[
https://issues.apache.org/jira/browse/DERBY-6411?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13823646#comment-13823646
]
ASF subversion and git services commented on DERBY-6411:
--------------------------------------------------------
Commit 1542258 from [~knutanders] in branch 'code/branches/10.10'
[ https://svn.apache.org/r1542258 ]
DERBY-6411: Minimal select privilege should be checked in subqueries
Merged revision 1541461 from trunk.
> Minimal select privilege should be checked in subqueries
> --------------------------------------------------------
>
> Key: DERBY-6411
> URL: https://issues.apache.org/jira/browse/DERBY-6411
> Project: Derby
> Issue Type: Bug
> Components: SQL
> Affects Versions: 10.10.1.1
> Reporter: Knut Anders Hatlen
> Assignee: Knut Anders Hatlen
> Fix For: 10.10.1.3, 10.11.0.0
>
> Attachments: d6411-1a.diff
>
>
> DERBY-4191 added checks for minimal select privilege in cases where a SELECT
> query didn't access any actual column in the base table, such as SELECT
> COUNT(*) FROM USER1.T and SELECT 1 FROM USER1.T. That privilege checking is
> only done for top-level SELECT statements. It should also be done for
> subqueries.
> Examples of queries where Derby does not currently check for minimal select
> privileges on the accessed tables (performed as USER2, which has no
> privileges on any of USER1's tables):
> SELECT * FROM (SELECT COUNT(*) FROM USER1.T) S
> SELECT 1 FROM USER1.T UNION SELECT 2 FROM USER1.T
> INSERT INTO USER2.T SELECT 1 FROM USER1.T
> I believe that the above statements should have failed, but currently they
> succeed.
--
This message was sent by Atlassian JIRA
(v6.1#6144)
