Re: [HACKERS] something smells bad

Sending this to the Hackers list because I think that there may be a bug.

On Jue 07 Jun 2001 02:27, Alex Pilosov wrote:
> On Wed, 6 Jun 2001, [iso-8859-1] Martín Marqués wrote:
> > OK, now I'm more then astonished!
> > Why was I able to insert as martin then?
> > Isn't it true (as the docs say) that when I execute a query over a view
> > with rules, the rules (querys in the DO of the RULE) are executed with
> > permssions of the owner of the rule (or the view? Any way, martin is
> > owner of both) and not of the user that executed the query?
>
> No. With both views and rules, the actions are executed as the user who
> executed the query. I don't know if there are plans to allow the 'execute
> as owner' for rules, right now this option only exists for the triggers.

Well, after todays tests, I have to say that rules are executed with owner
privileges, and not users.
This is the output:

webunl=> \dp

Access permissions for database "webunl"
Relation | Access permissions
-----------------------------+------------------------------------------------
admin_view | {"=r","martin=arwR","group webunl_admin=arwR"}
admin_view_categ | {"=r","martin=arwR","group webunl_admin=arwR"}
admin_view_docente | {"=r","martin=arwR","group webunl_admin=arwR"}
admin_view_facultades | {"=r","martin=arwR","group webunl_admin=arwR"}
admin_view_materias | {"=r","martin=arwR","group webunl_admin=arwR"}
admin_view_modal | {"=r","martin=arwR","group webunl_admin=arwR"}
area | {"=r","martin=arwR"}
area_id_area_seq |
carrera | {"=r","martin=arwR"}
carrera_id_curso_seq | {"=","martin=arwR"}
categ | {"=r","martin=arwR"}
categ_id_categ_seq |
docentes | {"=r","martin=arwR"}
docentes_id_docente_seq | {"=","martin=arwR"}
facultad | {"=r","martin=arwR"}
facultad_id_fac_seq |
inscripcion | {"=r","martin=arwR"}
log_carrera | {"=","martin=arwR"}
log_carrera_id_log_seq | {"=","martin=arwR"}
materias | {"=r","martin=arwR"}
materias_id_mat_seq | {"=","martin=arwR"}
modalidad | {"=r","martin=arwR"}
nexo_categ | {"=r","martin=arwR"}
nexo_facultad | {"=r","martin=arwR"}
niveles | {"=r","martin=arwR"}
niveles_id_nivel_seq |
resol | {"=r","martin=arwR"}
sub_area | {"=r","martin=arwR"}
sub_area_id_subarea_seq |
tipo_cursado | {"=r","martin=arwR"}
tipo_cursado_id_cursado_seq |
tipo_modal | {"=r","martin=arwR"}
tipo_modal_id_mod_seq |
(33 rows)

webunl=> GRANT ALL ON
carrera_id_curso_seq,docentes_id_docente_seq,log_carrera_id_log_seq,materias_id_mat_seq
TO GROUP webunl_admin;
CHANGE
webunl=> \c webunl mariana
You are now connected to database webunl as user mariana.
webunl=> INSERT INTO admin_view
webunl->
(titulo,subarea,descripcion,matricula,nivel,requisitos,duracion,cupos,numero,year,fecha,fecha_ini,fecha_fin,lugar,informes
,director,carrera)
webunl-> VALUES ('y este el tiutulo',14,'descripcion',0,1,'Y bueno, los
requisitos
son.....',12,0,34534,2000,'6/6/2000','10/10/2001','30/12/2001','Donde
webunl'> mas.......','Para mas info, limpie','Quien, yo?','Esta es una
carrera');
INSERT 240135 1
webunl=>

Now, mariana is a member of the webunl_admin group, and before the GRANT to
all those sequences, the query (INSERT) shes executing here gave an error
when trying to do a carrera_id_curso_seq:next (is this the right sintax?).

Saludos.... :-)

--
Cualquiera administra un NT.
Ese es el problema, que cualquiera administre.
-----------------------------------------------------------------
Martin Marques | mmarques(at)unl(dot)edu(dot)ar
Programador, Administrador | Centro de Telematica
Universidad Nacional
del Litoral
-----------------------------------------------------------------