You are viewing a plain text version of this content. The canonical link for it is here.
Posted to derby-dev@db.apache.org by "Mamta A. Satoor (JIRA)" <ji...@apache.org> on 2010/01/07 01:56:54 UTC
[jira] Updated: (DERBY-4191) Lack of SELECT privilege does not
prevent SELECT COUNT(*)
[ https://issues.apache.org/jira/browse/DERBY-4191?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Mamta A. Satoor updated DERBY-4191:
-----------------------------------
Attachment: DERBY4191_miniumSelectPriv_CursorNode_And_Subquery_stat_patch6.txt
DERBY4191_miniumSelectPriv_CursorNode_And_Subquery_diff_patch6.txt
Attaching another patch, DERBY4191_miniumSelectPriv_CursorNode_And_Subquery_diff_patch6.txt. I have made couple changes in this patch compared to the previous Both the patches require that user had minimum select privileges on all the tables in the select list. But the earlier patch made that check in SelectNode whereas this patch makes that check in CursorNode. The reason for this is for a simple DMLlike following, delete from ruth.t_ruth, a SelectNode is generated. But that SelectNode is to generate the resultset needed for delete. From my research, I believe CursorNode is the correct node where the minimum select privilege requirement should go. I have added test cases mentioned by Rick for the earlier patch and those test cases along with all the existing tests run with no problem with this patch. Another change in this patch compared to earlier one is the select privilege requirement for subquery now happens around the entire bind time code in SubqueryNode rather than just aroiund resultSet.bindExpressions. Would appreciate if someone can review this patch for me to see if they see any problems with it.
> Lack of SELECT privilege does not prevent SELECT COUNT(*)
> ---------------------------------------------------------
>
> Key: DERBY-4191
> URL: https://issues.apache.org/jira/browse/DERBY-4191
> Project: Derby
> Issue Type: Bug
> Components: SQL
> Affects Versions: 10.4.2.0, 10.5.1.1
> Reporter: Knut Anders Hatlen
> Assignee: Mamta A. Satoor
> Attachments: DERBY4191_ColumnLevelCheckInStatmentColumnPerm_diff_patch2.txt, DERBY4191_ColumnLevelCheckInStatmentColumnPerm_stat_patch2.txt, DERBY4191_ColumnLevelCheckInStatmentTablePerm_diff_patch1.txt, DERBY4191_countStar_privilege_diff_patch1.txt, DERBY4191_miniumSelectPriv_CursorNode_And_Subquery_diff_patch6.txt, DERBY4191_miniumSelectPriv_CursorNode_And_Subquery_stat_patch6.txt, DERBY4191_miniumSelectPrivOnAllTables_And_Subquery_diff_patch5.txt, DERBY4191_miniumSelectPrivOnAllTables_And_Subquery_stat_patch5.txt, DERBY4191_miniumSelectPrivOnAllTables_diff_patch3.txt, DERBY4191_miniumSelectPrivOnAllTables_diff_patch4.txt, DERBY4191_miniumSelectPrivOnAllTables_stat_patch3.txt, DERBY4191_miniumSelectPrivOnAllTables_stat_patch4.txt, repro.sql
>
>
> A user that does not have SELECT privilege on a table can still perform a SELECT COUNT(*) on that table. Counting a specific column (e.g., SELECT COUNT(X)) is prevented.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.