Improved description of DDL access control operations.

Fixed DB and DDL triggers handling. Thanks to Adriano.
2025-01-22 18:03:03 +01:00 · 2014-07-14 13:12:12 +00:00 · 2014-07-14 13:12:12 +00:00 · 46cf49c730
commit 46cf49c730
parent 208d7cbd85
2 changed files with 23 additions and 17 deletions
--- a/doc/sql.extensions/README.ddl_access.txt
+++ b/doc/sql.extensions/README.ddl_access.txt
@ -7,13 +7,13 @@ Author:

 Syntax is:

-GRANT CREATE <OBJECT> TO USER|ROLE [with grant option];
-GRANT ALTER ANY <OBJECT> TO USER|ROLE [with grant option];
-GRANT DROP ANY <OBJECT> TO USER|ROLE [with grant option];
+GRANT CREATE <OBJECT> TO [USER | ROLE] <user/role name> [with grant option];
+GRANT ALTER ANY <OBJECT> TO [USER | ROLE] <user/role name> [with grant option];
+GRANT DROP ANY <OBJECT> TO [USER | ROLE] <user/role name> [with grant option];

-REVOKE [grant option for] CREATE <OBJECT> FROM USER|ROLE;
-REVOKE [grant option for] ALTER ANY <OBJECT> FROM USER|ROLE;
-REVOKE [grant option for] DROP ANY <OBJECT> FROM USER|ROLE;
+REVOKE [grant option for] CREATE <OBJECT> FROM [USER | ROLE] <user/role name>;
+REVOKE [grant option for] ALTER ANY <OBJECT> FROM [USER | ROLE] <user/role name>;
+REVOKE [grant option for] DROP ANY <OBJECT> FROM [USER | ROLE] <user/role name>;

 Where <OBJECT> could be:
 TABLE, VIEW, PROCEDURE, FUNCTION, PACKAGE, GENERATOR, SEQUENCE, DOMAIN, 
--- a/src/dsql/DdlNodes.epp
+++ b/src/dsql/DdlNodes.epp
@ -3157,9 +3157,16 @@ DdlNode* CreateAlterTriggerNode::dsqlPass(DsqlCompilerScratch* dsqlScratch)

 bool CreateAlterTriggerNode::checkPermission(thread_db* tdbb, jrd_tra* transaction)
 {
-	dsc dscName;
-	dscName.makeText(relationName.length(), CS_METADATA, (UCHAR*) relationName.c_str());
-	SCL_check_relation(tdbb, &dscName, SCL_alter);
+	if (relationName.hasData())
+	{
+		dsc dscName;
+		dscName.makeText(relationName.length(), CS_METADATA, (UCHAR*) relationName.c_str());
+		SCL_check_relation(tdbb, &dscName, SCL_alter);
+	}
+	else
+	{
+		SCL_check_database(tdbb, SCL_alter);
+	}
 	return true;
 }

@ -3335,7 +3342,6 @@ DdlNode* DropTriggerNode::dsqlPass(DsqlCompilerScratch* dsqlScratch)

 bool DropTriggerNode::checkPermission(thread_db* tdbb, jrd_tra* transaction)
 {
-	dsc dscName;
 	MetaName relationName;

 	AutoCacheRequest request(tdbb, drq_l_trigger_relname, DYN_REQUESTS);
@ -3350,12 +3356,15 @@ bool DropTriggerNode::checkPermission(thread_db* tdbb, jrd_tra* transaction)

 	if (relationName.isEmpty())
 	{
-		// msg 48: "Index not found"
-		status_exception::raise(Arg::PrivateDyn(48));
+		SCL_check_database(tdbb, SCL_alter);
+	}
+	else
+	{
+		dsc dscName;
+		dscName.makeText(relationName.length(), CS_METADATA, (UCHAR*) relationName.c_str());
+		SCL_check_relation(tdbb, &dscName, SCL_alter);
 	}

-	dscName.makeText(relationName.length(), CS_METADATA, (UCHAR*) relationName.c_str());
-	SCL_check_relation(tdbb, &dscName, SCL_alter);
 	return true;
 }

@ -3390,9 +3399,6 @@ void DropTriggerNode::execute(thread_db* tdbb, DsqlCompilerScratch* dsqlScratch,
 				break;
 		}

-		if (X.RDB$RELATION_NAME.NULL && !transaction->getAttachment()->locksmith())
-			status_exception::raise(Arg::Gds(isc_adm_task_denied));
-
 		executeDdlTrigger(tdbb, dsqlScratch, transaction, DTW_BEFORE, DDL_TRIGGER_DROP_TRIGGER, name);

 		relationName = X.RDB$RELATION_NAME;