
Function check_restrict_to_user_objects 

fn check_restrict_to_user_objects(
    catalog: &impl SessionCatalog,
    session: &dyn SessionMetadata,
    resolved_ids: &ResolvedIds,
) -> Result<(), UnauthorizedError>

When restrict_to_user_objects is active, rejects access to system catalog objects.

Functions and types are allowed through because they are needed for query execution. All other system items (tables, views, sources, sinks, etc.) are blocked. This is an allow-list — new catalog item types are blocked by default.

See: doc/developer/design/20260508_restrict_to_user_objects.md
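The allow-list behaviour described above, as an added example that is not the project's own code: `ItemType`, `Item`, `Unauthorized`, `check` and the `FutureKind` variant are hypothetical stand-ins for the real catalog, session and resolved-ID types. It runs the same query through an allow-list and a deny-list to show why a newly added item type stays blocked only under the allow-list.

```rust
// Added illustration: simplified, hypothetical stand-ins for the catalog types.
#[derive(Clone, Copy, Debug, PartialEq)]
enum ItemType { Table, View, Source, Sink, Func, Type, FutureKind }

#[derive(Clone, Copy)]
struct Item { id: u64, kind: ItemType, is_system: bool }

#[derive(Debug, PartialEq)]
struct Unauthorized { id: u64, kind: ItemType }

/// Allow-list: only the kinds named here pass; every other kind is rejected.
fn allow_list(kind: ItemType) -> bool {
    matches!(kind, ItemType::Func | ItemType::Type)
}

/// Deny-list, for contrast: only the kinds named here are rejected.
fn deny_list(kind: ItemType) -> bool {
    !matches!(kind, ItemType::Table | ItemType::View | ItemType::Source | ItemType::Sink)
}

/// Returns the first system item the policy rejects; user items always pass.
fn check(restrict: bool, items: &[Item], policy: fn(ItemType) -> bool) -> Result<(), Unauthorized> {
    if !restrict {
        return Ok(()); // setting inactive: nothing is filtered
    }
    match items.iter().find(|i| i.is_system && !policy(i.kind)) {
        Some(i) => Err(Unauthorized { id: i.id, kind: i.kind }),
        None => Ok(()),
    }
}

/// Constructed sample: a query touching a user table, a system function and a system type.
fn sample_query() -> Vec<Item> {
    vec![
        Item { id: 1, kind: ItemType::Table, is_system: false },
        Item { id: 2, kind: ItemType::Func, is_system: true },
        Item { id: 3, kind: ItemType::Type, is_system: true },
    ]
}

fn main() {
    let mut q = sample_query();
    println!("user table + system func/type: {:?}", check(true, &q, allow_list));
    // A system item of a kind that neither list was written with in mind.
    q.push(Item { id: 4, kind: ItemType::FutureKind, is_system: true });
    println!("allow-list, new kind: {:?}", check(true, &q, allow_list));
    println!("deny-list, new kind:  {:?}", check(true, &q, deny_list));
}
```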