflict.

DThe update silently ignores the policy and updates all rows.

Attempts:

2 left

📝 Syntax

advanced

2:00remaining

Identify the syntax error in RLS policy creation

Which option contains a syntax error when creating a row-level security policy in PostgreSQL?

ACREATE POLICY user_insert ON orders FOR INSERT TO public WITH CHECK (user_id = current_user);

BCREATE POLICY user_update ON orders FOR UPDATE TO public USING (user_id = current_user);

CCREATE POLICY user_select ON orders FOR SELECT TO public USING (user_id = current_user);

DCREATE POLICY user_delete ON orders FOR DELETE TO public USING (user_id = current_user);

Attempts:

2 left

❓ optimization

advanced

2:00remaining

Optimizing RLS policy for performance

You have a large sales table with a row-level security policy filtering rows by region. Which approach improves query performance when using RLS?

ACreate an index on the <code>region</code> column to speed up filtering.

BDisable RLS and filter rows in the application code instead.

CAdd a trigger to copy rows to a separate table per region.

DUse a complex function in the policy condition to check region.

Attempts:

2 left

🔧 Debug

expert

2:00remaining

Why does this RLS policy not restrict access as expected?

A table projects has RLS enabled with this policy:

CREATE POLICY project_access ON projects FOR SELECT TO public USING (owner = current_user);

However, users can still see all rows. What is the most likely reason?

PostgreSQL

ALTER TABLE projects ENABLE ROW LEVEL SECURITY;

ARow-level security is enabled, but the policy is not applied because <code>ALTER TABLE projects FORCE ROW LEVEL SECURITY</code> was not run.

BRow-level security is enabled, but the user has the <code>bypassrls</code> role attribute.

CThe policy condition is incorrect; it should use <code>owner = session_user</code> instead of <code>current_user</code>.

DRow-level security is enabled, but the table is missing a primary key.

Attempts:

2 left