From: | "Vadim B(dot) Mikheev" <vadim(at)sable(dot)krasnoyarsk(dot)su> |
---|---|
To: | hackers(at)postgresql(dot)org |
Subject: | permission issue |
Date: | 1998-02-27 07:30:08 |
Message-ID: | 34F66B80.F66AE20E@sable.krasnoyarsk.su |
Lists: | pgsql-hackers |

Tables INS (x int) and SEL (y int) are owned by dbadm; another user has been granted SELECT on SEL and INSERT on INS.

Should another user be able to do

    insert into ins select y from sel where x = y;

or not?

Currently, PG allows this. The backend tries to check (in execMain.c:ExecCheckPerms()) whether READ access to the table being changed is granted to the user or not, but this check seems to be quite stupid:

    qvars = pull_varnos(parseTree->qual);
    tvars = pull_varnos((Node *) parseTree->targetList);
    if (intMember(resultRelation, qvars) ||
        intMember(resultRelation, tvars))

pull_varnos is very simple and just skips expressions in the qual & target list.

We have to either get rid of this check or change it. What do you think? How do the "big boys" handle this?

Vadim
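
The gap the message describes, as an added example that is not part of the original message or of PostgreSQL's source: a toy expression tree (all type and function names here are hypothetical) comparing a reference check that ignores expressions with one that descends into them, run on the qual `x = y` from the query above.

```c
#include <stdbool.h>
#include <stddef.h>

/* Toy expression tree (hypothetical; not PostgreSQL's Node types). */
typedef enum { N_VAR, N_OP } NodeTag;

typedef struct Node {
    NodeTag tag;
    int varno;                  /* N_VAR: range-table index of the relation */
    const struct Node *left;    /* N_OP: operands */
    const struct Node *right;
} Node;

/* Shallow check: sees only a bare Var at the top level, mirroring the
 * behaviour the message describes (expressions are skipped). */
static bool refs_rel_shallow(const Node *n, int rel)
{
    return n != NULL && n->tag == N_VAR && n->varno == rel;
}

/* Recursive check: descends through operator nodes to every Var. */
static bool refs_rel_deep(const Node *n, int rel)
{
    if (n == NULL)
        return false;
    if (n->tag == N_VAR)
        return n->varno == rel;
    return refs_rel_deep(n->left, rel) || refs_rel_deep(n->right, rel);
}

/* Constructed input: the qual "x = y" and target "y" from
 *   insert into ins select y from sel where x = y;
 * with ins as range-table entry 1 (the result relation) and sel as 2. */
enum { RT_INS = 1, RT_SEL = 2 };
static const Node var_x = { N_VAR, RT_INS, NULL, NULL };
static const Node var_y = { N_VAR, RT_SEL, NULL, NULL };
static const Node qual_eq = { N_OP, 0, &var_x, &var_y };

/* True when qual or target list reads the result relation, i.e. when the
 * READ-access check from the message would have something to enforce. */
static bool needs_read_on_result(bool (*refs)(const Node *, int))
{
    return refs(&qual_eq, RT_INS) || refs(&var_y, RT_INS);
}

int main(void)
{
    /* Exit 0 when the shallow check misses the reference and the deep one finds it. */
    return (!needs_read_on_result(refs_rel_shallow)
            && needs_read_on_result(refs_rel_deep)) ? 0 : 1;
}
```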