[ https://issues.apache.org/jira/browse/DERBY-6411?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Knut Anders Hatlen updated DERBY-6411:
--------------------------------------
Issue & fix info: Patch Available
> Minimal select privilege should be checked in subqueries
> --------------------------------------------------------
>
> Key: DERBY-6411
> URL: https://issues.apache.org/jira/browse/DERBY-6411
> Project: Derby
> Issue Type: Bug
> Components: SQL
> Affects Versions: 10.10.1.1
> Reporter: Knut Anders Hatlen
> Assignee: Knut Anders Hatlen
> Attachments: d6411-1a.diff
>
>
> DERBY-4191 added checks for minimal select privilege in cases where a SELECT
> query didn't access any actual column in the base table, such as SELECT
> COUNT(*) FROM USER1.T and SELECT 1 FROM USER1.T. That privilege checking is
> only done for top-level SELECT statements. It should also be done for
> subqueries.
>
> Examples of queries where Derby does not currently check for minimal select
> privileges on the accessed tables (performed as USER2, which has no
> privileges on any of USER1's tables):
>
>     SELECT * FROM (SELECT COUNT(*) FROM USER1.T) S
>     SELECT 1 FROM USER1.T UNION SELECT 2 FROM USER1.T
>     INSERT INTO USER2.T SELECT 1 FROM USER1.T
>
> I believe that the above statements should have failed, but currently they
> succeed.
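A regression check for the behaviour reported above, added here as an example and not taken from the issue, the attached patch or the Derby test suite. It assumes the embedded Derby driver is on the classpath and that no authentication provider is configured; the class name and the in-memory database name are hypothetical.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.sql.Statement;

public class MinimalSelectPrivilegeCheck {   // hypothetical class name
    // Constructed in-memory database name (assumption, not from the issue).
    static final String URL = "jdbc:derby:memory:d6411check";

    // Statements taken from the issue text: the first two are the top-level
    // forms that DERBY-4191 already checks, the rest are the reported cases.
    static final String[] STATEMENTS = {
        "SELECT COUNT(*) FROM USER1.T",
        "SELECT 1 FROM USER1.T",
        "SELECT * FROM (SELECT COUNT(*) FROM USER1.T) S",
        "SELECT 1 FROM USER1.T UNION SELECT 2 FROM USER1.T",
        "INSERT INTO USER2.T SELECT 1 FROM USER1.T",
    };

    public static void main(String[] args) throws SQLException {
        // SQL authorization has to be enabled before the database is created.
        System.setProperty("derby.database.sqlAuthorization", "true");

        // USER1 creates the database and the table, and grants nothing to USER2.
        try (Connection c = DriverManager.getConnection(URL + ";create=true;user=USER1");
             Statement s = c.createStatement()) {
            s.execute("CREATE TABLE USER1.T (X INT)");
            s.execute("INSERT INTO USER1.T VALUES (1), (2), (3)");
        }

        int allowed = 0;
        try (Connection c = DriverManager.getConnection(URL + ";user=USER2");
             Statement s = c.createStatement()) {
            // USER2 owns its own schema, so this CREATE is permitted.
            s.execute("CREATE TABLE USER2.T (X INT)");
            for (String sql : STATEMENTS) {
                try {
                    s.execute(sql);
                    allowed++;
                    System.out.println("ALLOWED      " + sql);
                } catch (SQLException e) {
                    System.out.println("DENIED " + e.getSQLState() + " " + sql);
                }
            }
        }
        // Every statement should be denied; a non-zero count means a check is missing.
        if (allowed > 0) System.exit(1);
    }
}
```

On a release with the behaviour described in the report, the last three statements print ALLOWED and the program exits with status 1.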