| From: | pgsql-bugs(at)postgresql(dot)org |
|---|---|
| To: | pgsql-bugs(at)postgresql(dot)org |
| Subject: | INSERT possible without INSERT-permission |
| Date: | 2000-10-15 19:17:39 |
| Message-ID: | 200010151917.e9FJHdL65249@hub.hub.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
Gert Pache (uhx2(at)rz(dot)uni-karlsruhe(dot)de) reports a bug with a severity of 3
The lower the number the more severe it is.
Short Description
INSERT possible without INSERT-permission
Long Description
Although a user without has only UPDATE/DELETE-permissions on a table he can insert into the table.
Version: 7.0.1
Sample Code
-- superuser creates tables tab und grants user pgtester only
-- update-permission
delme=# create table tab ( id int );
CREATE
delme=# revoke all on tab from public;
CHANGE
delme=# grant update on tab to pgtester;
CHANGE
delme=# \dp tab
Access permissions for database "delme"
Relation | Access permissions
----------+--------------------
tab | {"=","pgtester=w"}
-- although not having insert permission, pgtester is able
-- to insert a record
delme=> insert into tab values (1);
INSERT 76448 1
-- SELECTs are forbidden as they should be
delme=> select * from tab;
ERROR: tab: Permission denied.
No file was uploaded with this report
| From | Date | Subject | |
|---|---|---|---|
| Next Message | pgsql-bugs | 2000-10-15 19:36:46 | permission-error in tables with referential integrity |
| Previous Message | Tom Lane | 2000-10-15 16:41:55 | Re: reproducable command sequence to get "mdopen: Couldn't open..." |