Revoking EXECUTE privilege on a function is not restricted if used in a CHECK
constraint
----------------------------------------------------------------------------------------
Key: DERBY-3743
URL: https://issues.apache.org/jira/browse/DERBY-3743
Project: Derby
Issue Type: Bug
Components: Security, SQL
Affects Versions: 10.5.0.0
Reporter: Dag H. Wanvik

The docs say that REVOKE EXECUTE ... RESTRICT should
fail if there is a dependent constraint:
"The RESTRICT clause specifies that the EXECUTE privilege cannot be
revoked if the specified routine is used in a view, trigger, or
constraint, and the privilege is being revoked from the owner of the
view, trigger, or constraint."
In this case the function f_abs is used in a CHECK
constraint. Revoking the privilege, however, is not restricted as
specified.
Running GrantRevokeDDLTest with the enclosed patch (revoke-bug.diff)
on trunk I see:
1) testGrantRevokeDDL(org.apache.derbyTesting.functionTests.tests.lang.GrantRevokeDDLTest)java.sql.SQLSyntaxErrorException:
User 'MAMTA3' does not have execute permission on FUNCTION 'MAMTA1'.'F_ABS'.
which shows that the revoke statement succeeded.
From inspecting the code, it seems that the dependency is not
registered in storeConstraintDependenciesOnPrivileges, which seems to
only care about REFERENCES privileges for constraints.
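
A minimal script for the scenario described above, added here as an illustration and not taken from revoke-bug.diff or from GrantRevokeDDLTest. It assumes a database with derby.database.sqlAuthorization=true and users mamta1 and mamta3; the table name t_check_demo and the definition of f_abs are assumptions made for the example.

```sql
-- Added example (not from the report). Assumes SQL authorization is enabled
-- and that each section runs on a connection for the named user.

-- connected as mamta1 (owner of the function)
CREATE FUNCTION f_abs(p1 INT) RETURNS INT
    NO SQL
    RETURNS NULL ON NULL INPUT
    EXTERNAL NAME 'java.lang.Math.abs'
    LANGUAGE JAVA
    PARAMETER STYLE JAVA;

GRANT EXECUTE ON FUNCTION f_abs TO mamta3;

-- connected as mamta3 (owner of the constraint)
-- t_check_demo is a hypothetical table name.
CREATE TABLE t_check_demo (
    c1 INT,
    CONSTRAINT c1_positive CHECK (mamta1.f_abs(c1) > 0)
);

INSERT INTO t_check_demo VALUES (1);   -- allowed while EXECUTE is held

-- connected as mamta1
-- Per the documented RESTRICT rule, this statement should be rejected,
-- because mamta3 owns a constraint that uses the routine.
-- The report states that on 10.5.0.0 (trunk) it succeeds instead.
REVOKE EXECUTE ON FUNCTION f_abs FROM mamta3 RESTRICT;

-- connected as mamta3
-- Assumption: once the revoke has gone through, a statement that evaluates
-- the CHECK constraint is where the missing privilege shows up, with the
-- error quoted in the report:
--   User 'MAMTA3' does not have execute permission on FUNCTION 'MAMTA1'.'F_ABS'.
INSERT INTO t_check_demo VALUES (2);

-- Check after the fix: the REVOKE above must fail, and this catalog query
-- (run as mamta1) must still list MAMTA3 as a grantee.
SELECT GRANTEE, GRANTOR FROM SYS.SYSROUTINEPERMS;
```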