search

FirebirdSQL / firebird

Firebird server, client and tools
https://firebirdsql.org
1.26k stars 217 forks source link

Column update permissions works wrong in regard to object names case #8212

Open asfernandes opened 3 months ago

asfernandes commented 3 months ago 
isql -term !

create database 't.fdb'!

create table t1 (n1 integer, n2 integer)!

create procedure p1
as
begin
    update t1 set n1 = 0;
end!

create procedure "p1"
as
begin
    update t1 set n2 = 0;
end!

grant update (n1) on t1 to procedure p1!
grant update (n2) on t1 to procedure "p1"!

grant execute on procedure p1 to public!
grant execute on procedure "p1" to public!

commit!

set blob all!

-- Only procedure "p1" is listed
select s.rdb$acl
    from rdb$relations r
    join rdb$security_classes s on s.rdb$security_class = r.rdb$security_class
    where r.rdb$relation_name = 'T1'!
isql t.fdb -user user

-- Must work, but don't
execute procedure p1;
/*
Statement failed, SQLSTATE = 28000
no permission for UPDATE access to TABLE T1
-Effective user is USER
*/

execute procedure "p1";