[
https://issues.apache.org/jira/browse/DERBY-4191?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12789577#action_12789577
]
Mamta A. Satoor commented on DERBY-4191:
----------------------------------------
While trying some more test cases, I found another test case for update that does
not collect select privilege requirement.

java -Dderby.database.sqlAuthorization=true -Dij.exceptionTrace=true org.apache.derby.tools.ij
connect 'jdbc:derby:c:/dellater/db1;user=dbo;create=true' as dbo;
create table t( a int, b int );
grant update on t to public;
connect 'jdbc:derby:c:/dellater/db1;user=user2' as user2;
-- with my last patch(DERBY4191_miniumSelectPrivOnAllTables_diff_patch4.txt),
-- following now will give an error
update dbo.t set a = ( select max(a) + 2 from dbo.t );
-- grant select privilege on dbo.t(a) to user2
set connection dbo;
grant select(a) on t to user2;
set connection user2;
-- now the following will succeed
update dbo.t set a = ( select max(a) + 2 from dbo.t );
-- BUT FOLLOWING SHOULD NOT SUCCEED because there is no select privilege on
-- column b
update dbo.t set a = ( select max(b) + 2 from dbo.t );

So, it appears that we are not collecting individual select privilege for a
subquery hidden inside update. I will look further into it. Wonder if there are
other cases where we are missing on collecting the select privileges. I tried
the test case above without my changes on a different trunk client (that client
has some other changes but they are not related to privilege collection) and
the buggy behavior can be seen there, too. I just wanted to be sure that my
changes for this jira didn't cause any regression.
> Lack of SELECT privilege does not prevent SELECT COUNT(*)
> ---------------------------------------------------------
>
> Key: DERBY-4191
> URL: https://issues.apache.org/jira/browse/DERBY-4191
> Project: Derby
> Issue Type: Bug
> Components: SQL
> Affects Versions: 10.4.2.0, 10.5.1.1
> Reporter: Knut Anders Hatlen
> Assignee: Mamta A. Satoor
> Attachments:
> DERBY4191_ColumnLevelCheckInStatmentColumnPerm_diff_patch2.txt,
> DERBY4191_ColumnLevelCheckInStatmentColumnPerm_stat_patch2.txt,
> DERBY4191_ColumnLevelCheckInStatmentTablePerm_diff_patch1.txt,
> DERBY4191_countStar_privilege_diff_patch1.txt,
> DERBY4191_miniumSelectPrivOnAllTables_diff_patch3.txt,
> DERBY4191_miniumSelectPrivOnAllTables_diff_patch4.txt,
> DERBY4191_miniumSelectPrivOnAllTables_stat_patch3.txt,
> DERBY4191_miniumSelectPrivOnAllTables_stat_patch4.txt, repro.sql
>
>
> A user that does not have SELECT privilege on a table can still perform a
> SELECT COUNT(*) on that table. Counting a specific column (e.g., SELECT
> COUNT(X)) is prevented.
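
The behaviour the comment above expects, as an added example that is not part of the original message and is not Derby's code: a small model that collects column-level privilege requirements by walking the whole statement, scalar subqueries included, and compares them with what user2 holds after the two grants in the repro. The class and function names, and the representation of a table-wide grant as a column of None, are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical statement model; these are not Derby's AST classes.
@dataclass
class ColumnRef:
    table: str
    column: str

@dataclass
class Select:            # scalar subquery: select <exprs> from <table>
    table: str
    exprs: list

@dataclass
class Update:            # update <table> set <target> = <source>
    table: str
    target: str
    source: object

def required_privileges(node, out=None):
    """Collect (privilege, table, column) for every node, nested selects included."""
    out = set() if out is None else out
    if isinstance(node, Update):
        out.add(("UPDATE", node.table, node.target))
        required_privileges(node.source, out)   # the step the repro shows being skipped
    elif isinstance(node, Select):
        for expr in node.exprs:
            required_privileges(expr, out)
    elif isinstance(node, ColumnRef):
        out.add(("SELECT", node.table, node.column))
    return out

def missing(node, grants):
    """Requirements not covered by a column grant or a table-wide grant (column None)."""
    return sorted(r for r in required_privileges(node)
                  if r not in grants and (r[0], r[1], None) not in grants)

# Constructed from the repro: grant update on t to public; grant select(a) on t to user2
GRANTS_USER2 = {("UPDATE", "DBO.T", None), ("SELECT", "DBO.T", "A")}
STMT_MAX_A = Update("DBO.T", "A", Select("DBO.T", [ColumnRef("DBO.T", "A")]))
STMT_MAX_B = Update("DBO.T", "A", Select("DBO.T", [ColumnRef("DBO.T", "B")]))

if __name__ == "__main__":
    print(missing(STMT_MAX_A, GRANTS_USER2))   # nothing missing: statement may run
    print(missing(STMT_MAX_B, GRANTS_USER2))   # SELECT on column B is missing
```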