GRANT SELECT privileges not set in SQL FUNCTIONs #3230

Closed
monetdb-team opened this issue Nov 30, 2020 · 0 comments
Date: 2013-02-09 17:26:57 +0100
From: @bartscheers
To: SQL devs <>
Version: 11.15.1 (Feb2013)
CC: @njnes

Last updated: 2013-03-07 12:41:23 +0100

Comment 18456

Date: 2013-02-09 17:26:57 +0100
From: @bartscheers

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:16.0) Gecko/20100101 Firefox/16.0
Build Identifier:

A user having only select privileges on a table is allowed to do so when a sql function performs the insert into the table.

Reproducible: Always

Steps to Reproduce:

  1. ./setup.sh
  2. mclient -dgrantupd < setup.sql
  3. mclient -dgrantupd -ubart < insertbug.sql
  4. mclient -dgrantupd -ubart < updatebug.sql
  5. mclient -dgrantupd -ubart < deletebug.sql

Actual Results:

row inserted, updated, deleted

Expected Results:

An insufficient privileges message for all cases, and no execution of function

Comment 18457

Date: 2013-02-09 17:32:58 +0100
From: @bartscheers

Created attachment 178
contains the necessary test files

Attached file: grantfunctionbug.tar (text/plain, 10240 bytes)
Description: contains the necessary test files

Comment 18471

Date: 2013-02-13 16:00:33 +0100
From: @njnes

Changeset fffd420f1ee8 made by Niels Nes niels@cwi.nl in the MonetDB repo, refers to this bug.

For complete details, see http://dev.monetdb.org/hg/MonetDB?cmd=changeset;node=fffd420f1ee8

Changeset description:

fixes and test added for bug #3230

Comment 18472

Date: 2013-02-13 16:02:55 +0100
From: @njnes

fixed. We now check user rights also in recursive sql.
This means tables under views are checked for user rights properly (we don't support materialized views)

Comment 18592

Date: 2013-03-07 12:41:23 +0100
From: @sjoerdmullender

Feb2013-SP1 has been released.
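
The check described in comment 18472, as an added example that is not part of the original thread and is not MonetDB's code: a small Python model contrasting a privilege check that stops at the top-level statement with one that descends into function bodies and checks each statement against the caller's rights. The table `t`, the functions `ins` and `wrap`, and all class and function names are assumptions made for the illustration; only the user name `bart` comes from the reproduction steps.

```python
# Added illustration: a toy model of statement-level privilege checking.
# Stmt, Catalog, shallow_check and recursive_check are hypothetical names.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Stmt:
    action: str   # "SELECT", "INSERT", "UPDATE", "DELETE" or "CALL"
    target: str   # table name, or function name when action is "CALL"

@dataclass
class Catalog:
    functions: dict = field(default_factory=dict)  # name -> list of Stmt
    grants: set = field(default_factory=set)       # (user, action, table)

    def allowed(self, user, action, table):
        return (user, action, table) in self.grants

def shallow_check(cat, user, stmt):
    """Models the reported behaviour: a function call is never looked into."""
    if stmt.action == "CALL":
        return []
    return [] if cat.allowed(user, stmt.action, stmt.target) else [stmt]

def recursive_check(cat, user, stmt, _seen=None):
    """Models the fix: check every statement reachable through function bodies."""
    seen = _seen if _seen is not None else set()
    if stmt.action != "CALL":
        return [] if cat.allowed(user, stmt.action, stmt.target) else [stmt]
    if stmt.target in seen:      # guard against self or mutual recursion
        return []
    seen.add(stmt.target)
    denied = []
    for inner in cat.functions.get(stmt.target, []):
        denied += recursive_check(cat, user, inner, seen)
    return denied

def demo():
    # Constructed scenario: bart holds SELECT only on table t.
    cat = Catalog()
    cat.grants.add(("bart", "SELECT", "t"))
    cat.functions["ins"] = [Stmt("INSERT", "t")]
    cat.functions["wrap"] = [Stmt("SELECT", "t"), Stmt("CALL", "ins"),
                             Stmt("CALL", "wrap")]
    call = Stmt("CALL", "wrap")
    return shallow_check(cat, "bart", call), recursive_check(cat, "bart", call)

if __name__ == "__main__":
    print(demo())
```
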
