You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The engine executing GRANT from a stored procedure with SQL SECURITY DEFINER runned from another user with EXECUTE privilege raises the error "User cannot write to RDB$USER_PRIVILEGES"
CREATE PROCEDURE P SQL SECURITY DEFINER
AS
begin
execute statement 'grant alter any generator to "u3"';
end ^
SET TERM ; ^
GRANT EXECUTE ON PROCEDURE P TO USER US;
and then in a connection from another user run:
roman@roman-ubuntu % ./isql localhost:/tmp/1.fdb -U us -P pas
Database: localhost:/tmp/1.fdb, User: US
SQL> execute procedure p;
Statement failed, SQLSTATE = 27000
unsuccessful metadata update
-GRANT failed
-action cancelled by trigger (0) to preserve data integrity
-User cannot write to RDB$USER_PRIVILEGES
-At procedure 'P' line: 4, col: 3
In this case GRANTOR is equal to the OWNER of the PROCEDURE but CURRENT_USER is different. There's nothing wrong here. But system trigger for RDB$USER_PRIVILEGES checks if GRANT=CURRENT_USER but not effective one.
I'm sure it's possible to fix the trigger. However is it really needed? It's prohibited to modity system tables directly but DdlNodes have theirown checks.
Submitted by: @romansimakov
The engine executing GRANT from a stored procedure with SQL SECURITY DEFINER runned from another user with EXECUTE privilege raises the error "User cannot write to RDB$USER_PRIVILEGES"
Commits: 3b1e8c8
The text was updated successfully, but these errors were encountered: