isc_open_blob2 fails when selecting blob field from view with "no permission for SELECT access to TABLE X" error. [CORE6114] #6363
Comments
Modified by: Andrew Ayre (communicare)Version: 3.0.4 [ 10863 ] description: Error occurs in Firebird 3.0.4 and daily snapshot 3.0.5.33160. Error "no permission for SELECT access to TABLE BLOB_TABLE" When attempting to select BLOB (SubType 1) from VIEW that DOES have has permission to select from BLOB_TABLE. Reproduce as follows: Create a test database containing a single table (BLOB_TABLE), single view (BLOB_VIEW) with grants that allow public to only to the view. --=== Start Script ===-- CREATE VIEW BLOB_VIEW( ALTER TABLE BLOB_TABLE ADD CONSTRAINT PK_BLOB_TABLE PRIMARY KEY (ID); SET TERM ^ ; CREATE OR ALTER TRIGGER BIUD_BLOB_VIEW FOR BLOB_VIEW if (UPDATING) then if (DELETING) then COMMIT^ SET TERM ; ^ GRANT ALL ON BLOB_VIEW TO PUBLIC; --=== End Script ===-- We are moving to Firebird 3 from Firebird 2.5.8. which does NOT have this bug. Tracing the Firebird API calls from IBO we can see the following pattern. isc_attach_database(db: 1) A simpler pattern that produces the same error is below. In the following steps it is assumed that we know the ID of the BLOB to be opened. We have further narrowed the error down as follows: => Error occurs in Firebird 3.0.4 and daily snapshot 3.0.5.33160. Error "no permission for SELECT access to TABLE BLOB_TABLE" When attempting to select BLOB from VIEW that DOES have has permission to select from BLOB_TABLE. Reproduce as follows: Create a test database containing a single table (BLOB_TABLE), single view (BLOB_VIEW) with grants that allow public to only to the view. --=== Start Script ===-- CREATE VIEW BLOB_VIEW( ALTER TABLE BLOB_TABLE ADD CONSTRAINT PK_BLOB_TABLE PRIMARY KEY (ID); SET TERM ^ ; CREATE OR ALTER TRIGGER BIUD_BLOB_VIEW FOR BLOB_VIEW if (UPDATING) then if (DELETING) then COMMIT^ SET TERM ; ^ GRANT ALL ON BLOB_VIEW TO PUBLIC; --=== End Script ===-- We are moving to Firebird 3 from Firebird 2.5.8. which does NOT have this bug. Tracing the Firebird API calls from IBO we can see the following pattern. isc_attach_database(db: 1) A simpler pattern that produces the same error is below. In the following steps it is assumed that we know the ID of the BLOB to be opened. We have further narrowed the error down as follows: |
Modified by: Andrew Ayre (communicare)Attachment: CreateDb.sql [ 13364 ] description: Error occurs in Firebird 3.0.4 and daily snapshot 3.0.5.33160. Error "no permission for SELECT access to TABLE BLOB_TABLE" When attempting to select BLOB from VIEW that DOES have has permission to select from BLOB_TABLE. Reproduce as follows: Create a test database containing a single table (BLOB_TABLE), single view (BLOB_VIEW) with grants that allow public to only to the view. --=== Start Script ===-- CREATE VIEW BLOB_VIEW( ALTER TABLE BLOB_TABLE ADD CONSTRAINT PK_BLOB_TABLE PRIMARY KEY (ID); SET TERM ^ ; CREATE OR ALTER TRIGGER BIUD_BLOB_VIEW FOR BLOB_VIEW if (UPDATING) then if (DELETING) then COMMIT^ SET TERM ; ^ GRANT ALL ON BLOB_VIEW TO PUBLIC; --=== End Script ===-- We are moving to Firebird 3 from Firebird 2.5.8. which does NOT have this bug. Tracing the Firebird API calls from IBO we can see the following pattern. isc_attach_database(db: 1) A simpler pattern that produces the same error is below. In the following steps it is assumed that we know the ID of the BLOB to be opened. We have further narrowed the error down as follows: => Error occurs in Firebird 3.0.4 and daily snapshot 3.0.5.33160. Error "no permission for SELECT access to TABLE BLOB_TABLE" When attempting to select BLOB from VIEW that DOES have has permission to select from BLOB_TABLE. Reproduce as follows: Create a test database containing a single table (BLOB_TABLE), single view (BLOB_VIEW) with grants that allow public to only to the view. --=== Start Script ===-- CREATE VIEW BLOB_VIEW( ALTER TABLE BLOB_TABLE ADD CONSTRAINT PK_BLOB_TABLE PRIMARY KEY (ID); SET TERM ^ ; CREATE OR ALTER TRIGGER BIUD_BLOB_VIEW FOR BLOB_VIEW if (UPDATING) then if (DELETING) then COMMIT^ SET TERM ; ^ GRANT ALL ON BLOB_VIEW TO PUBLIC; INSERT INTO BLOB_TABLE (ID, TEXT_VALUE, BLOB_VALUE) VALUES (1, 'test data', x'414243'); --=== End Script ===-- We are moving to Firebird 3 from Firebird 2.5.8. which does NOT have this bug. Tracing the Firebird API calls from IBO we can see the following pattern. isc_attach_database(db: 1) A simpler pattern that produces the same error is below. In the following steps it is assumed that we know the ID of the BLOB to be opened. We have further narrowed the error down as follows: |
