Date: Mon, 11 Jan 2010 16:04:54 +0000 (UTC)
From: "Kim Haase (JIRA)"
To: derby-dev@db.apache.org
Subject: [jira] Updated: (DERBY-4505) Document that views, triggers, and constraints run with definer's rights rather than invoker's rights

     [ https://issues.apache.org/jira/browse/DERBY-4505?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kim Haase updated DERBY-4505:
-----------------------------

    Issue & fix info: [Patch Available]

Thanks to you both for commenting even though I forgot to mark the issue Patch Available.

> Document that views, triggers, and constraints run with definer's rights rather than invoker's rights
> -----------------------------------------------------------------------------------------------------
>
>                 Key: DERBY-4505
>                 URL: https://issues.apache.org/jira/browse/DERBY-4505
>             Project: Derby
>          Issue Type: Bug
>          Components: Documentation
>    Affects Versions: 10.2.2.1, 10.2.3.0, 10.3.3.1, 10.3.4.0, 10.4.2.1, 10.4.3.0, 10.5.3.1, 10.5.4.0, 10.6.0.0
>            Reporter: Rick Hillegas
>            Assignee: Kim Haase
>         Attachments: DERBY-4505.diff, DERBY-4505.stat, DERBY-4505.zip
>
>
> Comments like the following can be found in the code, including this particular example from DDLConstantAction.storeConstraintDependenciesOnPrivileges():
>     * Views and triggers and constraints run with definer's privileges.
> This is an important behavior of Derby privileges which deserves to be documented. I can find only one glancing reference to this behavior, viz., in the Reference Guide section on the REVOKE command. There we learn that:
> "You must use the RESTRICT clause on REVOKE statements for routines. The RESTRICT clause specifies that the EXECUTE privilege cannot be revoked if the specified routine is used in a view, trigger, or constraint, and the privilege is being revoked from the owner of the view, trigger, or constraint."
> From that lone statement, a clever reader might deduce that Derby views, triggers, and constraints run with definer rather than invoker rights. But that is not the clear meaning of that statement in the Reference Guide. To draw the necessary conclusion from that statement the reader would have to be clever enough to understand the SQL Standard's tricky language around definer and invoker rights--and that would be a very clever reader indeed.
> In short, we need to document this behavior explicitly. I consider this hole in our documentation to be a serious enough defect that I am marking this issue as a Bug.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
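
An added illustration of the definer's-rights behavior the issue asks to have documented; it is not part of the original message, the attached patch, or Derby's documentation. It assumes SQL authorization is enabled (derby.database.sqlAuthorization=true) and uses hypothetical users ALICE and BOB and hypothetical tables.

```sql
-- Constructed example. Each statement runs on a connection authenticated
-- as the user named in the preceding comment.

-- As ALICE (the definer): base tables, a view and a trigger in her schema.
CREATE TABLE alice.salaries (
    emp_id INT PRIMARY KEY,
    dept   VARCHAR(20),
    amount INT
);
CREATE TABLE alice.salary_audit (emp_id INT, changed_at TIMESTAMP);

CREATE VIEW alice.dept_headcount (dept, headcount) AS
    SELECT dept, COUNT(*) FROM alice.salaries GROUP BY dept;

CREATE TRIGGER alice.log_salary_insert
    AFTER INSERT ON alice.salaries
    REFERENCING NEW AS n
    FOR EACH ROW MODE DB2SQL
    INSERT INTO alice.salary_audit VALUES (n.emp_id, CURRENT_TIMESTAMP);

-- ALICE grants BOB access to the view and INSERT on one base table only.
GRANT SELECT ON alice.dept_headcount TO bob;
GRANT INSERT ON alice.salaries TO bob;

-- As BOB (the invoker):

-- Succeeds: the view's query reads alice.salaries with ALICE's privileges.
SELECT * FROM alice.dept_headcount;

-- Rejected: BOB holds no SELECT privilege on the base table itself.
SELECT * FROM alice.salaries;

-- Succeeds, and the trigger's INSERT into alice.salary_audit also succeeds,
-- because the trigger action runs with ALICE's privileges, not BOB's.
INSERT INTO alice.salaries VALUES (1, 'ENG', 100);

-- Rejected: BOB holds no INSERT privilege on the audit table directly.
INSERT INTO alice.salary_audit VALUES (1, CURRENT_TIMESTAMP);
```

When reviewing grants, a privilege on a view or on a table with triggers therefore has to be read together with what the object's owner is allowed to do, since that is what executes on the grantee's behalf.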