efmarshall / h2database

Automatically exported from code.google.com/p/h2database
0 stars 0 forks source link

CREATE VIEW does not check user rights #471

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The documentation for CREATE VIEW states: "Admin rights are required to execute 
this command". However, it's possible to create a view as a non-admin user, 
which you then have no privileges to query or drop. 

What steps will reproduce the problem?

If you are not an admin user but can run "SELECT * FROM X", then run "CREATE 
VIEW my_view AS SELECT * FROM X". 

What is the expected output? What do you see instead?

Expected output is the CREATE VIEW should fail. It currently succeeds.

What version of the product are you using? On what operating system, file
system, and virtual machine?

H2 1.3.172

--

I have attached a patch which demonstrates the problem via a unit test + 
included a potential fix.

Original issue reported on code.google.com by arbfrank...@gmail.com on 6 Jun 2013 at 8:11

Attachments:

GoogleCodeExporter commented 9 years ago
Patch committed, thank you very much.

Original comment by noelgrandin on 18 Jun 2013 at 12:28