db-derby-dev mailing list archives

From "Kathey Marsden (JIRA)" <j...@apache.org>
Subject [jira] Updated: (DERBY-2893) INSERT and UPDATES succeed when permission has not been granted.
Date Tue, 10 Jul 2007 20:06:05 GMT

     [ https://issues.apache.org/jira/browse/DERBY-2893?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Kathey Marsden updated DERBY-2893:

    Attachment: DERBY-2893_diff.txt

OK. I think I have it now.  Here is the patch to fix the test. The problem was that for assertInsertPrivilege
we had

Connection c = openUserConnection(users[0]);

instead of

Connection c = openUserConnection(user);

So since users[0] was the DBO the insert succeeded.  Also the error SQLState was different
than the one expected in the test, 42500 instead of 42502.  I think 42500 user does not have
permission on table is correct.

For the updates I simply uncommented the DERBY-2893 comment and it seemed to work. So I am
not sure what the original problem was there.

> INSERT and UPDATES succeed when permission has not been granted.
> ----------------------------------------------------------------
>                 Key: DERBY-2893
>                 URL: https://issues.apache.org/jira/browse/DERBY-2893
>             Project: Derby
>          Issue Type: Bug
>          Components: Security, SQL
>    Affects Versions:,,
>            Reporter: Daniel John Debrunner
>            Priority: Critical
>         Attachments: DERBY-2893_diff.txt
> GrantRevokeTest had assert methods (assertInsertPrivilege etc.) of the form
> try {
>     s.execute(command);
> } catch (SQLException sqle) {
>     if (!hasPrivilege)
>         assertSQLState("42502", sqle);
>     else
>         fail(...);
> }
> Note that no fail() assert was in the try portion after the SQL execution. The statement
> should not work if hasPrivilege is false, but the test will incorrectly pass if the statement
> succeeds. I added fail asserts with revision 552922 like:
> if (!hasPrivilege)
>        fail("expected no INSERT permission on table");
> but these two for INSERT and UPDATE caused the test to fail (about 6 fixtures fail) indicating
> that the statement succeeds even if the permission is not granted.
> It could be a test problem but needs some investigation.
> The asserts for assertInsertPrivilege and assertUpdatePrivilege are commented out to stop
> the test failing.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
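
Added example, not part of the original message and not Derby's GrantRevokeTest code: the assert shape described in the issue next to one that also fails when an unprivileged statement succeeds. The class, the Action interface and both helper names are hypothetical stand-ins; the SQLState values are the ones quoted in the thread.

```java
import java.sql.SQLException;

public class NegativePrivilegeCheck {
    /** Stand-in for Statement.execute(command); hypothetical, not Derby code. */
    interface Action { void run() throws SQLException; }

    /** Shape described in the issue: nothing follows the call inside the try. */
    static boolean lenientCheck(Action a, boolean hasPrivilege) {
        try {
            a.run();
        } catch (SQLException sqle) {
            // Denial is only acceptable when no privilege was granted.
            return !hasPrivilege && "42502".equals(sqle.getSQLState());
        }
        return true; // success is accepted even when hasPrivilege is false
    }

    /** Same check with the missing branch: success without privilege fails. */
    static boolean strictCheck(Action a, boolean hasPrivilege, String expectedState) {
        try {
            a.run();
        } catch (SQLException sqle) {
            return !hasPrivilege && expectedState.equals(sqle.getSQLState());
        }
        return hasPrivilege; // reaching here without the privilege is a failure
    }

    public static void main(String[] args) {
        // Constructed stand-ins: a statement that is wrongly allowed (for
        // example because it ran on the DBO's connection) and one that is denied.
        Action allowed = () -> { };
        Action denied = () -> { throw new SQLException("no permission", "42500"); };

        System.out.println("lenient, allowed: " + lenientCheck(allowed, false));
        System.out.println("strict,  allowed: " + strictCheck(allowed, false, "42500"));
        System.out.println("strict,  denied:  " + strictCheck(denied, false, "42500"));
    }
}
```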
