OpenAPI is always showing GET/POST/DELETE/PATCH on tables/views despite permissions

[FrankvdAa]

If a certain user isn't granted access to a certain table or view, it's not shown in the OpenAPI output, which seems correct.

But, views only allow for SELECT queries so why showing also POST/DELETE/PATCH options? Also, if I only allow certain access to a table, I would only expect the corresponding features in OpenAPI output.

Is there a reason that the OpenAPI is always showing GET/POST/DELETE/PATCH features for all tables and views?

[wolfgangwalther]

But, views only allow for SELECT queries

This is not correct. See https://www.postgresql.org/docs/current/rules-views.html#RULES-VIEWS-UPDATE. Views can be made to support INSERT, UPDATE and DELETE.

Is there a reason that the OpenAPI is always showing GET/POST/DELETE/PATCH features for all tables and views?

The only reason is that a more fine-grained output is not implemented, yet. We are unlikely to make major changes to the OpenAPI output right now, because we expect to move it out of core alltogether (see #1698). Once we have solved that, we're in a much better position to improve OpenAPI a lot.

[FrankvdAa]

This is not correct. See https://www.postgresql.org/docs/current/rules-views.html#RULES-VIEWS-UPDATE. Views can be made to support INSERT, UPDATE and DELETE.

Good to know, wasn't aware of that. I'll then just have to wait for #1698 to be completed.

Thanks!

[laurenceisla]

Btw, here are the steps to reproduce this: #2443 (comment)