Grant update(c) on t to U01 with grant option: user U01 will not be able to "revoke update(c) on t from <user | role>" if this 'U01' does some DML before revoke [CORE4836] #5132

Closed
firebird-automations opened this issue Jun 10, 2015 · 5 comments

Comments

@firebird-automations
Collaborator

Submitted by: @pavel-zotov

On an empty user database (alias = 'e30'; FB port = 3333) and a new security3.fdb, do:

isql localhost/3333:e30 -q

-- and then:

create or alter user john_senior password 'sen' grant admin role;
create role modifier;
recreate table test(id int, text varchar(30));

grant select on test to public;
grant update(text) on test to john_senior with grant option;
commit;

connect 'localhost/3333:e30' user 'JOHN_SENIOR' password 'sen';

grant update (text) on test to modifier; ------------------------------------------------------ [ 0 ]
commit;

connect 'localhost/3333:e30' user 'JOHN_SENIOR' password 'sen'; --------------[ 1 ]
select * from test; --------------------------------------------------------------------------------- [ 2 ]

commit;

revoke update(text) on test from role modifier;
commit;

connect 'localhost/3333:e30' user 'SYSDBA' password 'masterkey';
drop role modifier;
drop user john_senior;
drop table test;
commit;

STDERR:

Statement failed, SQLSTATE = 28000
unsuccessful metadata update
-REVOKE failed
-no permission for CONTROL access to TABLE TEST
-At trigger 'RDB$TRIGGER_8'

Note that:
[ 0 ] -- error will NOT be raised if we do not specify COLUMN in the grant statement (i.e. this: "grant update on test to ..." -- works fine)
[ 1 ] -- error WILL be raised with or without reconnect
[ 2 ] -- error will NOT be raised if we comment out 'select * from test';

The same result occurs when granting update of selected column(s) to a USER rather than a role.

Commits: 4168cdf FirebirdSQL/fbt-repository@bb7a4f3
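
To check what the GRANT and REVOKE statements in the script above actually left behind, the column-level rights can be read from the RDB$USER_PRIVILEGES system table. This query is an added example, not part of the original report or of the Firebird test suite; it assumes the TEST table from the script and is meant to be run as SYSDBA before and after the REVOKE.

```sql
-- Added example: list every privilege recorded for table TEST, showing
-- column-level rights, who granted them, and whether the grantee may
-- pass them on. Table name TEST is taken from the script in the report.
select
    trim(p.rdb$user)                                   as grantee,
    case p.rdb$user_type
        when 8  then 'USER'                            -- users (and PUBLIC)
        when 13 then 'ROLE'
        else 'TYPE ' || cast(p.rdb$user_type as varchar(6))
    end                                                as grantee_type,
    trim(p.rdb$grantor)                                as grantor,
    trim(p.rdb$privilege)                              as privilege,  -- 'S' select, 'U' update, ...
    coalesce(trim(p.rdb$field_name), '<whole table>')  as column_name,
    iif(coalesce(p.rdb$grant_option, 0) = 0, 'no', 'yes') as with_grant_option
from rdb$user_privileges p
where p.rdb$relation_name = 'TEST'
  and p.rdb$object_type = 0                            -- 0 = table or view
order by 1, 4, 5;
```

Once the REVOKE succeeds, the row for grantee MODIFIER with privilege U on column TEXT (grantor JOHN_SENIOR) should no longer be returned, while JOHN_SENIOR's own UPDATE(TEXT) row with grant option remains.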

@firebird-automations
Collaborator Author

Modified by: @AlexPeshkoff

assignee: Alexander Peshkov [ alexpeshkoff ]

@firebird-automations
Collaborator Author

Commented by: @AlexPeshkoff

Make grantRevoke() always avoid any rights checks except one done by operator itself. This seems the generic way for our DDL.

@firebird-automations
Collaborator Author

Modified by: @AlexPeshkoff

status: Open [ 1 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]

Fix Version: 3.0 RC 1 [ 10584 ]

@firebird-automations
Collaborator Author

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Resolved [ 5 ]

QA Status: No test => Done successfully

@firebird-automations
Collaborator Author

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Closed [ 6 ]
