Posted to derby-dev@db.apache.org by "Dag H. Wanvik (JIRA)" <ji...@apache.org> on 2008/07/02 08:04:45 UTC

[jira] Updated: (DERBY-3743) Revoking EXECUTE privilege on a function if used in a CHECK constraint: implementation problem

     [ https://issues.apache.org/jira/browse/DERBY-3743?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dag H. Wanvik updated DERBY-3743:
---------------------------------

    Description: 
The docs say that REVOKE EXECUTE ... RESTRICT should 
fail if there is a dependent constraint:

"The RESTRICT clause specifies that the EXECUTE privilege cannot be
 revoked if the specified routine is used in a view, trigger, or
 constraint, and the privilege is being revoked from the owner of the
 view, trigger, or constraint."

 Revoking the privilege will be correctly restricted, but possibly for the wrong reason.


  was:
The docs say that REVOKE EXECUTE ... RESTRICT should 
fail if there is a dependent constraint:

"The RESTRICT clause specifies that the EXECUTE privilege cannot be
 revoked if the specified routine is used in a view, trigger, or
 constraint, and the privilege is being revoked from the owner of the
 view, trigger, or constraint."

In this case the function f_abs is used in a CHECK
constraint. Revoking the privilege, however, is not restricted as
specified. 

Running GrantRevokeDDLTest with the enclosed patch (revoke-bug.diff)
on trunk I see:

1) testGrantRevokeDDL(org.apache.derbyTesting.functionTests.tests.lang.GrantRevokeDDLTest)java.sql.SQLSyntaxErrorException: User 'MAMTA3' does not have execute permission on FUNCTION 'MAMTA1'.'F_ABS'.

which shows that the revoke statement succeeded.

From inspecting the code, it seems that the dependency is not
registered in storeConstraintDependenciesOnPrivileges, which seems to
only care about REFERENCES privileges for constraints.


     Issue Type: Improvement  (was: Bug)
        Summary: Revoking EXECUTE privilege on a function if used in a CHECK constraint: implementation problem   (was: Revoking EXECUTE privilege on a function is not restricted if used in a CHECK constraint)

Changing description to my new understanding.

> Revoking EXECUTE privilege on a function if used in a CHECK constraint: implementation problem 
> -----------------------------------------------------------------------------------------------
>
>                 Key: DERBY-3743
>                 URL: https://issues.apache.org/jira/browse/DERBY-3743
>             Project: Derby
>          Issue Type: Improvement
>          Components: Security, SQL
>    Affects Versions: 10.5.0.0
>            Reporter: Dag H. Wanvik
>
> The docs say that REVOKE EXECUTE ... RESTRICT should 
> fail if there is a dependent constraint:
> "The RESTRICT clause specifies that the EXECUTE privilege cannot be
>  revoked if the specified routine is used in a view, trigger, or
>  constraint, and the privilege is being revoked from the owner of the
>  view, trigger, or constraint."
>  Revoking the privilege will be correctly restricted, but possibly for the wrong reason.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
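
The scenario described in this issue, as an added SQL example that is not part of the original message or of GrantRevokeDDLTest. It assumes a Derby database with derby.database.sqlAuthorization=true and separate sessions for MAMTA1 and MAMTA3; the F_ABS definition, table T_CHK and constraint CK_ABS are hypothetical. The catalog query shows which provider the constraint's dependency is recorded against, which is the "wrong reason" question.

```sql
-- Session MAMTA1 (routine owner): create the function and grant EXECUTE.
-- The definition of F_ABS is assumed; the message only names the function.
CREATE FUNCTION F_ABS(P1 INT) RETURNS INT
    DETERMINISTIC NO SQL RETURNS NULL ON NULL INPUT
    EXTERNAL NAME 'java.lang.Math.abs'
    LANGUAGE JAVA PARAMETER STYLE JAVA;
GRANT EXECUTE ON FUNCTION F_ABS TO MAMTA3;

-- Session MAMTA3: own a CHECK constraint that calls MAMTA1's function.
CREATE TABLE T_CHK (
    C1 INT,
    CONSTRAINT CK_ABS CHECK (MAMTA1.F_ABS(C1) > 0)
);

-- Either session: list what CK_ABS is recorded as depending on.
-- A non-null ROUTINE_PROVIDER means the dependency is on the routine itself;
-- a non-null PRIVILEGE_GRANTEE means it is on the EXECUTE permission row.
SELECT c.CONSTRAINTNAME,
       a.ALIAS   AS ROUTINE_PROVIDER,
       p.GRANTEE AS PRIVILEGE_GRANTEE
FROM SYS.SYSCONSTRAINTS c
JOIN SYS.SYSDEPENDS d
       ON d.DEPENDENTID = c.CONSTRAINTID
LEFT JOIN SYS.SYSALIASES a
       ON a.ALIASID = d.PROVIDERID
LEFT JOIN SYS.SYSROUTINEPERMS p
       ON p.ROUTINEPERMSID = d.PROVIDERID
WHERE c.CONSTRAINTNAME = 'CK_ABS';

-- Session MAMTA1: per the documentation quoted above, this must be
-- rejected while MAMTA3's constraint CK_ABS still uses F_ABS.
REVOKE EXECUTE ON FUNCTION F_ABS FROM MAMTA3 RESTRICT;

-- Session MAMTA3: remove the dependent constraint.
ALTER TABLE T_CHK DROP CONSTRAINT CK_ABS;

-- Session MAMTA1: no dependent constraint remains, so RESTRICT
-- no longer blocks the revoke.
REVOKE EXECUTE ON FUNCTION F_ABS FROM MAMTA3 RESTRICT;
```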