FirebirdSQL / firebird

Firebird server, client and tools
https://firebirdsql.org

Server does not check privileges on VIEWS !!! [CORE2569] #2979

Closed firebird-automations closed 15 years ago

firebird-automations commented 15 years ago

Submitted by: eXandr (i.reg)

1. create new database (login as user TEST1);
2. create table t1(id integer);
3. create view vw_t1 as select * from t1;
4. grant select on view vw_t1 to public;
5. login to database as user TEST2 (non RDB$ADMIN);
6. select * from vw_t1 -> successfully!

o_O ???

firebird-automations commented 15 years ago

Modified by: @dyemanov
priority: Blocker [ 1 ] => Major [ 3 ]
security: Developers [ 10012 ] =>

firebird-automations commented 15 years ago

Commented by: @dyemanov

Why do you consider it a bug? There's no such feature as granting select permissions for the contained tables to a container view, it is implied. And you have granted view select permissions to public. Why should any error be thrown in this case?

firebird-automations commented 15 years ago

Modified by: @dyemanov
status: Open [ 1 ] => Resolved [ 5 ]
resolution: Won't Fix [ 2 ]

firebird-automations commented 15 years ago

Modified by: @pcisar
status: Resolved [ 5 ] => Closed [ 6 ]

firebird-automations commented 15 years ago

Commented by: eXandr (i.reg)

Sorry for the delay in replying to you. I believe it is a bug because:

1. In case of using a VIEW: SQL> grant select on T1 to view VW_T1;
   - executed ok;
   - stored in ACL ok;
   - has no effect! (implicit autogrant?)
2. In case of using a stored procedure or trigger, the permission to SELECT from T1 must be granted explicitly.

I just want the level of security to be high by default.
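
An audit query for the situation discussed in this thread, added here as an example and not part of the original issue or the Firebird project's code: it lists every user-defined view whose SELECT privilege is granted to PUBLIC, together with the base relations each view reads, so the exposure from step 4 can be found and narrowed. It assumes the standard Firebird system tables and reuses the names VW_T1 and TEST2 from the report.

```sql
-- Added example (not from the original issue).
-- Views readable by PUBLIC, with the base relations they expose.
SELECT
    TRIM(p.RDB$RELATION_NAME)  AS VIEW_NAME,
    TRIM(r.RDB$OWNER_NAME)     AS VIEW_OWNER,
    TRIM(p.RDB$GRANTOR)        AS GRANTOR,
    TRIM(vr.RDB$RELATION_NAME) AS BASE_RELATION
FROM RDB$USER_PRIVILEGES p
JOIN RDB$RELATIONS r
  ON r.RDB$RELATION_NAME = p.RDB$RELATION_NAME
LEFT JOIN RDB$VIEW_RELATIONS vr
  ON vr.RDB$VIEW_NAME = r.RDB$RELATION_NAME
WHERE p.RDB$USER = 'PUBLIC'                  -- grantee is PUBLIC
  AND p.RDB$PRIVILEGE = 'S'                  -- 'S' = SELECT
  AND r.RDB$VIEW_BLR IS NOT NULL             -- views only, not tables
  AND COALESCE(r.RDB$SYSTEM_FLAG, 0) = 0     -- skip system objects
ORDER BY 1, 4;

-- Narrowing the grant from step 4 of the report to one named user
-- (TEST2 is the user from the report; adjust to the intended grantee).
REVOKE SELECT ON VW_T1 FROM PUBLIC;
GRANT SELECT ON VW_T1 TO TEST2;
```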