Posted to derby-commits@db.apache.org by rh...@apache.org on 2006/08/24 17:58:29 UTC
svn commit: r434408 - in /db/derby/code/trunk/java:
engine/org/apache/derby/impl/sql/execute/ engine/org/apache/derby/loc/
shared/org/apache/derby/shared/common/reference/
testing/org/apache/derbyTesting/functionTests/master/
testing/org/apache/derbyTe...
Author: rhillegas
Date: Thu Aug 24 08:58:27 2006
New Revision: 434408
URL: http://svn.apache.org/viewvc?rev=434408&view=rev
Log:
DERBY-1582: Commit Deepa's d1582_v2.diff patch, raising a warning for vacuous REVOKEs.
Modified:
db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/PrivilegeInfo.java
db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/RoutinePrivilegeInfo.java
db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/TablePrivilegeInfo.java
db/derby/code/trunk/java/engine/org/apache/derby/loc/messages_en.properties
db/derby/code/trunk/java/shared/org/apache/derby/shared/common/reference/SQLState.java
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/grantRevokeDDL.out
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevokeDDL.sql
Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/PrivilegeInfo.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/PrivilegeInfo.java?rev=434408&r1=434407&r2=434408&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/PrivilegeInfo.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/PrivilegeInfo.java Thu Aug 24 08:58:27 2006
@@ -76,4 +76,24 @@
sd.getSchemaName(),
objectDescriptor.getDescriptorName());
}
+
+ /**
+ * This method adds a warning if a revoke statement has not revoked
+ * any privileges from a grantee.
+ *
+ * @param activation
+ * @param grant true if grant, false if revoke
+ * @param privileges_revoked true, if at least one privilege has been
+ * revoked from a grantee, false otherwise
+ * @param grantee authorization id of the user
+ */
+ protected void addWarningIfPrivilegeNotRevoked( Activation activation,
+ boolean grant,
+ boolean privileges_revoked,
+ String grantee)
+ {
+ if(!grant && !privileges_revoked)
+ activation.addWarning(StandardException.newWarning
+ (SQLState.LANG_PRIVILEGE_NOT_REVOKED, grantee));
+ }
}
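Review bot: The warning built in `addWarningIfPrivilegeNotRevoked` passes only `grantee` to `StandardException.newWarning`, so a caller who sees 01006 learns which grantee was unaffected but not which privilege or object the REVOKE failed to match. That detail matters when auditing access: a vacuous REVOKE can mean the privilege was never granted directly to that authorization id, and the access may still exist through another grant. Consider adding the object name as a second message argument, with a matching `{1}` in the 01006 text. Separately, the Javadoc leaves `@param activation` empty; `@param activation activation of the executing statement, on which the warning is recorded` would fill it, and the `if` would be safer with braces.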
Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/RoutinePrivilegeInfo.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/RoutinePrivilegeInfo.java?rev=434408&r1=434407&r2=434408&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/RoutinePrivilegeInfo.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/RoutinePrivilegeInfo.java Thu Aug 24 08:58:27 2006
@@ -78,13 +78,21 @@
dd.startWriting(lcc);
for( Iterator itr = grantees.iterator(); itr.hasNext();)
{
+ // Keep track to see if any privileges are revoked by a revoke
+ // statement. If a privilege is not revoked, we need to raise a
+ // warning.
+ boolean privileges_revoked = false;
String grantee = (String) itr.next();
- if (dd.addRemovePermissionsDescriptor( grant, routinePermsDesc, grantee, tc))
+ if (dd.addRemovePermissionsDescriptor( grant, routinePermsDesc, grantee, tc))
+ {
+ privileges_revoked = true;
//Derby currently supports only restrict form of revoke execute
//privilege and that is why, we are sending invalidation action
//as REVOKE_PRIVILEGE_RESTRICT rather than REVOKE_PRIVILEGE
dd.getDependencyManager().invalidateFor(routinePermsDesc, DependencyManager.REVOKE_PRIVILEGE_RESTRICT, lcc);
-
+ }
+
+ addWarningIfPrivilegeNotRevoked(activation, grant, privileges_revoked, grantee);
}
} // end of executeConstantAction
}
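Review bot: `privileges_revoked` is set to true whenever `addRemovePermissionsDescriptor` returns true, including when `grant` is true, so the name fits only the REVOKE path and is harmless only because the helper ignores it for grants. A neutral name such as `boolean permissionsChanged = false;` (which also follows Java's camelCase convention) would say what the flag actually records. What a true return from `addRemovePermissionsDescriptor` means is not visible in this hunk, so confirm that before renaming. `executeConstantAction` starts outside the hunk.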
Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/TablePrivilegeInfo.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/TablePrivilegeInfo.java?rev=434408&r1=434407&r2=434408&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/TablePrivilegeInfo.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/execute/TablePrivilegeInfo.java Thu Aug 24 08:58:27 2006
@@ -128,22 +128,38 @@
// Add or remove the privileges to/from the SYS.SYSTABLEPERMS and SYS.SYSCOLPERMS tables
for( Iterator itr = grantees.iterator(); itr.hasNext();)
{
+ // Keep track to see if any privileges are revoked by a revoke
+ // statement. If a privilege is not revoked, we need to raise a
+ // warning. For table privileges, we do not check if privilege for
+ // a specific action has been revoked or not. Also, we do not check
+ // privileges for specific columns. If at least one privilege has
+ // been revoked, we do not raise a warning. This has to be refined
+ // further to check for specific actions/columns and raise warning
+ // if any privilege has not been revoked.
+ boolean privileges_revoked = false;
+
String grantee = (String) itr.next();
if( tablePermsDesc != null)
{
if (dd.addRemovePermissionsDescriptor( grant, tablePermsDesc, grantee, tc))
{
- dd.getDependencyManager().invalidateFor(tablePermsDesc, DependencyManager.REVOKE_PRIVILEGE, lcc);
+ privileges_revoked = true;
+ dd.getDependencyManager().invalidateFor(tablePermsDesc, DependencyManager.REVOKE_PRIVILEGE, lcc);
}
}
for( int i = 0; i < columnBitSets.length; i++)
{
if( colPermsDescs[i] != null)
{
- if (dd.addRemovePermissionsDescriptor( grant, colPermsDescs[i], grantee, tc))
- dd.getDependencyManager().invalidateFor(colPermsDescs[i], DependencyManager.REVOKE_PRIVILEGE, lcc);
+ if (dd.addRemovePermissionsDescriptor( grant, colPermsDescs[i], grantee, tc))
+ {
+ privileges_revoked = true;
+ dd.getDependencyManager().invalidateFor(colPermsDescs[i], DependencyManager.REVOKE_PRIVILEGE, lcc);
+ }
}
}
+
+ addWarningIfPrivilegeNotRevoked(activation, grant, privileges_revoked, grantee);
}
} // end of executeConstantAction
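Review bot: As the new comment says, `privileges_revoked` becomes true as soon as any one table or column descriptor changes, so a REVOKE that names several actions or columns and removes only some of them finishes without 01006. Anyone treating the absence of the warning as confirmation that every named privilege was held and removed gets a false signal in that case. Until the refinement is done, the comment should carry a tracking reference, e.g. `// TODO(<issue id>): warn per action/column, not per grantee`, and the limitation should be stated wherever 01006 is documented. The enclosing `executeConstantAction` starts outside the hunk.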
Modified: db/derby/code/trunk/java/engine/org/apache/derby/loc/messages_en.properties
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/loc/messages_en.properties?rev=434408&r1=434407&r2=434408&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/loc/messages_en.properties (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/loc/messages_en.properties Thu Aug 24 08:58:27 2006
@@ -428,6 +428,7 @@
01522=The newly defined synonym ''{0}'' resolved to the object ''{1}'' which is currently undefined.
01001=An attempt to update or delete an already deleted row was made: No row was updated or deleted.
01003=Null values were eliminated from the argument of a column function.
+01006=Privilege not revoked from {0}.
0100E=XX Attempt to return too many result sets.
02000=No row was found for FETCH, UPDATE or DELETE; or the result of a query is an empty table.
# Next one is generic XQuery error per SQL/XML[2006]
Modified: db/derby/code/trunk/java/shared/org/apache/derby/shared/common/reference/SQLState.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/shared/org/apache/derby/shared/common/reference/SQLState.java?rev=434408&r1=434407&r2=434408&view=diff
==============================================================================
--- db/derby/code/trunk/java/shared/org/apache/derby/shared/common/reference/SQLState.java (original)
+++ db/derby/code/trunk/java/shared/org/apache/derby/shared/common/reference/SQLState.java Thu Aug 24 08:58:27 2006
@@ -638,7 +638,8 @@
String LANG_VALUE_TRUNCATED = "01505";
String LANG_SYNONYM_UNDEFINED = "01522";
String LANG_NULL_ELIMINATED_IN_SET_FUNCTION = "01003";
-
+ String LANG_PRIVILEGE_NOT_REVOKED = "01006";
+
String LANG_NO_ROW_FOUND = "02000";
String LANG_TOO_MANY_DYNAMIC_RESULTS_RETURNED = "0100E";
@@ -1598,7 +1599,7 @@
String UNABLE_TO_OBTAIN_MESSAGE_TEXT_FROM_SERVER = "01J12";
String NUMBER_OF_ROWS_TOO_LARGE_FOR_INT = "01J13";
String SQL_AUTHORIZATION_WITH_NO_AUTHENTICATION = "01J14";
-
+
String CURSOR_OPERATION_CONFLICT = "01001";
Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/grantRevokeDDL.out
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/grantRevokeDDL.out?rev=434408&r1=434407&r2=434408&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/grantRevokeDDL.out (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/master/grantRevokeDDL.out Thu Aug 24 08:58:27 2006
@@ -37,11 +37,24 @@
ij(BARCONNECTION)> revoke delete on satheesh.tsat from foo;
ERROR: Failed with SQLSTATE 2850C
ij(BARCONNECTION)> set connection satConnection;
-ij(SATCONNECTION)> -- Revoke permissions not granted already
+ij(SATCONNECTION)> -- Revoke table permissions not granted already. This should raise warnings.
revoke trigger on satheesh.tsat from foo;
0 rows inserted/updated/deleted
+WARNING 01006: Privilege not revoked from FOO.
ij(SATCONNECTION)> revoke references on satheesh.tsat from foo;
0 rows inserted/updated/deleted
+WARNING 01006: Privilege not revoked from FOO.
+ij(SATCONNECTION)> -- This should raise warnings for bar
+revoke insert on satheesh.tsat from foo, bar;
+0 rows inserted/updated/deleted
+WARNING 01006: Privilege not revoked from BAR.
+ij(SATCONNECTION)> -- This should raise warnings for both foo and bar
+revoke insert on satheesh.tsat from foo, bar;
+0 rows inserted/updated/deleted
+WARNING 01006: Privilege not revoked from FOO.
+WARNING 01006: Privilege not revoked from BAR.
+ij(SATCONNECTION)> grant insert on satheesh.tsat to foo;
+0 rows inserted/updated/deleted
ij(SATCONNECTION)> -- Following revokes should revoke permissions
revoke update on satheesh.tsat from foo;
0 rows inserted/updated/deleted
@@ -71,6 +84,10 @@
EXTERNAL NAME 'java.lang.Math.abs'
LANGUAGE JAVA PARAMETER STYLE JAVA;
0 rows inserted/updated/deleted
+ij(SATCONNECTION)> -- Revoke routine permission not granted already. This should raise a warning.
+revoke execute on function F_ABS(int) from bar RESTRICT;
+0 rows inserted/updated/deleted
+WARNING 01006: Privilege not revoked from BAR.
ij(SATCONNECTION)> grant execute on function F_ABS to foo;
0 rows inserted/updated/deleted
ij(SATCONNECTION)> grant execute on function F_ABS(int) to bar;
@@ -395,8 +412,10 @@
0 rows inserted/updated/deleted
ij(SWIPERCONNECTION)> revoke select on swiperTab from satheesh;
0 rows inserted/updated/deleted
+WARNING 01006: Privilege not revoked from SATHEESH.
ij(SWIPERCONNECTION)> revoke insert on swiperTab from satheesh;
0 rows inserted/updated/deleted
+WARNING 01006: Privilege not revoked from SATHEESH.
ij(SWIPERCONNECTION)> set connection satConnection;
ij(SATCONNECTION)> -- Should still work, as satheesh is DBA
select * from swiper.swiperTab;
@@ -416,6 +435,7 @@
0 rows inserted/updated/deleted
ij(SATCONNECTION)> revoke insert on swiper.swiperTab from satheesh;
0 rows inserted/updated/deleted
+WARNING 01006: Privilege not revoked from SATHEESH.
ij(SATCONNECTION)> -- Test system routines. Some don't need explicit grant and others do
-- allowing for only DBA use by default
set connection satConnection;
@@ -553,6 +573,7 @@
ij(MAMTA4)> set connection mamta1;
ij(MAMTA1)> revoke all privileges on t11 from PUBLIC;
0 rows inserted/updated/deleted
+WARNING 01006: Privilege not revoked from PUBLIC.
ij(MAMTA1)> select * from mamta1.t11;
C111
-----------
@@ -609,6 +630,7 @@
1 row selected
ij(MAMTA1)> revoke select on t11 from mamta2, mamta3, mamta4;
0 rows inserted/updated/deleted
+WARNING 01006: Privilege not revoked from MAMTA4.
ij(MAMTA1)> revoke update(c111, c112) on t11 from mamta2, mamta3, mamta4;
0 rows inserted/updated/deleted
ij(MAMTA1)> drop table t11;
Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevokeDDL.sql
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevokeDDL.sql?rev=434408&r1=434407&r2=434408&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevokeDDL.sql (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/grantRevokeDDL.sql Thu Aug 24 08:58:27 2006
@@ -23,9 +23,14 @@
set connection satConnection;
--- Revoke permissions not granted already
+-- Revoke table permissions not granted already. This should raise warnings.
revoke trigger on satheesh.tsat from foo;
revoke references on satheesh.tsat from foo;
+-- This should raise warnings for bar
+revoke insert on satheesh.tsat from foo, bar;
+-- This should raise warnings for both foo and bar
+revoke insert on satheesh.tsat from foo, bar;
+grant insert on satheesh.tsat to foo;
-- Following revokes should revoke permissions
revoke update on satheesh.tsat from foo;
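Review bot: The added cases exercise single-action REVOKEs only; none names several actions or a column list where the grantee holds just some of them, which is the case the TablePrivilegeInfo comment in this commit marks as not yet handled. A case such as `revoke insert, delete on satheesh.tsat from foo;`, placed where foo is known to hold only one of the two and commented to say no warning is currently expected, would pin today's behaviour and make the later refinement show up as a deliberate master-file change. The privileges foo and bar hold at this point come from statements outside the hunk, so the exact actions to use need checking against the full script.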
@@ -48,6 +53,9 @@
RETURNS NULL ON NULL INPUT
EXTERNAL NAME 'java.lang.Math.abs'
LANGUAGE JAVA PARAMETER STYLE JAVA;
+
+-- Revoke routine permission not granted already. This should raise a warning.
+revoke execute on function F_ABS(int) from bar RESTRICT;
grant execute on function F_ABS to foo;
grant execute on function F_ABS(int) to bar;