[Firebird-devel] [FB-Tracker] Created: (CORE-3224) Operation not allowed when user has only indirect rights

[Ain V. (JIRA) <tr...@fi...>]

Operation not allowed when user has only indirect rights
--------------------------------------------------------

                 Key: CORE-3224
                 URL: http://tracker.firebirdsql.org/browse/CORE-3224
             Project: Firebird Core
          Issue Type: Bug
          Components: Engine, Security
    Affects Versions: 2.5.0
         Environment: WI-V2.5.0.26074 Firebird 2.5 
            Reporter: Ain Valtin


Create these objects as some other user than "test":

CREATE TABLE TAB_Foo ( Fld INTEGER );

CREATE TABLE TAB_Bar ( Fld INTEGER );

SET TERM ^ ;

CREATE PROCEDURE GetBar(ID INTEGER) RETURNS(Bar INTEGER) AS
BEGIN
  SELECT Fld FROM TAB_Bar WHERE(Fld = :ID) INTO :Bar;
  SUSPEND;
END^

CREATE TRIGGER Foo_BI FOR TAB_Foo
ACTIVE BEFORE INSERT POSITION 15
AS
BEGIN
  DELETE FROM TAB_Bar WHERE(Fld = NEW.Fld);
END^

CREATE TRIGGER Bar_BD FOR TAB_Bar
ACTIVE BEFORE DELETE POSITION 15
AS
DECLARE tmp INTEGER;
BEGIN
  SELECT Bar FROM GetBar(OLD.Fld) INTO :tmp;
END^

SET TERM ; ^

GRANT ALL ON TAB_Foo TO test;
GRANT SELECT ON TAB_Bar TO PROCEDURE GetBar;
GRANT DELETE ON TAB_Bar TO TRIGGER Foo_BI;
GRANT EXECUTE ON PROCEDURE GetBar TO TRIGGER Bar_BD;


Then connect as user "test" and execute:

INSERT INTO TAB_Foo(Fld) VALUES(1);

this results in error:
<<
Starting transaction...
Preparing query: INSERT INTO TAB_Foo(Fld) VALUES(1)
Error: *** IBPP::SQLException ***
Context: Statement::Prepare( INSERT INTO TAB_Foo(Fld) VALUES(1) )
Message: isc_dsql_prepare failed

SQL Message : -551
This user does not have privilege to perform this operation on this object.

Engine Code    : 335544352
Engine Message :
no permission for read/select access to TABLE TAB_BAR
>>

User "test" hasn't been granted right to select from TAB_Bar, but the procedure GetBar has that right. BTW using

GRANT EXECUTE ON PROCEDURE GetBar TO PUBLIC;

won't change the error, so it seems to me that there is a bug when checking rights in case of "long indirect call chain".

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://tracker.firebirdsql.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira