db-derby-dev mailing list archives

From Dag.Wan...@Sun.COM (Dag H. Wanvik)
Subject Re: Issues with SQL Roles
Date Thu, 16 Apr 2009 17:03:07 GMT
Dag.Wanvik@Sun.COM (Dag H. Wanvik) writes:

>> "Any open result sets will remain usable as before, since these remain
>> open; even though the old (base)activation is no longer referenced
>> from the GenericActivationHolder, there is a reference to the old
>> activation from the result set, so it stays alive."
>
> Yes, this is the current behavior. I think we should keep this.  The
> privilege checking occurs at execute time (when the result set is
> constructed), and I guess it's logical that if you can see *one* row
> with a SELECT privilege, you should be able to see them all. In any
> case, prefetching of rows at several levels in Derby makes it hard to
> present a consistent picture if we chose to try to make enforcement
> immediate. I could not find anything in the standard on this.
>
> It is not there already it should be mentioned in the docs.

The behavior is mentioned here:

http://db.apache.org/derby/docs/dev/devguide/cdevcsecureroles.html

See the section "Revoking roles":

"A result set that depends on a role will remain open even if that
role is revoked from a user."

This is true, but holds more generally; revoke actions (privileges,
roles) do not invalidate open result sets.

Dag
