Key: CORE-5827
Type: Bug
Status: Open
Priority: Major
Assignee: Unassigned
Reporter: Pavel Zotov
Votes: 0
Watchers: 2
Firebird Core

ALTER CURRENT USER fails with "no permission for <...> TABLE PLG$SRP" if current user: 1) has NO admin role and 2) wants to modify his own TAGS list

Created: 16/May/18 05:25 AM   Updated: 16/May/18 06:53 AM
Component/s: Engine, Security
Affects Version/s: 4.0 Alpha 1, 3.0.3
Fix Version/s: None

QA Status: Done with caveats
Test Details:
::: NB :::
    Code of this test must be changed after the ticket is fixed!
    See the line with 'grant admin role' -- it must be COMMENTED.
    Also, min_version should be set to 3.0.x rather than 4.0.0

    Currently we check only ability to change TAGS list using 'ALTER CURRENT USER' statement.
    See also test for CORE-3365, but it checks only 'old' attributes which existed before FB 3.0.


Description
connect 'localhost:employee' user SYSDBA password 'masterkey';

create user tmp$c3365
    password 'UseSrp'
    firstname 'Mary'
    --grant admin role ----------------------- NB: no error will be raised if we UNCOMMENT this line
    using plugin Srp
    tags (
         key1 = 'val111'
        ,key2 = 'val222'
        ,key3 = 'val333'
    )
;
commit;

connect 'localhost:employee' user tmp$c3365 password 'UseSrp';

select current_user as who_am_i from rdb$database;

-- OUTPUT will be: WHO_AM_I TMP$C3365

commit;

--- passed w/o error:
alter current user
    set password 'FooSrp' firstname 'Scott' lastname 'Tiger'
    using plugin Srp
;
commit;

-- DOES raise error if current user has no admin role:
alter current user
    using plugin Srp
    tags (
         Foo = 'Bar'
        ,key1 = 'val11'
        ,Rio = '1565'
        ,drop key3
        ,drop key2
    )
;
Statement failed, SQLSTATE = 28000
modify record error
-no permission for SELECT access to TABLE PLG$SRP

If a user has to be granted the ADMIN role to be able to modify his own TAGS list, then this should be noted in the documentation.
But it seems to me that a user must have the ability to change ALL his attributes (except active/inactive state), including the TAGS list.



Pavel Zotov added a comment - 16/May/18 05:48 AM
PS.

WI-V3.0.4.32972 -- use of 'grant admin role' does not help; the error is raised in any case.
It is the behaviour of WI-T4.0.0.977 that 'grant admin role' allows the current user to change his own TAGS list.