You are viewing a plain text version of this content. The canonical link for it is here.
Posted to derby-dev@db.apache.org by "Dag H. Wanvik (JIRA)" <ji...@apache.org> on 2008/07/02 08:04:45 UTC
[jira] Updated: (DERBY-3743) Revoking EXECUTE privilege on a
function if used in a CHECK constraint: implementation problem
[ https://issues.apache.org/jira/browse/DERBY-3743?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dag H. Wanvik updated DERBY-3743:
---------------------------------
Description:
The docs say that REVOKE EXECUTE ... RESTRICT should
fail if there is a dependent constraint:
"The RESTRICT clause specifies that the EXECUTE privilege cannot be
revoked if the specified routine is used in a view, trigger, or
constraint, and the privilege is being revoked from the owner of the
view, trigger, or constraint."
Revoking the privilege will be correctly restricted, but possibly for the wrong reason.
was:
The docs say that REVOKE EXECUTE ... RESTRICT should
fail if there is a dependent constraint:
"The RESTRICT clause specifies that the EXECUTE privilege cannot be
revoked if the specified routine is used in a view, trigger, or
constraint, and the privilege is being revoked from the owner of the
view, trigger, or constraint."
In this case the function f_abs is used in a CHECK
constraint. Revoking the privilege, however, is not restricted as
specified.
Running GrantRevokeDDLTest with the enclosed patch (revoke-bug.diff)
on trunk I see:
1) testGrantRevokeDDL(org.apache.derbyTesting.functionTests.tests.lang.GrantRevokeDDLTest)java.sql.SQLSyntaxErrorException: User 'MAMTA3' does not have execute permission on FUNCTION 'MAMTA1'.'F_ABS'.
which shows that the revoke statement succeeded.
>From inspecting the code, it seems that the dependency is not
registered in storeConstraintDependenciesOnPrivileges, which seems to
only care about REFERENCES privileges for constraints.
Issue Type: Improvement (was: Bug)
Summary: Revoking EXECUTE privilege on a function if used in a CHECK constraint: implementation problem (was: Revoking EXECUTE privilege on a function is not restricted if used in a CHECK constraint)
Changing description to my new understanding.
> Revoking EXECUTE privilege on a function if used in a CHECK constraint: implementation problem
> -----------------------------------------------------------------------------------------------
>
> Key: DERBY-3743
> URL: https://issues.apache.org/jira/browse/DERBY-3743
> Project: Derby
> Issue Type: Improvement
> Components: Security, SQL
> Affects Versions: 10.5.0.0
> Reporter: Dag H. Wanvik
>
> The docs say that REVOKE EXECUTE ... RESTRICT should
> fail if there is a dependent constraint:
> "The RESTRICT clause specifies that the EXECUTE privilege cannot be
> revoked if the specified routine is used in a view, trigger, or
> constraint, and the privilege is being revoked from the owner of the
> view, trigger, or constraint."
> Revoking the privilege will be correctly restricted, but possibly for the wrong reason.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.