[ https://issues.apache.org/jira/browse/DERBY-4191?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12799556#action_12799556 ]
Mamta A. Satoor commented on DERBY-4191:
----------------------------------------
Thanks again for all your time, Rick. I have committed the patch (revision
898635) with the following commit comments:

DERBY-4191

Require minimum select privilege from the tables in the SELECT sql if no column
is selected from the table by the user, e.g.

    select count(*) from root.t;
    select 1 from root.t;

For the query above, Derby was letting the user execute the select even if the
user had no select privilege available on root.t. With this fix, Derby will
check if there is at least one column on which the user has select privilege
available to it or if the user has select privilege at the table level. If yes,
only then the user will be able to select from another user's table.

    select myTable.a from myTable, admin.privateTable

For the query above, since no column is selected specifically from
admin.privateTable, Derby will now see if there is table level select privilege
or at least one column level select privilege available on admin.privateTable.

One other problem scenario was

    update ruth.t_ruth set a = ( select max(c) from ruth.v_ruth );

For the query above, prior to the fix for DERBY-4191, we were not looking for
select privilege for the subquery. That has also been fixed with the fix for
DERBY-4191.

All the existing tests passed with no regression. Added a few tests for the fixes
involved in this jira.

> Lack of SELECT privilege does not prevent SELECT COUNT(*)
> ---------------------------------------------------------
>
> Key: DERBY-4191
> URL: https://issues.apache.org/jira/browse/DERBY-4191
> Project: Derby
> Issue Type: Bug
> Components: SQL
> Affects Versions: 10.4.2.0, 10.5.1.1
> Reporter: Knut Anders Hatlen
> Assignee: Mamta A. Satoor
> Attachments:
> DERBY4191_ColumnLevelCheckInStatmentColumnPerm_diff_patch2.txt,
> DERBY4191_ColumnLevelCheckInStatmentColumnPerm_stat_patch2.txt,
> DERBY4191_ColumnLevelCheckInStatmentTablePerm_diff_patch1.txt,
> DERBY4191_countStar_privilege_diff_patch1.txt,
> DERBY4191_miniumSelectPriv_CursorNode_And_Subquery_diff_patch6.txt,
> DERBY4191_miniumSelectPriv_CursorNode_And_Subquery_stat_patch6.txt,
> DERBY4191_miniumSelectPrivOnAllTables_And_Subquery_diff_patch5.txt,
> DERBY4191_miniumSelectPrivOnAllTables_And_Subquery_stat_patch5.txt,
> DERBY4191_miniumSelectPrivOnAllTables_diff_patch3.txt,
> DERBY4191_miniumSelectPrivOnAllTables_diff_patch4.txt,
> DERBY4191_miniumSelectPrivOnAllTables_stat_patch3.txt,
> DERBY4191_miniumSelectPrivOnAllTables_stat_patch4.txt, repro.sql
>
>
> A user that does not have SELECT privilege on a table can still perform a
> SELECT COUNT(*) on that table. Counting a specific column (e.g., SELECT
> COUNT(X)) is prevented.
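
A regression script covering the scenarios in the commit comment above, added here as an example (it is not part of the committed patch or of Derby's test suite). It assumes Derby's ij tool, a constructed database named privdb, users root and alice with no authentication configured, and the hypothetical objects t_upd and v_t.

```sql
-- Added regression script for Derby's ij tool (constructed example).
-- Assumed names: database privdb, users root (owner) and alice,
-- objects t_upd and v_t. root.t and myTable follow the commit comment.
connect 'jdbc:derby:privdb;create=true;user=root';
call syscs_util.syscs_set_database_property(
    'derby.database.sqlAuthorization', 'true');
disconnect;
-- Reboot so the property takes effect; ij reports the shutdown as ERROR 08006.
connect 'jdbc:derby:privdb;shutdown=true';

connect 'jdbc:derby:privdb;user=root' as root_conn;
create table t (a int, b int);
insert into t values (1, 2);
create table t_upd (a int);
insert into t_upd values (0);
create view v_t as select b as c from t;
grant update on t_upd to alice;   -- UPDATE only, no SELECT on v_t

connect 'jdbc:derby:privdb;user=alice' as alice_conn;
create table myTable (a int);

-- No column of root.t is named in these statements. On a fixed build each
-- one must be denied with a permission error (SQLSTATE 42500 or 42502).
select count(*) from root.t;
select 1 from root.t;
select myTable.a from myTable, root.t;
-- The subquery needs SELECT privilege on the view as well.
update root.t_upd set a = (select max(c) from root.v_t);

-- A single column-level grant satisfies the minimum select privilege.
set connection root_conn;
grant select (a) on t to alice;
set connection alice_conn;
select count(*) from root.t;      -- now allowed
select b from root.t;             -- still denied: no privilege on column b

-- Granting SELECT on the view lets the update with the subquery through.
set connection root_conn;
grant select on v_t to alice;
set connection alice_conn;
update root.t_upd set a = (select max(c) from root.v_t);
```

On a build without the fix, the first four statements run as alice succeed instead of failing, which is the behaviour the issue reports.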