db-derby-dev mailing list archives

From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DERBY-6411) Minimal select privilege should be checked in subqueries
Date Fri, 15 Nov 2013 13:25:21 GMT

    [ https://issues.apache.org/jira/browse/DERBY-6411?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13823646#comment-13823646 ]

ASF subversion and git services commented on DERBY-6411:
--------------------------------------------------------

Commit 1542258 from [~knutanders] in branch 'code/branches/10.10'
[ https://svn.apache.org/r1542258 ]

DERBY-6411: Minimal select privilege should be checked in subqueries

Merged revision 1541461 from trunk.

> Minimal select privilege should be checked in subqueries
> --------------------------------------------------------
>
>                 Key: DERBY-6411
>                 URL: https://issues.apache.org/jira/browse/DERBY-6411
>             Project: Derby
>          Issue Type: Bug
>          Components: SQL
>    Affects Versions: 10.10.1.1
>            Reporter: Knut Anders Hatlen
>            Assignee: Knut Anders Hatlen
>             Fix For: 10.10.1.3, 10.11.0.0
>
>         Attachments: d6411-1a.diff
>
>
> DERBY-4191 added checks for minimal select privilege in cases where a SELECT query didn't access any actual column in the base table, such as SELECT COUNT(*) FROM USER1.T and SELECT 1 FROM USER1.T. That privilege checking is only done for top-level SELECT statements. It should also be done for subqueries.
> Examples of queries where Derby does not currently check for minimal select privileges on the accessed tables (performed as USER2, which has no privileges on any of USER1's tables):
> SELECT * FROM (SELECT COUNT(*) FROM USER1.T) S
> SELECT 1 FROM USER1.T UNION SELECT 2 FROM USER1.T
> INSERT INTO USER2.T SELECT 1 FROM USER1.T
> I believe that the above statements should have failed, but currently they succeed.



--
This message was sent by Atlassian JIRA
(v6.1#6144)
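
The gap described in the report, as a simplified model added here for illustration (it is not Derby's code or the attached patch). `Node`, `required`, `missing` and the grant tuples are hypothetical names, and the statement trees are constructed from the three queries in the report plus the top-level case from DERBY-4191.

```python
from dataclasses import dataclass, field

ANY = "<any column>"  # marker for the minimal select privilege

@dataclass
class Node:
    kind: str                 # "select", "union" or "insert"
    table: str = ""           # base table read (select) or written (insert)
    columns: tuple = ()       # base-table columns the node references
    children: list = field(default_factory=list)  # subqueries / operands

def required(node, check_subqueries, top_level=True):
    """Collect the (privilege, table, column) checks a statement needs."""
    need = set()
    if node.kind == "insert":
        need.add(("INSERT", node.table, None))
    elif node.kind == "select" and node.table:
        if node.columns:
            need |= {("SELECT", node.table, c) for c in node.columns}
        elif top_level or check_subqueries:
            # COUNT(*) or SELECT 1: no column is read, so require SELECT
            # on at least one column of the table.
            need.add(("SELECT", node.table, ANY))
    for child in node.children:
        need |= required(child, check_subqueries, top_level=False)
    return need

def missing(stmt, grants, check_subqueries):
    """Return the checks the user fails; an empty list means 'allowed'."""
    def held(priv, table, col):
        if col == ANY:
            return any(g[:2] == (priv, table) for g in grants)
        return (priv, table, None) in grants or (priv, table, col) in grants
    need = required(stmt, check_subqueries)
    return sorted((n for n in need if not held(*n)), key=str)

# Constructed inputs: the statements from the report, run as USER2.
T = "USER1.T"
USER2_GRANTS = {("INSERT", "USER2.T", None)}   # rights on its own table only
STATEMENTS = {
    "top-level count": Node("select", T),
    "derived table": Node("select", children=[Node("select", T)]),
    "union": Node("union", children=[Node("select", T), Node("select", T)]),
    "insert-select": Node("insert", "USER2.T", children=[Node("select", T)]),
}

if __name__ == "__main__":
    for name, stmt in STATEMENTS.items():
        print(name, missing(stmt, USER2_GRANTS, False), missing(stmt, USER2_GRANTS, True))
```

With `check_subqueries=False` only the top-level statement is rejected; with `True` all four are rejected until USER2 holds SELECT on at least one column of USER1.T.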
