
Grant update(c) on t to U01 with grant option: user U01 will not be able to "revoke update(c) on t from <user | role>" if this 'U01' do some DML before revoke [CORE4836] #5132

Closed
firebird-issue-importer opened this issue Jun 10, 2015 · 5 comments

Submitted by: @pavel-zotov

On an empty user database (alias = 'e30'; FB port = 3333) and a new security3.fdb, do:

isql localhost/3333:e30 -q

-- and then:

create or alter user john_senior password 'sen' grant admin role;
create role modifier;
recreate table test(id int, text varchar(30));

grant select on test to public;
grant update(text) on test to john_senior with grant option;
commit;

connect 'localhost/3333:e30' user 'JOHN_SENIOR' password 'sen';

grant update (text) on test to modifier; ------------------------------------------------------ [ 0 ]
commit;

connect 'localhost/3333:e30' user 'JOHN_SENIOR' password 'sen'; --------------[ 1 ]
select * from test; --------------------------------------------------------------------------------- [ 2 ]

commit;

revoke update(text) on test from role modifier;
commit;

connect 'localhost/3333:e30' user 'SYSDBA' password 'masterkey';
drop role modifier;
drop user john_senior;
drop table test;
commit;

STDERR:

Statement failed, SQLSTATE = 28000
unsuccessful metadata update
-REVOKE failed
-no permission for CONTROL access to TABLE TEST
-At trigger 'RDB$TRIGGER_8'

Note that:
[ 0 ] -- the error will NOT be raised if we do not specify a COLUMN in the grant statement (i.e. this: "grant update on test to ..." -- works fine)
[ 1 ] -- the error WILL be raised with or without reconnect
[ 2 ] -- the error will NOT be raised if 'select * from test' is commented out

The same result occurs when granting update of selected column(s) to a USER rather than a role.

Commits: 4168cdf FirebirdSQL/fbt-repository@bb7a4f3

firebird-issue-importer commented Jun 10, 2015

Modified by: @AlexPeshkoff

assignee: Alexander Peshkov [ alexpeshkoff ]

firebird-issue-importer commented Jun 25, 2015

Commented by: @AlexPeshkoff

Make grantRevoke() always avoid any rights checks except the one done by the operator itself. This seems to be the generic way for our DDL.

firebird-issue-importer commented Jun 25, 2015

Modified by: @AlexPeshkoff

status: Open [ 1 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]

Fix Version: 3.0 RC 1 [ 10584 ]

firebird-issue-importer commented Jun 30, 2015

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Resolved [ 5 ]

QA Status: No test => Done successfully

firebird-issue-importer commented Jun 30, 2015

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Closed [ 6 ]
