db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mamta A. Satoor (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DERBY-4191) Lack of SELECT privilege does not prevent SELECT COUNT(*)
Date Fri, 11 Dec 2009 22:20:18 GMT

    [ https://issues.apache.org/jira/browse/DERBY-4191?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12789577#action_12789577

Mamta A. Satoor commented on DERBY-4191:

While trying so more test cases, I found another test case for update that does not collect
select privilege requirement. 

java -Dderby.database.sqlAuthorization=true -Dij.exceptionTrace=true org.apache.derby.tools.ij
connect 'jdbc:derby:c:/dellater/db1;user=dbo;create=true' as dbo;
create table t( a int, b int ); 
grant update on t to public; 
connect 'jdbc:derby:c:/dellater/db1;user=user2' as user2; 
-- with my last patch(DERBY4191_miniumSelectPrivOnAllTables_diff_patch4.txt), following now
will give an error
update dbo.t set a = ( select max(a) + 2 from dbo.t ); 
--grant select privilege on dbo.t(a) to user2
set connection dbo;
grant select(a) on t to user2;
set connection user2;
-- now the following will succeed
update dbo.t set a = ( select max(a) + 2 from dbo.t ); 
--BUT FOLLOWING SHOULD NOT SUCCEED because there is no select privilege on column b
update dbo.t set a = ( select max(b) + 2 from dbo.t ); 

So, it appears that we are not collecting individual select privilege for a subquery hidden
inside update. I will look further into it. Wonder if there are other cases where we are missing
on collecting the select privileges. I tried the test case about without my changes on a different
trunk client(that client has some other changes but they are not related to privilege collection)
and the buggy behavior can be seen there, too. I just wanted to be sure that my changes for
this jira didn't cause any regression.

> Lack of SELECT privilege does not prevent SELECT COUNT(*)
> ---------------------------------------------------------
>                 Key: DERBY-4191
>                 URL: https://issues.apache.org/jira/browse/DERBY-4191
>             Project: Derby
>          Issue Type: Bug
>          Components: SQL
>    Affects Versions:,
>            Reporter: Knut Anders Hatlen
>            Assignee: Mamta A. Satoor
>         Attachments: DERBY4191_ColumnLevelCheckInStatmentColumnPerm_diff_patch2.txt,
DERBY4191_ColumnLevelCheckInStatmentColumnPerm_stat_patch2.txt, DERBY4191_ColumnLevelCheckInStatmentTablePerm_diff_patch1.txt,
DERBY4191_countStar_privilege_diff_patch1.txt, DERBY4191_miniumSelectPrivOnAllTables_diff_patch3.txt,
DERBY4191_miniumSelectPrivOnAllTables_diff_patch4.txt, DERBY4191_miniumSelectPrivOnAllTables_stat_patch3.txt,
DERBY4191_miniumSelectPrivOnAllTables_stat_patch4.txt, repro.sql
> A user that does not have SELECT privilege on a table can still perform a SELECT COUNT(*)
on that table. Counting a specific column (e.g., SELECT COUNT(X)) is prevented.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message