db-derby-dev mailing list archives

From "Mamta A. Satoor (JIRA)" <j...@apache.org>
Subject [jira] Updated: (DERBY-4191) Lack of SELECT privilege does not prevent SELECT COUNT(*)
Date Thu, 07 Jan 2010 00:56:54 GMT

     [ https://issues.apache.org/jira/browse/DERBY-4191?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mamta A. Satoor updated DERBY-4191:
-----------------------------------

    Attachment: DERBY4191_miniumSelectPriv_CursorNode_And_Subquery_stat_patch6.txt
                DERBY4191_miniumSelectPriv_CursorNode_And_Subquery_diff_patch6.txt

Attaching another patch, DERBY4191_miniumSelectPriv_CursorNode_And_Subquery_diff_patch6.txt.
I have made a couple of changes in this patch compared to the previous one. Both patches require
that the user have minimum select privileges on all the tables in the select list. But the earlier
patch made that check in SelectNode whereas this patch makes that check in CursorNode. The
reason for this is that for a simple DML like the following, delete from ruth.t_ruth, a SelectNode is
generated. But that SelectNode is to generate the resultset needed for delete. From my research,
I believe CursorNode is the correct node where the minimum select privilege requirement should
go. I have added the test cases mentioned by Rick for the earlier patch, and those test cases along
with all the existing tests run with no problem with this patch. Another change in this patch
compared to the earlier one is that the select privilege requirement for subquery now happens around
the entire bind time code in SubqueryNode rather than just around resultSet.bindExpressions.
I would appreciate it if someone could review this patch for me to see if they see any problems with
it.

> Lack of SELECT privilege does not prevent SELECT COUNT(*)
> ---------------------------------------------------------
>
>                 Key: DERBY-4191
>                 URL: https://issues.apache.org/jira/browse/DERBY-4191
>             Project: Derby
>          Issue Type: Bug
>          Components: SQL
>    Affects Versions: 10.4.2.0, 10.5.1.1
>            Reporter: Knut Anders Hatlen
>            Assignee: Mamta A. Satoor
>         Attachments: DERBY4191_ColumnLevelCheckInStatmentColumnPerm_diff_patch2.txt,
>                      DERBY4191_ColumnLevelCheckInStatmentColumnPerm_stat_patch2.txt,
>                      DERBY4191_ColumnLevelCheckInStatmentTablePerm_diff_patch1.txt,
>                      DERBY4191_countStar_privilege_diff_patch1.txt,
>                      DERBY4191_miniumSelectPriv_CursorNode_And_Subquery_diff_patch6.txt,
>                      DERBY4191_miniumSelectPriv_CursorNode_And_Subquery_stat_patch6.txt,
>                      DERBY4191_miniumSelectPrivOnAllTables_And_Subquery_diff_patch5.txt,
>                      DERBY4191_miniumSelectPrivOnAllTables_And_Subquery_stat_patch5.txt,
>                      DERBY4191_miniumSelectPrivOnAllTables_diff_patch3.txt,
>                      DERBY4191_miniumSelectPrivOnAllTables_diff_patch4.txt,
>                      DERBY4191_miniumSelectPrivOnAllTables_stat_patch3.txt,
>                      DERBY4191_miniumSelectPrivOnAllTables_stat_patch4.txt, repro.sql
>
>
> A user that does not have SELECT privilege on a table can still perform a SELECT COUNT(*)
> on that table. Counting a specific column (e.g., SELECT COUNT(X)) is prevented.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
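
An added illustration (not Derby code and not part of the original message): a simplified Python model of why a privilege check driven only by the columns a statement references lets SELECT COUNT(*) through, and how requiring minimum SELECT on every table of a query closes that gap. All class and function names are hypothetical, and "minimum select privilege" is assumed here to mean table-level SELECT or SELECT on at least one column of the table.

```python
from dataclasses import dataclass, field


@dataclass
class Grants:
    """SELECT grants held by one user (simplified model, not Derby's classes)."""
    tables: set = field(default_factory=set)    # table-level SELECT
    columns: set = field(default_factory=set)   # (table, column) SELECT

    def can_read_column(self, table, column):
        return table in self.tables or (table, column) in self.columns

    def has_min_select(self, table):
        # Assumption: table-level SELECT, or SELECT on at least one column.
        return table in self.tables or any(t == table for t, _ in self.columns)


@dataclass
class Statement:
    kind: str           # "select" or "delete"
    tables: list        # tables named in the statement
    columns_read: list  # (table, column) pairs the statement references


def column_only_check(stmt, grants):
    """Flawed model: authorize only the columns that are referenced.
    COUNT(*) references no column, so nothing is checked and it passes."""
    return all(grants.can_read_column(t, c) for t, c in stmt.columns_read)


def select_privilege_ok(stmt, grants):
    """Hardened model: a query also needs minimum SELECT on each table.
    Only SELECT requirements are modelled; DELETE privilege is out of scope."""
    if not column_only_check(stmt, grants):
        return False
    if stmt.kind == "select":
        # Applied at the top-level query only, so the internal select that
        # feeds a DELETE does not pick up a SELECT requirement.
        return all(grants.has_min_select(t) for t in stmt.tables)
    return True


# Constructed sample statements against the table named in the message.
COUNT_STAR = Statement("select", ["ruth.t_ruth"], [])
COUNT_X = Statement("select", ["ruth.t_ruth"], [("ruth.t_ruth", "x")])
DELETE_ALL = Statement("delete", ["ruth.t_ruth"], [])
NO_GRANTS = Grants()
ONE_COLUMN = Grants(columns={("ruth.t_ruth", "x")})
```
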

