| From: | "Brendan O'Shea" <boshea(at)akamai(dot)com> |
|---|---|
| To: | pgsql-bugs(at)postgresql(dot)org |
| Subject: | BUG #4350: 'select' acess given to views containing "union all" even though user has no grants |
| Date: | 2008-08-11 16:37:20 |
| Message-ID: | 200808111637.m7BGbKZj059864@wwwmaster.postgresql.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
The following bug has been logged online:
Bug reference: 4350
Logged by: Brendan O'Shea
Email address: boshea(at)akamai(dot)com
PostgreSQL version: 8.2.9
Operating system: linux-2.4 and windows XP
Description: 'select' acess given to views containing "union all"
even though user has no grants
Details:
There appears to be a bug in the way that permissions are determined for
views that contain "UNION ALL" in their definition.
There is a simple test case to reproduce the bug.
1) As a superuser create the following objects:
CREATE ROLE test_perm LOGIN PASSWORD 'test_perm';
CREATE OR REPLACE VIEW public.simple_select AS SELECT 1;
CREATE OR REPLACE VIEW public.union_all AS SELECT 1 UNION ALL SELECT 2;
2) Now log in as the test_perm user and run the following SQL:
select * from public.simple_select;
select * from public.union_all;
The first SQL statement correctly produces an error, but the second
statement will return results with no error, it should instead generate a
permission error.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Richard Evans | 2008-08-11 19:04:31 | Re: BUG #3818: Cross compilation problems |
| Previous Message | Peter Eisentraut | 2008-08-11 10:44:13 | Re: BUG #3818: Cross compilation problems |