[
https://issues.apache.org/jira/browse/DERBY-4191?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Mamta A. Satoor updated DERBY-4191:
-----------------------------------
Attachment:
DERBY4191_miniumSelectPriv_CursorNode_And_Subquery_stat_patch6.txt
DERBY4191_miniumSelectPriv_CursorNode_And_Subquery_diff_patch6.txt
Attaching another patch,
DERBY4191_miniumSelectPriv_CursorNode_And_Subquery_diff_patch6.txt. I have made
couple changes in this patch compared to the previous Both the patches require
that user had minimum select privileges on all the tables in the select list.
But the earlier patch made that check in SelectNode whereas this patch makes
that check in CursorNode. The reason for this is for a simple DMLlike
following, delete from ruth.t_ruth, a SelectNode is generated. But that
SelectNode is to generate the resultset needed for delete. From my research, I
believe CursorNode is the correct node where the minimum select privilege
requirement should go. I have added test cases mentioned by Rick for the
earlier patch and those test cases along with all the existing tests run with
no problem with this patch. Another change in this patch compared to earlier
one is the select privilege requirement for subquery now happens around the
entire bind time code in SubqueryNode rather than just aroiund
resultSet.bindExpressions. Would appreciate if someone can review this patch
for me to see if they see any problems with it.
> Lack of SELECT privilege does not prevent SELECT COUNT(*)
> ---------------------------------------------------------
>
> Key: DERBY-4191
> URL: https://issues.apache.org/jira/browse/DERBY-4191
> Project: Derby
> Issue Type: Bug
> Components: SQL
> Affects Versions: 10.4.2.0, 10.5.1.1
> Reporter: Knut Anders Hatlen
> Assignee: Mamta A. Satoor
> Attachments:
> DERBY4191_ColumnLevelCheckInStatmentColumnPerm_diff_patch2.txt,
> DERBY4191_ColumnLevelCheckInStatmentColumnPerm_stat_patch2.txt,
> DERBY4191_ColumnLevelCheckInStatmentTablePerm_diff_patch1.txt,
> DERBY4191_countStar_privilege_diff_patch1.txt,
> DERBY4191_miniumSelectPriv_CursorNode_And_Subquery_diff_patch6.txt,
> DERBY4191_miniumSelectPriv_CursorNode_And_Subquery_stat_patch6.txt,
> DERBY4191_miniumSelectPrivOnAllTables_And_Subquery_diff_patch5.txt,
> DERBY4191_miniumSelectPrivOnAllTables_And_Subquery_stat_patch5.txt,
> DERBY4191_miniumSelectPrivOnAllTables_diff_patch3.txt,
> DERBY4191_miniumSelectPrivOnAllTables_diff_patch4.txt,
> DERBY4191_miniumSelectPrivOnAllTables_stat_patch3.txt,
> DERBY4191_miniumSelectPrivOnAllTables_stat_patch4.txt, repro.sql
>
>
> A user that does not have SELECT privilege on a table can still perform a
> SELECT COUNT(*) on that table. Counting a specific column (e.g., SELECT
> COUNT(X)) is prevented.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
