Knut Anders Hatlen created DERBY-6411:
-----------------------------------------
Summary: Minimal select privilege should be checked in subqueries
Key: DERBY-6411
URL: https://issues.apache.org/jira/browse/DERBY-6411
Project: Derby
Issue Type: Bug
Components: SQL
Affects Versions: 10.10.1.1
Reporter: Knut Anders Hatlen
Assignee: Knut Anders Hatlen
DERBY-4191 added checks for minimal select privilege in cases where a SELECT
query didn't access any actual column in the base table, such as SELECT
COUNT(*) FROM USER1.T and SELECT 1 FROM USER1.T. That privilege checking is
only done for top-level SELECT statements. It should also be done for
subqueries.
Examples of queries where Derby does not currently check for minimal select
privileges on the accessed tables (performed as USER2, which has no privileges
on any of USER1's tables):
SELECT * FROM (SELECT COUNT(*) FROM USER1.T) S
SELECT 1 FROM USER1.T UNION SELECT 2 FROM USER1.T
INSERT INTO USER2.T SELECT 1 FROM USER1.T
I believe that the above statements should have failed, but currently they
succeed.
--
This message was sent by Atlassian JIRA
(v6.1#6144)
