On 10/02/2022 12:43, Dmitry Yemanov wrote:
> 10.02.2022 15:57, Adriano dos Santos Fernandes wrote:
>>
>>>
>>> If we need to take roles into account - only for attachments with the same
>>> USER.
>>
>> Even without a shared cache, a user can change their roles with SET ROLES and
>> new prepared statements should work as before even when they were
>> previously cached with different roles.
> 
> I'm not sure I get why security credentials should affect the cache at
> all. From the runtime POV, all BLR/SQL operations
> (current_user/current_role/rdb$*_roles) are redirected to Attachment,
> AFAIK we don't store anything role-specific inside the statement tree.
> From the security POV, we just need to execute verifyAccess() for the
> request retrieved from the cache.
> 
> What am I missing?
> 

I came up with this requirement because verifyAccess is currently part of
compilation.

But as I said and Vlad also said, we can remove roles from the key and
verify (with a verification cache) after getting the statement from the cache. This
would be better.


Adriano
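
The design settled on in this message (roles removed from the cache key, access verified after the statement is taken from the cache, with a verification cache), as an added C++ sketch that is not part of the original e-mail and is not Firebird code. `Statement`, `Attachment`, `StatementCache`, the `priv` parameter and the grants table are hypothetical stand-ins.

```cpp
#include <cstddef>
#include <map>
#include <memory>
#include <set>
#include <stdexcept>
#include <string>
#include <utility>

// Toy model, not Firebird code: every type and member name here is hypothetical.
struct Statement {                   // compiled once, holds nothing role-specific
    std::string sql;
    std::string requiredPrivilege;   // what compilation found the statement needs
};

struct Attachment {
    std::string user, role;          // role changes when the user switches roles
    int verifyCalls = 0;             // number of full privilege checks performed
    // Verification cache: (statement, role) pairs already checked on this attachment.
    // A real one would also need invalidating when grants change.
    std::set<std::pair<const Statement*, std::string>> verified;
};

// Constructed grants table: role -> privileges.
static const std::map<std::string, std::set<std::string>> kGrants = {
    {"HR", {"SELECT ON SALARY"}}, {"GUEST", {}}};

class StatementCache {
    std::map<std::string, std::shared_ptr<Statement>> bySql;  // key: SQL text only
public:
    // 'priv' stands in for the privilege a real compiler would derive from the SQL.
    std::shared_ptr<Statement> prepare(Attachment& att, const std::string& sql,
                                       const std::string& priv) {
        auto& slot = bySql[sql];
        if (!slot) slot = std::make_shared<Statement>(Statement{sql, priv});  // compile only
        verifyAccess(att, *slot);    // runs on cache hits as well as misses
        return slot;
    }
    std::size_t size() const { return bySql.size(); }
private:
    static void verifyAccess(Attachment& att, const Statement& st) {
        auto key = std::make_pair(&st, att.role);
        if (att.verified.count(key)) return;          // already verified for this role
        ++att.verifyCalls;
        auto g = kGrants.find(att.role);
        if (g == kGrants.end() || !g->second.count(st.requiredPrivilege))
            throw std::runtime_error("no permission for: " + st.sql);
        att.verified.insert(key);
    }
};
```

Because the check is keyed on the attachment's current role rather than baked into the cached statement, a role switch on the same attachment is re-verified against the same cached entry.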



Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel