RLS and Full-Text Search - LEAKPROOF matters

When Row-Level Security (RLS) is enabled on a table, PostgreSQL must guarantee that no user-supplied predicate is evaluated against rows the user is not allowed to see. Concretely, the RLS-derived filter is enforced before any user-provided condition. If PostgreSQL were to apply a user’s condition first, for example:

    SELECT findings.id
    FROM findings
    WHERE tenant_id = '81884830-05c9-4178-aef6-d3e2a5e70284'
      AND text_search @@ to_tsquery('secret');

it could inadvertently reveal whether hidden rows match that condition. To prevent this, PostgreSQL only allows user predicates to be “pushed down” into an index scan if they are marked LEAKPROOF, i.e., proven never to leak information about rows. ...
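To check this on your own database, the following added example (not code from the original post) looks up whether the function behind `@@` is marked LEAKPROOF and then shows where the planner places the full-text condition under an RLS policy. Only `findings`, `id`, `tenant_id` and `text_search` come from the page; the column types, the index and policy names, and the `app.tenant_id` session setting are assumptions.

```sql
-- Constructed schema: column types are assumed, not taken from the post.
CREATE TABLE findings (
    id          uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id   uuid NOT NULL,
    text_search tsvector NOT NULL
);
CREATE INDEX findings_text_search_gin ON findings USING gin (text_search);

ALTER TABLE findings ENABLE ROW LEVEL SECURITY;
-- FORCE makes the table owner subject to the policy as well.
ALTER TABLE findings FORCE ROW LEVEL SECURITY;

-- Hypothetical policy: the tenant is read from a custom session setting.
CREATE POLICY tenant_isolation ON findings
    USING (tenant_id = current_setting('app.tenant_id')::uuid);

-- 1. Is the function implementing "tsvector @@ tsquery" marked LEAKPROOF?
--    proleakproof = false means the planner may not evaluate it on a row
--    before the policy qual has accepted that row.
SELECT o.oprname,
       o.oprcode      AS implementing_function,
       p.proleakproof
FROM pg_operator o
JOIN pg_proc p ON p.oid = o.oprcode
WHERE o.oprname  = '@@'
  AND o.oprleft  = 'tsvector'::regtype
  AND o.oprright = 'tsquery'::regtype;

-- 2. Inspect the plan as a role that is neither superuser nor BYPASSRLS
--    (both skip RLS entirely). Check whether the @@ condition appears as an
--    "Index Cond" on the GIN index or only as a "Filter" applied after the
--    tenant_id qual from the policy.
SET app.tenant_id = '81884830-05c9-4178-aef6-d3e2a5e70284';
EXPLAIN (COSTS OFF)
SELECT id
FROM findings
WHERE text_search @@ to_tsquery('secret');
```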

December 1, 2024 · 3 min · Me