|
Commented by: @AlexPeshkoff In description of an error I see: > Grant all on BLOB_TABLE to VIEW BLOB_VIEW But there is no appropriate grant inyour script, only trigger is granted all rights on the table. |
|
Commented by: @AlexPeshkoff After private talk to Roman Simakov described behavior appears buggy |
Modified by: @AlexPeshkoffassignee: Dmitriy Starodubov [ dmitriy starodubov ] |
Modified by: Sean Leyne (seanleyne)status: Open [ 1 ] => Resolved [ 5 ] resolution: Duplicate [ 3 ] |
|
Commented by: @AlexPeshkoff Sean, I doubt it's duplicate. In 5823 explicit access rights were granted to procedure to select from the table with BLOBs. In this case view is not explicitly granted any rights but it has an _implicit_ grant to select from the tables used in the view. It's a bit another case therefore fix for 5823 is not OK here. |
Modified by: Sean Leyne (seanleyne)status: Resolved [ 5 ] => Reopened [ 4 ] resolution: Duplicate [ 3 ] => |
|
Commented by: Sean Leyne (seanleyne) Alexander, Have re-opened the case, though it reads very similar to the first/original linked ticket, as well as the new linked ticket. |
|
Commented by: @dmitry-starodubov The problem is accessing to the BLOB by ID in another transaction. |
|
Commented by: @AlexPeshkoff Really - I did not notice that it was done in another transaction. In that case that's user's bug which was earlier hidden by missing BLOBs access control. |
Modified by: @pcisarstatus: Resolved [ 5 ] => Closed [ 6 ] |
Submitted by: Andrew Ayre (communicare)
Assigned to: @dmitry-starodubov
Duplicates CORE5823
Is related to CORE6107
Attachments:
CreateDb.sql
Votes: 1
Error occurs in Firebird 3.0.4 and daily snapshot 3.0.5.33160.
Error "no permission for SELECT access to TABLE BLOB_TABLE"
When attempting to select BLOB from VIEW that DOES have has permission to select from BLOB_TABLE.
Reproduce as follows:
Create a test database containing a single table (BLOB_TABLE), single view (BLOB_VIEW) with grants that allow public to only to the view.
Grant all on BLOB_TABLE to VIEW BLOB_VIEW.
Use SQL the following script to create test database below:
--=== Start Script ===--
CREATE TABLE BLOB_TABLE (
ID INTEGER NOT NULL,
TEXT_VALUE VARCHAR(50),
BLOB_VALUE BLOB SUB_TYPE 1 SEGMENT SIZE 80,
BLOB_BINARY BLOB SUB_TYPE 0 SEGMENT SIZE 80
);
COMMIT;
CREATE VIEW BLOB_VIEW(
ID,
TEXT_VALUE,
BLOB_VALUE,
BLOB_BINARY)
AS
SELECT ID, TEXT_VALUE, BLOB_VALUE, BLOB_BINARY FROM BLOB_TABLE;
COMMIT;
ALTER TABLE BLOB_TABLE ADD CONSTRAINT PK_BLOB_TABLE PRIMARY KEY (ID);
COMMIT;
SET TERM ^ ;
CREATE OR ALTER TRIGGER BIUD_BLOB_VIEW FOR BLOB_VIEW
ACTIVE BEFORE INSERT OR UPDATE OR DELETE POSITION 0
AS
BEGIN
if (INSERTING) then
begin
INSERT INTO BLOB_TABLE(
ID,
TEXT_VALUE,
BLOB_VALUE,
BLOB_BINARY)
values (
http://new.ID,
new.TEXT_VALUE,
new.BLOB_VALUE,
new.BLOB_BINARY);
end
if (UPDATING) then
begin
UPDATE BLOB_TABLE SET
TEXT_VALUE = new.TEXT_VALUE,
BLOB_VALUE = new.BLOB_VALUE,
BLOB_BINARY = new.BLOB_BINARY
WHERE
ID = http://old.ID;
end
if (DELETING) then
delete from BLOB_TABLE
WHERE
ID = http://old.ID;
END^
COMMIT^
SET TERM ; ^
GRANT ALL ON BLOB_VIEW TO PUBLIC;
GRANT ALL ON BLOB_TABLE TO TRIGGER BIUD_BLOB_VIEW;
COMMIT;
INSERT INTO BLOB_TABLE (ID, TEXT_VALUE, BLOB_VALUE) VALUES (1, 'test data', x'414243');
COMMIT;
--=== End Script ===--
We are moving to Firebird 3 from Firebird 2.5.8. which does NOT have this bug.
Our Delphi application uses IBO 4.8.7 to access the Firebird database.
We have also tested using newer version of IBO (Ver 5.9.7) with the same result.
Tracing the Firebird API calls from IBO we can see the following pattern.
isc_attach_database(db: 1)
isc_dsql_allocate_statement(st: 1)
isc_start_multiple(tr: 1)
isc_dsql_prepare(tr: 1, st: 1)
isc_dsql_execute(tr: 1, st: 1)
isc_dsql_fetch(st: 1)
isc_commit_transaction(tr: 1)
isc_start_multiple(tr: 2)
isc_open_blob2(tr: 2, blob:ID)
A simpler pattern that produces the same error is below. In the following steps it is assumed that we know the ID of the BLOB to be opened.
We have further narrowed the error down as follows:
isc_attach_database(db: 1)
isc_start_multiple(tr: 1)
isc_open_blob2(tr: 1, blob:ID)
The text was updated successfully, but these errors were encountered: