Date: 2013-02-09 17:26:57 +0100
From: @bartscheers
To: SQL devs <>
Version: 11.15.1 (Feb2013)
CC: @njnes

Last updated: 2013-03-07 12:41:23 +0100

Comment 18456

Date: 2013-02-09 17:26:57 +0100
From: @bartscheers

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:16.0) Gecko/20100101 Firefox/16.0
Build Identifier:

A user having only select privileges on a table is allowed to do so when a sql function performs the insert into the table.

Reproducible: Always

Steps to Reproduce:

1. ./setup.sh
2. mclient -dgrantupd < setup.sql
3. mclient -dgrantupd -ubart < insertbug.sql
4. mclient -dgrantupd -ubart < updatebug.sql
5. mclient -dgrantupd -ubart < deletebug.sql

Actual Results:

row inserted, updated, deleted

Expected Results:

A insufficient privileges message for all cases, and no execution of function

Comment 18457

Date: 2013-02-09 17:32:58 +0100
From: @bartscheers

Created attachment 178
contains the necessary test files

Attached file: grantfunctionbug.tar (text/plain, 10240 bytes)
Description: contains the necessary test files

Comment 18471

Date: 2013-02-13 16:00:33 +0100
From: @njnes

Changeset fffd420f1ee8 made by Niels Nes niels@cwi.nl in the MonetDB repo, refers to this bug.

For complete details, see http//devmonetdborg/hg/MonetDB?cmd=changeset;node=fffd420f1ee8

Changeset description:

fixes and test added for bug #3230

Comment 18472

Date: 2013-02-13 16:02:55 +0100
From: @njnes

fixed. We now check user rights also in recursive sql.
This means tables under views are checked for user rights properly (we don't support materialized views)

Comment 18592

Date: 2013-03-07 12:41:23 +0100
From: @sjoerdmullender

Feb2013-SP1 has been released.