| From: | "Heikki Linnakangas" <heikki(at)enterprisedb(dot)com> |
|---|---|
| To: | "Brendan O'Shea" <boshea(at)akamai(dot)com> |
| Cc: | <pgsql-bugs(at)postgresql(dot)org> |
| Subject: | Re: BUG #4350: 'select' acess given to views containing "union all" even though user has no grants |
| Date: | 2008-08-11 19:19:38 |
| Message-ID: | 48A090CA.8090104@enterprisedb.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
Brendan O'Shea wrote:
> There appears to be a bug in the way that permissions are determined for
> views that contain "UNION ALL" in their definition.
>
> There is a simple test case to reproduce the bug.
>
> 1) As a superuser create the following objects:
>
> CREATE ROLE test_perm LOGIN PASSWORD 'test_perm';
>
> CREATE OR REPLACE VIEW public.simple_select AS SELECT 1;
> CREATE OR REPLACE VIEW public.union_all AS SELECT 1 UNION ALL SELECT 2;
>
>
> 2) Now log in as the test_perm user and run the following SQL:
>
> select * from public.simple_select;
> select * from public.union_all;
>
> The first SQL statement correctly produces an error, but the second
> statement will return results with no error, it should instead generate a
> permission error.
Hmm, looks like pull_up_subqueries somehow loses the range table entry
referring the original view. It's reproducible on PG version 8.2 and
higher, 8.1 seems to work. I'll dig deeper tomorrow, unless someone else
beats me to it.
--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Heikki Linnakangas | 2008-08-11 20:07:50 | Re: BUG #4350: 'select' acess given to views containing "union all" even though user has no grants |
| Previous Message | Richard Evans | 2008-08-11 19:04:31 | Re: BUG #3818: Cross compilation problems |