db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mamta A. Satoor (JIRA)" <j...@apache.org>
Subject [jira] Updated: (DERBY-4191) Lack of SELECT privilege does not prevent SELECT COUNT(*)
Date Wed, 16 Dec 2009 17:18:18 GMT

     [ https://issues.apache.org/jira/browse/DERBY-4191?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Mamta A. Satoor updated DERBY-4191:
-----------------------------------

    Attachment: DERBY4191_miniumSelectPrivOnAllTables_And_Subquery_stat_patch5.txt
                DERBY4191_miniumSelectPrivOnAllTables_And_Subquery_diff_patch5.txt

I have another patch, DERBY4191_miniumSelectPrivOnAllTables_And_Subquery_diff_patch5.txt.
The difference in this patch compared to earlier patches is it now collects the select privilege
requirement for a subquery involved in a DML. eg of subquery are as follows
update dbo.t set a = ( select max(a1) + 2 from dbo.t1 )
update dbo.t set a = ( select max(b1) + 2 from dbo.t2 )
For the queries above, we were not collecting any select privileges for the subquery. Instead
we were requiring update privileges on columns inside the subquery. I have made changes in
SubqueryNode to require the select privileges for the query it is working with. I have added
tests for this subquery change in this patch. 

In addition to the above changes, I have added tests for testing privileges available through
roles. These tests were missing from earlier patch for a query like 
select c1 from user1.t1, user1.t2

Please review the patch and let me know of any issues you may see with it.


> Lack of SELECT privilege does not prevent SELECT COUNT(*)
> ---------------------------------------------------------
>
>                 Key: DERBY-4191
>                 URL: https://issues.apache.org/jira/browse/DERBY-4191
>             Project: Derby
>          Issue Type: Bug
>          Components: SQL
>    Affects Versions: 10.4.2.0, 10.5.1.1
>            Reporter: Knut Anders Hatlen
>            Assignee: Mamta A. Satoor
>         Attachments: DERBY4191_ColumnLevelCheckInStatmentColumnPerm_diff_patch2.txt,
DERBY4191_ColumnLevelCheckInStatmentColumnPerm_stat_patch2.txt, DERBY4191_ColumnLevelCheckInStatmentTablePerm_diff_patch1.txt,
DERBY4191_countStar_privilege_diff_patch1.txt, DERBY4191_miniumSelectPrivOnAllTables_And_Subquery_diff_patch5.txt,
DERBY4191_miniumSelectPrivOnAllTables_And_Subquery_stat_patch5.txt, DERBY4191_miniumSelectPrivOnAllTables_diff_patch3.txt,
DERBY4191_miniumSelectPrivOnAllTables_diff_patch4.txt, DERBY4191_miniumSelectPrivOnAllTables_stat_patch3.txt,
DERBY4191_miniumSelectPrivOnAllTables_stat_patch4.txt, repro.sql
>
>
> A user that does not have SELECT privilege on a table can still perform a SELECT COUNT(*)
on that table. Counting a specific column (e.g., SELECT COUNT(X)) is prevented.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message