doc: Clarify RLS policies applied for ON CONFLICT DO NOTHING.

On the CREATE POLICY page, the description of per-command policies
stated that SELECT policies are applied when an INSERT has an ON
CONFLICT DO NOTHING clause. However, that is only the case if it
includes an arbiter clause, so clarify that.

While at it, also clarify the comment in the regression tests that
cover this.

Author: Dean Rasheed <dean.a.rasheed@gmail.com>
Reviewed-by: Viktor Holmberg <v@viktorh.net>
Discussion: https://postgr.es/m/CAEZATCXGwMQ+x00YY9XYG46T0kCajH=21QaYL9Xatz0dLKii+g@mail.gmail.com
Backpatch-through: 14

doc/src/sgml/ref/create_policy.sgml

@@ -294,7 +294,9 @@ CREATE POLICY <replaceable class="parameter">name</replaceable> ON <replaceable
        </para>
        <para>
          If an <literal>INSERT</literal> has an <literal>ON CONFLICT DO
-         NOTHING/UPDATE</literal> clause, <literal>SELECT</literal>
+         UPDATE</literal> clause, or an <literal>ON CONFLICT DO
+         NOTHING</literal> clause with an arbiter index or constraint
+         specification, then <literal>SELECT</literal>
          permissions are required on the relation, and the rows proposed for
          insertion are checked using the relation's <literal>SELECT</literal>
          policies.  If a row proposed for insertion does not satisfy the
@@ -540,7 +542,11 @@ CREATE POLICY <replaceable class="parameter">name</replaceable> ON <replaceable
       <row>
        <entry><command>INSERT ... ON CONFLICT</command></entry>
        <entry>
-        Check new row&nbsp;<footnote id="rls-on-conflict-priv">
+        Check new row&nbsp;<footnote>
+         <para>
+          If an arbiter index or constraint is specified.
+         </para>
+        </footnote><footnote id="rls-on-conflict-priv">
          <para>
           Row proposed for insertion is checked regardless of whether or not a
           conflict occurs.

src/test/regress/expected/rowsecurity.out

@@ -170,8 +170,9 @@ NOTICE:  SELECT USING on rls_test_tgt.(1,"tgt d","TGT D")
  1 | tgt d | TGT D
 (1 row)
 
--- INSERT ... ON CONFLICT DO NOTHING should apply INSERT CHECK and SELECT USING
--- policy clauses (to new value, whether it conflicts or not)
+-- INSERT ... ON CONFLICT DO NOTHING with an arbiter clause should apply
+-- INSERT CHECK and SELECT USING policy clauses (to new value, whether it
+-- conflicts or not)
 INSERT INTO rls_test_tgt VALUES (1, 'tgt a') ON CONFLICT (a) DO NOTHING;
 NOTICE:  INSERT CHECK on rls_test_tgt.(1,"tgt a","TGT A")
 NOTICE:  SELECT USING on rls_test_tgt.(1,"tgt a","TGT A")

src/test/regress/sql/rowsecurity.sql

@@ -121,8 +121,9 @@ BEGIN; DELETE FROM rls_test_tgt; ROLLBACK;
 BEGIN; DELETE FROM rls_test_tgt WHERE a = 1; ROLLBACK;
 DELETE FROM rls_test_tgt RETURNING *;
 
--- INSERT ... ON CONFLICT DO NOTHING should apply INSERT CHECK and SELECT USING
--- policy clauses (to new value, whether it conflicts or not)
+-- INSERT ... ON CONFLICT DO NOTHING with an arbiter clause should apply
+-- INSERT CHECK and SELECT USING policy clauses (to new value, whether it
+-- conflicts or not)
 INSERT INTO rls_test_tgt VALUES (1, 'tgt a') ON CONFLICT (a) DO NOTHING;
 INSERT INTO rls_test_tgt VALUES (1, 'tgt b') ON CONFLICT (a) DO NOTHING;