db-derby-dev mailing list archives

From "Knut Anders Hatlen (JIRA)" <j...@apache.org>
Subject [jira] [Created] (DERBY-6411) Minimal select privilege should be checked in subqueries
Date Fri, 08 Nov 2013 12:48:19 GMT
Knut Anders Hatlen created DERBY-6411:
-----------------------------------------

             Summary: Minimal select privilege should be checked in subqueries
                 Key: DERBY-6411
                 URL: https://issues.apache.org/jira/browse/DERBY-6411
             Project: Derby
          Issue Type: Bug
          Components: SQL
    Affects Versions: 10.10.1.1
            Reporter: Knut Anders Hatlen
            Assignee: Knut Anders Hatlen


DERBY-4191 added checks for minimal select privilege in cases where a SELECT query didn't
access any actual column in the base table, such as SELECT COUNT(*) FROM USER1.T and SELECT
1 FROM USER1.T. That privilege checking is only done for top-level SELECT statements. It should
also be done for subqueries.

Examples of queries where Derby does not currently check for minimal select privileges on
the accessed tables (performed as USER2, which has no privileges on any of USER1's tables):

SELECT * FROM (SELECT COUNT(*) FROM USER1.T) S

SELECT 1 FROM USER1.T UNION SELECT 2 FROM USER1.T

INSERT INTO USER2.T SELECT 1 FROM USER1.T

I believe that the above statements should have failed, but currently they succeed.



--
This message was sent by Atlassian JIRA
(v6.1#6144)
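
The gap described in the report, as an added example that is not part of the original message and is not Derby's code: a simplified model of privilege collection over a query tree, comparing a collector that applies the minimal select privilege only at the top level with one that also applies it to nested SELECTs. All class and function names are hypothetical, and the three statements are constructed from the queries quoted above.

```python
from dataclasses import dataclass

# Simplified query tree (hypothetical names; this is not Derby's compiler).
@dataclass
class Table:
    name: str                 # schema-qualified, e.g. "USER1.T"

@dataclass
class Select:
    source: object            # Table, Select (derived table) or Union
    columns: tuple = ()       # base-table columns referenced; () for COUNT(*) or a constant

@dataclass
class Union:
    left: object
    right: object

@dataclass
class Insert:
    target: str
    source: object

def required(node, recurse, top=True):
    """Return (privilege, table, column) triples; column None = minimal select privilege."""
    if isinstance(node, Insert):
        return {("INSERT", node.target, None)} | required(node.source, recurse, False)
    if isinstance(node, Union):
        return required(node.left, recurse, False) | required(node.right, recurse, False)
    if isinstance(node, Select):
        if isinstance(node.source, Table):
            if node.columns:
                return {("SELECT", node.source.name, c) for c in node.columns}
            # No column referenced: top-level-only checking skips nested SELECTs here.
            return {("SELECT", node.source.name, None)} if (top or recurse) else set()
        return required(node.source, recurse, False)
    raise TypeError(node)

def authorized(user, stmt, grants, recurse):
    """Owners hold every privilege in their own schema; others need a grant."""
    def ok(priv, table, col):
        held = grants.get((user, priv, table), set())
        owner = table.split(".")[0] == user
        return owner or (col in held if col else bool(held))
    return all(ok(*p) for p in required(stmt, recurse))

T = Table("USER1.T")  # constructed sample statements, modelled on the report's queries:
DERIVED = Select(Select(T))            # SELECT * FROM (SELECT COUNT(*) FROM USER1.T) S
UNION = Union(Select(T), Select(T))    # SELECT 1 FROM USER1.T UNION SELECT 2 FROM USER1.T
INSERT = Insert("USER2.T", Select(T))  # INSERT INTO USER2.T SELECT 1 FROM USER1.T
```

With `recurse=False` the model authorizes all three statements for USER2 with no grants; with `recurse=True` each one is denied until USER2 holds SELECT on at least one column of USER1.T.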
