Diffstat (limited to 'src')
-rw-r--r--src/backend/commands/policy.c8
-rw-r--r--src/backend/parser/parse_agg.c10
-rw-r--r--src/backend/parser/parse_expr.c3
-rw-r--r--src/include/parser/parse_node.h3
-rw-r--r--src/test/modules/test_rls_hooks/test_rls_hooks.c4
-rw-r--r--src/test/regress/expected/rowsecurity.out9
-rw-r--r--src/test/regress/sql/rowsecurity.sql9
7 files changed, 39 insertions, 7 deletions
diff --git a/src/backend/commands/policy.c b/src/backend/commands/policy.c
index d8b43908ec4..bcf4a8f35d1 100644
--- a/src/backend/commands/policy.c
+++ b/src/backend/commands/policy.c
@@ -534,12 +534,12 @@ CreatePolicy(CreatePolicyStmt *stmt)
qual = transformWhereClause(qual_pstate,
copyObject(stmt->qual),
- EXPR_KIND_WHERE,
+ EXPR_KIND_POLICY,
"POLICY");
with_check_qual = transformWhereClause(with_check_pstate,
copyObject(stmt->with_check),
- EXPR_KIND_WHERE,
+ EXPR_KIND_POLICY,
"POLICY");
/* Fix up collation information */
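Review bot: Nothing at the two `transformWhereClause` calls in CreatePolicy says why the kind is `EXPR_KIND_POLICY` rather than `EXPR_KIND_WHERE`, and a reader of policy.c alone cannot see what the kind changes. A short comment above the first call would help, for example `/* EXPR_KIND_POLICY: aggregates, grouping operations and window functions are reported as not allowed in policy expressions */`. The same applies to the two AlterPolicy hunks below. The enclosing function bodies start and end outside these hunks.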
@@ -707,7 +707,7 @@ AlterPolicy(AlterPolicyStmt *stmt)
addRTEtoQuery(qual_pstate, rte, false, true, true);
qual = transformWhereClause(qual_pstate, copyObject(stmt->qual),
- EXPR_KIND_WHERE,
+ EXPR_KIND_POLICY,
"POLICY");
/* Fix up collation information */
@@ -730,7 +730,7 @@ AlterPolicy(AlterPolicyStmt *stmt)
with_check_qual = transformWhereClause(with_check_pstate,
copyObject(stmt->with_check),
- EXPR_KIND_WHERE,
+ EXPR_KIND_POLICY,
"POLICY");
/* Fix up collation information */
diff --git a/src/backend/parser/parse_agg.c b/src/backend/parser/parse_agg.c
index 478d8ca70bd..3846b569d6f 100644
--- a/src/backend/parser/parse_agg.c
+++ b/src/backend/parser/parse_agg.c
@@ -373,6 +373,13 @@ check_agglevels_and_constraints(ParseState *pstate, Node *expr)
case EXPR_KIND_WHERE:
errkind = true;
break;
+ case EXPR_KIND_POLICY:
+ if (isAgg)
+ err = _("aggregate functions are not allowed in policy expressions");
+ else
+ err = _("grouping operations are not allowed in policy expressions");
+
+ break;
case EXPR_KIND_HAVING:
/* okay */
break;
@@ -770,6 +777,9 @@ transformWindowFuncCall(ParseState *pstate, WindowFunc *wfunc,
case EXPR_KIND_WHERE:
errkind = true;
break;
+ case EXPR_KIND_POLICY:
+ err = _("window functions are not allowed in policy expressions");
+ break;
case EXPR_KIND_HAVING:
errkind = true;
break;
diff --git a/src/backend/parser/parse_expr.c b/src/backend/parser/parse_expr.c
index 0ff46dd457c..fa77ef1f8bb 100644
--- a/src/backend/parser/parse_expr.c
+++ b/src/backend/parser/parse_expr.c
@@ -1672,6 +1672,7 @@ transformSubLink(ParseState *pstate, SubLink *sublink)
case EXPR_KIND_FROM_SUBSELECT:
case EXPR_KIND_FROM_FUNCTION:
case EXPR_KIND_WHERE:
+ case EXPR_KIND_POLICY:
case EXPR_KIND_HAVING:
case EXPR_KIND_FILTER:
case EXPR_KIND_WINDOW_PARTITION:
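Review bot: The added `case EXPR_KIND_POLICY:` joins the label group shared with `EXPR_KIND_WHERE` and `EXPR_KIND_HAVING`, but the group's body lies outside the hunk, so the patch does not show whether a sub-select in a policy's USING or WITH CHECK expression is accepted or rejected. This is the place where that decision is made for row-security policies, so it deserves to be explicit. The regression test added in this commit covers only the aggregate error; a case such as `CREATE POLICY p ON t USING (c IN (SELECT c FROM t));` with its expected outcome would pin the behaviour down.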
@@ -3173,6 +3174,8 @@ ParseExprKindName(ParseExprKind exprKind)
return "function in FROM";
case EXPR_KIND_WHERE:
return "WHERE";
+ case EXPR_KIND_POLICY:
+ return "POLICY";
case EXPR_KIND_HAVING:
return "HAVING";
case EXPR_KIND_FILTER:
diff --git a/src/include/parser/parse_node.h b/src/include/parser/parse_node.h
index 7ecaffc0dc3..52499453690 100644
--- a/src/include/parser/parse_node.h
+++ b/src/include/parser/parse_node.h
@@ -63,7 +63,8 @@ typedef enum ParseExprKind
EXPR_KIND_INDEX_PREDICATE, /* index predicate */
EXPR_KIND_ALTER_COL_TRANSFORM, /* transform expr in ALTER COLUMN TYPE */
EXPR_KIND_EXECUTE_PARAMETER, /* parameter value in EXECUTE */
- EXPR_KIND_TRIGGER_WHEN /* WHEN condition in CREATE TRIGGER */
+ EXPR_KIND_TRIGGER_WHEN, /* WHEN condition in CREATE TRIGGER */
+ EXPR_KIND_POLICY /* USING or WITH CHECK expr in policy */
} ParseExprKind;
diff --git a/src/test/modules/test_rls_hooks/test_rls_hooks.c b/src/test/modules/test_rls_hooks/test_rls_hooks.c
index 61b62d55b4c..d76b17ae46a 100644
--- a/src/test/modules/test_rls_hooks/test_rls_hooks.c
+++ b/src/test/modules/test_rls_hooks/test_rls_hooks.c
@@ -106,7 +106,7 @@ test_rls_hooks_permissive(CmdType cmdtype, Relation relation)
e = (Node *) makeSimpleA_Expr(AEXPR_OP, "=", (Node *) n, (Node *) c, 0);
policy->qual = (Expr *) transformWhereClause(qual_pstate, copyObject(e),
- EXPR_KIND_WHERE,
+ EXPR_KIND_POLICY,
"POLICY");
policy->with_check_qual = copyObject(policy->qual);
@@ -160,7 +160,7 @@ test_rls_hooks_restrictive(CmdType cmdtype, Relation relation)
e = (Node *) makeSimpleA_Expr(AEXPR_OP, "=", (Node *) n, (Node *) c, 0);
policy->qual = (Expr *) transformWhereClause(qual_pstate, copyObject(e),
- EXPR_KIND_WHERE,
+ EXPR_KIND_POLICY,
"POLICY");
policy->with_check_qual = copyObject(policy->qual);
diff --git a/src/test/regress/expected/rowsecurity.out b/src/test/regress/expected/rowsecurity.out
index b146da373c3..b0556c2ff1f 100644
--- a/src/test/regress/expected/rowsecurity.out
+++ b/src/test/regress/expected/rowsecurity.out
@@ -3024,6 +3024,15 @@ CREATE RULE "_RETURN" AS ON SELECT TO t DO INSTEAD
SELECT * FROM generate_series(1,5) t0(c); -- succeeds
ROLLBACK;
--
+-- Policy expression handling
+--
+BEGIN;
+SET row_security = FORCE;
+CREATE TABLE t (c) AS VALUES ('bar'::text);
+CREATE POLICY p ON t USING (max(c)); -- fails: aggregate functions are not allowed in policy expressions
+ERROR: aggregate functions are not allowed in policy expressions
+ROLLBACK;
+--
-- Clean up objects
--
RESET SESSION AUTHORIZATION;
diff --git a/src/test/regress/sql/rowsecurity.sql b/src/test/regress/sql/rowsecurity.sql
index 54f2c89eda3..300f34ad4bf 100644
--- a/src/test/regress/sql/rowsecurity.sql
+++ b/src/test/regress/sql/rowsecurity.sql
@@ -1290,6 +1290,15 @@ CREATE RULE "_RETURN" AS ON SELECT TO t DO INSTEAD
ROLLBACK;
--
+-- Policy expression handling
+--
+BEGIN;
+SET row_security = FORCE;
+CREATE TABLE t (c) AS VALUES ('bar'::text);
+CREATE POLICY p ON t USING (max(c)); -- fails: aggregate functions are not allowed in policy expressions
+ROLLBACK;
+
+--
-- Clean up objects
--
RESET SESSION AUTHORIZATION;
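Review bot: Only the aggregate message is exercised by the added test; the grouping-operation and window-function messages introduced in parse_agg.c have no regression case. A window-function case such as `CREATE POLICY p ON t USING (row_number() OVER () > 0); -- fails: window functions are not allowed in policy expressions` would cover the second one. The first failing statement aborts the transaction opened by `BEGIN`, so each additional failing statement needs its own transaction block or a savepoint. rowsecurity.out must be updated to match.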