[jira] Updated: (DERBY-4191) Lack of SELECT privilege does not prevent SELECT COUNT(*)

Wed, 16 Dec 2009 09:18:41 -0800 

     [ 
https://issues.apache.org/jira/browse/DERBY-4191?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mamta A. Satoor updated DERBY-4191:
-----------------------------------

    Attachment: 
DERBY4191_miniumSelectPrivOnAllTables_And_Subquery_stat_patch5.txt
                
DERBY4191_miniumSelectPrivOnAllTables_And_Subquery_diff_patch5.txt

I have another patch, 
DERBY4191_miniumSelectPrivOnAllTables_And_Subquery_diff_patch5.txt. The 
difference in this patch compared to earlier patches is it now collects the 
select privilege requirement for a subquery involved in a DML. eg of subquery 
are as follows
update dbo.t set a = ( select max(a1) + 2 from dbo.t1 )
update dbo.t set a = ( select max(b1) + 2 from dbo.t2 )
For the queries above, we were not collecting any select privileges for the 
subquery. Instead we were requiring update privileges on columns inside the 
subquery. I have made changes in SubqueryNode to require the select privileges 
for the query it is working with. I have added tests for this subquery change 
in this patch. 

In addition to the above changes, I have added tests for testing privileges 
available through roles. These tests were missing from earlier patch for a 
query like 
select c1 from user1.t1, user1.t2

Please review the patch and let me know of any issues you may see with it.


> Lack of SELECT privilege does not prevent SELECT COUNT(*)
> ---------------------------------------------------------
>
>                 Key: DERBY-4191
>                 URL: https://issues.apache.org/jira/browse/DERBY-4191
>             Project: Derby
>          Issue Type: Bug
>          Components: SQL
>    Affects Versions: 10.4.2.0, 10.5.1.1
>            Reporter: Knut Anders Hatlen
>            Assignee: Mamta A. Satoor
>         Attachments: 
> DERBY4191_ColumnLevelCheckInStatmentColumnPerm_diff_patch2.txt, 
> DERBY4191_ColumnLevelCheckInStatmentColumnPerm_stat_patch2.txt, 
> DERBY4191_ColumnLevelCheckInStatmentTablePerm_diff_patch1.txt, 
> DERBY4191_countStar_privilege_diff_patch1.txt, 
> DERBY4191_miniumSelectPrivOnAllTables_And_Subquery_diff_patch5.txt, 
> DERBY4191_miniumSelectPrivOnAllTables_And_Subquery_stat_patch5.txt, 
> DERBY4191_miniumSelectPrivOnAllTables_diff_patch3.txt, 
> DERBY4191_miniumSelectPrivOnAllTables_diff_patch4.txt, 
> DERBY4191_miniumSelectPrivOnAllTables_stat_patch3.txt, 
> DERBY4191_miniumSelectPrivOnAllTables_stat_patch4.txt, repro.sql
>
>
> A user that does not have SELECT privilege on a table can still perform a 
> SELECT COUNT(*) on that table. Counting a specific column (e.g., SELECT 
> COUNT(X)) is prevented.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to