Add virtual table SEC$ROLES to return all roles currently active for the connected user [CORE5239] #5518
Comments
Modified by: @dyemanovFix Version: 4.0 Alpha 1 [ 10731 ] |
|
Commented by: @AlexPeshkoff This may be done using WITH RECURSIVE sql query on system tables. Do not want to say that virtual table is not needed at all - but goal can be reached w/o it. |
|
Commented by: @sim1984 Alex, one small question GRANT DEFAULT R1 TO USER IVAN; What value will CURRENT_ROLE after connection? |
|
Commented by: @dyemanov Currently, it's NONE. And I see no better option. |
|
Commented by: @sim1984 Thus in CURRENT_ROLE can only be the role specified when connected or setted using the SET ROLE? However, in some cases, it is useful to know what of the roles a user has privileges to the example above. |
|
Commented by: @dyemanov Alex: select on systables is not ideal, some roles may be granted after the current connection has been established and in fact they won't be active. |
|
Commented by: Bjoern Reimer (bnreimer) > Currently, it's NONE. And I see no better option. Please don't do this. It will break compatibility of older code whenever an admin grants a second role! I'd suggest to let it be the first role a user is granted and add a boolean variable (e.g.) more_roles which should be true when there are other roles to check for. |
|
Commented by: @AlexPeshkoff Bjoern, this does not break anything. CURRENT_ROLE now is displayed when it's selected _explicitly_ by the user when connecting to DB (or using SET ROLE in FB3). Default roles never existed in firebird and therefore could not be displayed. |
|
Commented by: @dyemanov First of all, older code will continue to work as long as it specifies role at connect time. We're speaking about implicit (default) roles here. Second, we don't have a historical info what role was granted first, so "the first role" could be either old one or the newly granted one, unpredictably. So other mechanisms should be used to check for multiple implicit roles. |
|
Commented by: Bjoern Reimer (bnreimer) Ok, I missed that you where talking only about DEFAULT Roles and that the handling of explicait roles will not change: Am I right here: GRANT DEFAULT R1 TO USER IVAN; Ivan loggs in with R SELECT current_user, current_role FROM RDB$DATABASE GRANT DEFAULT R1 TO USER IVAN; Ivan loggs in with R |
|
Commented by: @AlexPeshkoff Yes, you are absolutely right (at least it's designed to be so). |
Modified by: @dyemanovFix Version: 4.0 Beta 1 [ 10750 ] => |
Submitted by: @dyemanov
Votes: 1
After introducing default (and aggregated) roles, CURRENT_ROLE becomes practically useless in such cases. We now have RDB$ROLE_IN_USE(<role name>) to check for a particular role, this replaces the IF (CURRENT_ROLE = <role name>) functionality for the cases with multiple active roles. But it would be also handy to just know (enumerate) all the active roles, hence this ticket.
SEC$ROLES may either return all roles active for the current user, or return all roles granted to the current user with a flag whether every role is currently active or not.
The text was updated successfully, but these errors were encountered: