db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dag H. Wanvik (JIRA)" <j...@apache.org>
Subject [jira] Closed: (DERBY-3743) Revoking EXECUTE privilege on a function is not restricted if used in a CHECK constraint
Date Tue, 01 Jul 2008 13:56:45 GMT

     [ https://issues.apache.org/jira/browse/DERBY-3743?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Dag H. Wanvik closed DERBY-3743.

    Resolution: Invalid

Closing this, my repro was at error, sorry for the noise.

> Revoking EXECUTE privilege on a function is not restricted if used in a CHECK constraint
> ----------------------------------------------------------------------------------------
>                 Key: DERBY-3743
>                 URL: https://issues.apache.org/jira/browse/DERBY-3743
>             Project: Derby
>          Issue Type: Bug
>          Components: Security, SQL
>    Affects Versions:
>            Reporter: Dag H. Wanvik
> The docs say that REVOKE EXECUTE ... RESTRICT should 
> fail if there is a dependent constraint:
> "The RESTRICT clause specifies that the EXECUTE privilege cannot be
>  revoked if the specified routine is used in a view, trigger, or
>  constraint, and the privilege is being revoked from the owner of the
>  view, trigger, or constraint."
> In this case the function f_abs is used in a CHECK
> constraint. Revoking the privilege, however, is not restricted as
> specified. 
> Running GrantRevokeDDLTest with the enclosed patch (revoke-bug.diff)
> on trunk I see:
> 1) testGrantRevokeDDL(org.apache.derbyTesting.functionTests.tests.lang.GrantRevokeDDLTest)java.sql.SQLSyntaxErrorException:
User 'MAMTA3' does not have execute permission on FUNCTION 'MAMTA1'.'F_ABS'.
> which shows that the revoke statement succeeded.
> From inspecting the code, it seems that the dependency is not
> registered in storeConstraintDependenciesOnPrivileges, which seems to
> only care about REFERENCES privileges for constraints.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message