From 46cf49c730c16e9e522541ddf7947af7cb3c090e Mon Sep 17 00:00:00 2001 From: roman-simakov Date: Mon, 14 Jul 2014 13:12:12 +0000 Subject: [PATCH] Improved description of DDL access control operations. Fixed DB and DDL triggers handling. Thanks to Adriano. --- doc/sql.extensions/README.ddl_access.txt | 12 +++++----- src/dsql/DdlNodes.epp | 28 ++++++++++++++---------- 2 files changed, 23 insertions(+), 17 deletions(-) diff --git a/doc/sql.extensions/README.ddl_access.txt b/doc/sql.extensions/README.ddl_access.txt index c1811d80ad..b2ffb0eece 100644 --- a/doc/sql.extensions/README.ddl_access.txt +++ b/doc/sql.extensions/README.ddl_access.txt @@ -7,13 +7,13 @@ Author: Syntax is: -GRANT CREATE TO USER|ROLE [with grant option]; -GRANT ALTER ANY TO USER|ROLE [with grant option]; -GRANT DROP ANY TO USER|ROLE [with grant option]; +GRANT CREATE TO [USER | ROLE] [with grant option]; +GRANT ALTER ANY TO [USER | ROLE] [with grant option]; +GRANT DROP ANY TO [USER | ROLE] [with grant option]; -REVOKE [grant option for] CREATE FROM USER|ROLE; -REVOKE [grant option for] ALTER ANY FROM USER|ROLE; -REVOKE [grant option for] DROP ANY FROM USER|ROLE; +REVOKE [grant option for] CREATE FROM [USER | ROLE] ; +REVOKE [grant option for] ALTER ANY FROM [USER | ROLE] ; +REVOKE [grant option for] DROP ANY FROM [USER | ROLE] ; Where could be: TABLE, VIEW, PROCEDURE, FUNCTION, PACKAGE, GENERATOR, SEQUENCE, DOMAIN, diff --git a/src/dsql/DdlNodes.epp b/src/dsql/DdlNodes.epp index 409e51e4e6..ddecfb65f6 100644 --- a/src/dsql/DdlNodes.epp +++ b/src/dsql/DdlNodes.epp 
@@ -3157,9 +3157,16 @@ DdlNode* CreateAlterTriggerNode::dsqlPass(DsqlCompilerScratch* dsqlScratch) bool CreateAlterTriggerNode::checkPermission(thread_db* tdbb, jrd_tra* transaction) { - dsc dscName; - dscName.makeText(relationName.length(), CS_METADATA, (UCHAR*) relationName.c_str()); - SCL_check_relation(tdbb, &dscName, SCL_alter); + if (relationName.hasData()) + { + dsc dscName; + dscName.makeText(relationName.length(), CS_METADATA, (UCHAR*) relationName.c_str()); + SCL_check_relation(tdbb, &dscName, SCL_alter); + } + else + { + SCL_check_database(tdbb, SCL_alter); + } return true; } @@ -3335,7 +3342,6 @@ DdlNode* DropTriggerNode::dsqlPass(DsqlCompilerScratch* dsqlScratch) bool DropTriggerNode::checkPermission(thread_db* tdbb, jrd_tra* transaction) { - dsc dscName; MetaName relationName; AutoCacheRequest request(tdbb, drq_l_trigger_relname, DYN_REQUESTS); @@ -3350,12 +3356,15 @@ bool DropTriggerNode::checkPermission(thread_db* tdbb, jrd_tra* transaction) if (relationName.isEmpty()) { - // msg 48: "Index not found" - status_exception::raise(Arg::PrivateDyn(48)); + SCL_check_database(tdbb, SCL_alter); + } + else + { + dsc dscName; + dscName.makeText(relationName.length(), CS_METADATA, (UCHAR*) relationName.c_str()); + SCL_check_relation(tdbb, &dscName, SCL_alter); } - dscName.makeText(relationName.length(), CS_METADATA, (UCHAR*) relationName.c_str()); - SCL_check_relation(tdbb, &dscName, SCL_alter); return true; } @@ -3390,9 +3399,6 @@ void DropTriggerNode::execute(thread_db* tdbb, DsqlCompilerScratch* dsqlScratch, break; } - if (X.RDB$RELATION_NAME.NULL && !transaction->getAttachment()->locksmith()) - status_exception::raise(Arg::Gds(isc_adm_task_denied)); - executeDdlTrigger(tdbb, dsqlScratch, transaction, DTW_BEFORE, DDL_TRIGGER_DROP_TRIGGER, name); relationName = X.RDB$RELATION_NAME;
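Review bot: The new `relationName.hasData()` test in CreateAlterTriggerNode::checkPermission picks between the table check and the database check from the node's own relationName, with no lookup of the stored trigger. DropTriggerNode::checkPermission, changed in the same commit, resolves the relation name through the `drq_l_trigger_relname` request before choosing a branch. If an ALTER TRIGGER on an existing table trigger can reach this function with relationName still empty (not visible in the hunk), it would be authorised by `SCL_check_database(tdbb, SCL_alter)` instead of ALTER on the owning table. Consider resolving the relation from the trigger's metadata record when the node is an alter and relationName is empty, and comment the else branch, e.g. `// no relation: database-level or DDL trigger, requires ALTER on the database`.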
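Review bot: In DropTriggerNode::checkPermission (the @@ -3350 hunk) the `relationName.isEmpty()` branch now sends two different situations to one `SCL_check_database(tdbb, SCL_alter)` call: a trigger whose relation name is null, and, as far as the hunk shows, a trigger name for which the lookup returned no row, which the old code rejected with an error. Unless the lookup loop above the hunk already records whether a row was found, a missing trigger is now either reported as a database privilege failure or deferred to execute(); a found-flag set in that loop would keep the two cases apart. Together with the @@ -3390 hunk, which deletes the `locksmith()` test from execute(), this moves dropping database and DDL triggers from the locksmith gate to any holder of ALTER on the database, so the branch deserves a comment such as `// database/DDL trigger: ALTER on the database replaces the former locksmith check`. The function starts above the hunk, so the loop itself is not visible here.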