Re: [Firebird-devel] WITH CALLER PRIVILEGES propagation
Without it, it obviously fails. Because the "limited" user does not have permissions. That's what I'm trying to go around through the permissions of the calling object.

--
Mgr. Jiří Činčura
https://www.tabsoverspaces.com/

On Thu, Apr 21, 2022, at 14:57, Alex Peshkoff via Firebird-devel wrote:
> On 21.04.2022 13:38, Jiří Činčura wrote:
>
>> I guess the "caller privileges" is propagated only into
>> `pkg_test_limited.test` when calling, but not further into `t_test`. Can I
>> somehow make it work/propagate? Or did I misunderstand the feature?
>>
>
> "with caller privileges" was designed to make privileges, granted to
> the calling object, be used when processing a dynamic SQL statement. So first
> of all I suggest to perform all this chain of calls w/o execute
> statement and see whether it makes any difference.

Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] WITH CALLER PRIVILEGES propagation
On 21.04.2022 13:38, Jiří Činčura wrote:

> I guess the "caller privileges" is propagated only into
> `pkg_test_limited.test` when calling, but not further into `t_test`. Can I
> somehow make it work/propagate? Or did I misunderstand the feature?

"with caller privileges" was designed to make privileges, granted to the calling object, be used when processing a dynamic SQL statement. So first of all I suggest to perform all this chain of calls w/o execute statement and see whether it makes any difference.
[Firebird-devel] WITH CALLER PRIVILEGES propagation
Hi,

Can I propagate the privileges down into the call stack when using WITH CALLER PRIVILEGES? For example:

CREATE TABLE T_TEST (ID INTEGER NOT NULL,
CONSTRAINT PK_TEST PRIMARY KEY (ID));

/* Package header: PKG_TEST, Owner: SYSDBA */
CREATE PACKAGE PKG_TEST AS
begin
  procedure test returns (i int);
end^

/* Package header: PKG_TEST_LIMITED, Owner: SYSDBA */
CREATE PACKAGE PKG_TEST_LIMITED AS
begin
  procedure test returns (i int);
end^

/* Package body: PKG_TEST, Owner: SYSDBA */
CREATE PACKAGE BODY PKG_TEST AS
begin
  procedure test returns (i int)
  as
  begin
    for select id from t_test into :i do
    begin
      suspend;
    end
  end
end^

/* Package body: PKG_TEST_LIMITED, Owner: SYSDBA */
CREATE PACKAGE BODY PKG_TEST_LIMITED AS
begin
  procedure test returns (i int)
  as
  begin
    for execute statement 'select i from pkg_test.test' with caller privileges into :i do
    begin
      suspend;
    end
  end
end^

/* Grant permissions for this database */
GRANT SELECT ON T_TEST TO PACKAGE PKG_TEST_LIMITED;
GRANT EXECUTE ON PACKAGE PKG_TEST_LIMITED TO USER LIMITED;

Now if I do, under the LIMITED user, `select * from pkg_test_limited.test;` it will end up with `no permission for SELECT access to TABLE T_TEST`. But if I change the execute statement into `for execute statement 'select id t_test' with caller privileges into :i do` everything is fine.

I guess the "caller privileges" is propagated only into `pkg_test_limited.test` when calling, but not further into `t_test`. Can I somehow make it work/propagate? Or did I misunderstand the feature?

--
Mgr. Jiří Činčura
https://www.tabsoverspaces.com/
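
The grants from the post above, reworked so that each object in the call chain holds only the privilege it uses itself, followed by a query that audits the result. This is an added example, not part of the thread or of Firebird's documentation. It assumes that Firebird checks every access against the grants of the object making it (or of the connected user); the first GRANT, the second GRANT and the REVOKE are additions, not statements from the post.

```sql
/* Added example, not from the thread.
   Assumption: a grant made to a package covers only statements executed
   by that package, so every hop in the chain needs its own grant. */

/* Hop 2: PKG_TEST is the object that actually reads T_TEST. */
GRANT SELECT ON T_TEST TO PACKAGE PKG_TEST;

/* Hop 1: PKG_TEST_LIMITED only calls PKG_TEST (through EXECUTE STATEMENT
   ... WITH CALLER PRIVILEGES), so it needs EXECUTE on that package and
   no direct access to the table. */
GRANT EXECUTE ON PACKAGE PKG_TEST TO PACKAGE PKG_TEST_LIMITED;
REVOKE SELECT ON T_TEST FROM PACKAGE PKG_TEST_LIMITED;

/* Entry point: unchanged from the original post. */
GRANT EXECUTE ON PACKAGE PKG_TEST_LIMITED TO USER LIMITED;

/* Audit: list who holds which privilege on the three objects.
   User LIMITED should appear only against PKG_TEST_LIMITED;
   any row that pairs LIMITED with T_TEST means the user can
   bypass the packages and read the table directly. */
SELECT TRIM(p.RDB$RELATION_NAME) AS OBJECT_NAME,
       p.RDB$OBJECT_TYPE         AS OBJECT_TYPE,
       TRIM(p.RDB$USER)          AS GRANTEE,
       p.RDB$USER_TYPE           AS GRANTEE_TYPE,
       TRIM(p.RDB$PRIVILEGE)     AS PRIVILEGE,
       TRIM(p.RDB$GRANTOR)       AS GRANTOR
FROM RDB$USER_PRIVILEGES p
WHERE p.RDB$RELATION_NAME IN ('T_TEST', 'PKG_TEST', 'PKG_TEST_LIMITED')
  AND p.RDB$USER <> 'SYSDBA'
ORDER BY 1, 3, 5;
```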