Grant update(c) on t to U01 with grant option: user U01 will not be able to "revoke update(c) on t from <user | role>" if this 'U01' does some DML before revoke [CORE4836]
#5132
On an empty user database (alias = 'e30'; FB port = 3333) and a new security3.fdb, do:
isql localhost/3333:e30 -q
-- and then:
create or alter user john_senior password 'sen' grant admin role;
create role modifier;
recreate table test(id int, text varchar(30));
grant select on test to public;
grant update(text) on test to john_senior with grant option;
commit;
connect 'localhost/3333:e30' user 'JOHN_SENIOR' password 'sen';
grant update (text) on test to modifier; ------------------------------------------------------ [ 0 ]
commit;
connect 'localhost/3333:e30' user 'JOHN_SENIOR' password 'sen'; --------------[ 1 ]
select * from test; --------------------------------------------------------------------------------- [ 2 ]
commit;
revoke update(text) on test from role modifier;
commit;
connect 'localhost/3333:e30' user 'SYSDBA' password 'masterkey';
drop role modifier;
drop user john_senior;
drop table test;
commit;
STDERR:
Statement failed, SQLSTATE = 28000
unsuccessful metadata update
-REVOKE failed
-no permission for CONTROL access to TABLE TEST
-At trigger 'RDB$TRIGGER_8'
Note that:
[ 0 ] -- the error will NOT be raised if we do not specify a COLUMN in the grant statement (i.e. this: "grant update on test to ..." -- works fine)
[ 1 ] -- the error WILL be raised with or without the reconnect
[ 2 ] -- the error will NOT be raised if we comment out 'select * from test';
The same result occurs when granting update of selected column(s) to a USER rather than a role.
Submitted by: @pavel-zotov
Commits: 4168cdf FirebirdSQL/fbt-repository@bb7a4f3