From bf82df1ebb1edc5471dcbe91b1b30f338fbc2d4f Mon Sep 17 00:00:00 2001
From: alexpeshkoff
Date: Wed, 7 May 2014 11:21:31 +0000
Subject: [PATCH] Postfix for CORE-3242: somewhy when checking metadata access (like MODIFY or DROP) always checked that access from object itself. Strange at the first glance behavior, but let us do not change legacy (at least since FB1.0) when possible.
---
 src/jrd/JrdStatement.cpp | 8 ++++----
 src/jrd/scl.epp | 25 +++++++++++++------------
 src/jrd/scl_proto.h | 2 +-
 src/jrd/vio.cpp | 2 +-
 4 files changed, 19 insertions(+), 18 deletions(-)
diff --git a/src/jrd/JrdStatement.cpp b/src/jrd/JrdStatement.cpp
index 4866052c8b..640f55614f 100644
--- a/src/jrd/JrdStatement.cpp
+++ b/src/jrd/JrdStatement.cpp
@@ -454,14 +454,14 @@ void JrdStatement::verifyAccess(thread_db* tdbb)
 {
 SCL_check_access(tdbb, sec_class, access->acc_view_id, aclType, routine->getName().identifier, access->acc_mask, access->acc_type,
- access->acc_name, access->acc_r_name);
+ true, access->acc_name, access->acc_r_name);
 }
 else
 {
 SCL_check_access(tdbb, sec_class, access->acc_view_id, id_package, routine->getName().package, access->acc_mask, access->acc_type,
- access->acc_name, access->acc_r_name);
+ true, access->acc_name, access->acc_r_name);
 }
 }
 }
@@ -508,7 +508,7 @@ void JrdStatement::verifyAccess(thread_db* tdbb)
 }
 SCL_check_access(tdbb, sec_class, access->acc_view_id, objType, objName,
- access->acc_mask, access->acc_type, access->acc_name, access->acc_r_name);
+ access->acc_mask, access->acc_type, true, access->acc_name, access->acc_r_name);
 }
 }
@@ -629,7 +629,7 @@ void JrdStatement::verifyTriggerAccess(thread_db* tdbb, jrd_rel* ownerRelation,
 SCL_check_access(tdbb, sec_class, (access->acc_view_id) ? access->acc_view_id : (view ? view->rel_id : 0), id_trigger, t.statement->triggerName, access->acc_mask,
- access->acc_type, access->acc_name, access->acc_r_name);
+ access->acc_type, true, access->acc_name, access->acc_r_name);
 }
 }
 }
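Review bot: The call in the `else` branch of the -454 hunk (object type `id_package`) and the call in verifyTriggerAccess (object type `id_trigger`) pass `true`, although the shortcut that `recursive` enables, as visible in the scl.epp hunk, only fires when the object type is `id_procedure` or `id_function`; the flag therefore has no effect at these two sites. Passing `false` there, e.g. `access->acc_type, false, access->acc_name, access->acc_r_name);`, would keep the self-call exemption limited to calls that can actually be a routine referencing itself, and would stop these sites from inheriting it silently if the condition in scl.epp is ever widened. For the two remaining calls a short comment such as `// true: a routine may reference itself without an explicit grant` would record why statement verification differs from the metadata checks. Both functions begin and end outside the hunks shown.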
diff --git a/src/jrd/scl.epp b/src/jrd/scl.epp
index 30deca2ff1..f09cd5a283 100644
--- a/src/jrd/scl.epp
+++ b/src/jrd/scl.epp
@@ -171,6 +171,7 @@ void SCL_check_access(thread_db* tdbb,
 const Firebird::MetaName& obj_name,
 SecurityClass::flags_t mask,
 SLONG type,
+ bool recursive,
 const Firebird::MetaName& name,
 const Firebird::MetaName& r_name)
 {
@@ -237,7 +238,7 @@ void SCL_check_access(thread_db* tdbb,
 // Allow recursive procedure/function call
- if (((type == SCL_object_procedure && obj_type == id_procedure) ||
+ if (recursive && ((type == SCL_object_procedure && obj_type == id_procedure) ||
 (type == SCL_object_function && obj_type == id_function)) && obj_name == name)
 {
 return;
@@ -299,7 +300,7 @@ void SCL_check_charset(thread_db* tdbb, const MetaName& name, SecurityClass::fla
 }
 END_FOR
- SCL_check_access(tdbb, s_class, 0, 0, name, mask, SCL_object_charset, name);
+ SCL_check_access(tdbb, s_class, 0, 0, name, mask, SCL_object_charset, false, name);
 }
@@ -330,7 +331,7 @@ void SCL_check_collation(thread_db* tdbb, const MetaName& name, SecurityClass::f
 }
 END_FOR
- SCL_check_access(tdbb, s_class, 0, 0, name, mask, SCL_object_collation, name);
+ SCL_check_access(tdbb, s_class, 0, 0, name, mask, SCL_object_collation, false, name);
 }
@@ -361,7 +362,7 @@ void SCL_check_domain(thread_db* tdbb, const MetaName& name, SecurityClass::flag
 }
 END_FOR
- SCL_check_access(tdbb, s_class, 0, 0, name, mask, SCL_object_domain, name);
+ SCL_check_access(tdbb, s_class, 0, 0, name, mask, SCL_object_domain, false, name);
 }
@@ -392,7 +393,7 @@ void SCL_check_exception(thread_db* tdbb, const MetaName& name, SecurityClass::f
 }
 END_FOR
- SCL_check_access(tdbb, s_class, 0, 0, name, mask, SCL_object_exception, name);
+ SCL_check_access(tdbb, s_class, 0, 0, name, mask, SCL_object_exception, false, name);
 }
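Review bot: The comment `// Allow recursive procedure/function call` in the -237 hunk no longer describes the whole condition, and the parameter name `recursive` reads as if the check itself recursed rather than as permission for a self-reference exemption. With the flag set and matching types and names the function returns at this point; the wrappers SCL_check_procedure and SCL_check_function pass the same `name` as both object and accessor, so before this change they always satisfied the condition, which appears to be the problem the commit message describes. I would state that at the gate, for example `// Self-reference shortcut: only statement verification passes recursive = true; metadata (DDL) checks pass false so the ACL is always evaluated.`, and document the parameter in the function's header comment, which lies outside the hunk. The match relies on `obj_name == name` alone; whether a bare name comparison is sufficient for every caller cannot be judged from the lines shown and is worth confirming.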
@@ -423,7 +424,7 @@ void SCL_check_generator(thread_db* tdbb, const MetaName& name, SecurityClass::f
 }
 END_FOR
- SCL_check_access(tdbb, s_class, 0, 0, name, mask, SCL_object_generator, name);
+ SCL_check_access(tdbb, s_class, 0, 0, name, mask, SCL_object_generator, false, name);
 }
@@ -508,7 +509,7 @@ void SCL_check_index(thread_db* tdbb, const Firebird::MetaName& index_name, UCHA
 if (reln_name.isEmpty()) return;
- SCL_check_access(tdbb, s_class, 0, 0, NULL, mask, SCL_object_table, reln_name);
+ SCL_check_access(tdbb, s_class, 0, 0, NULL, mask, SCL_object_table, false, reln_name);
 request.reset();
@@ -529,7 +530,7 @@ void SCL_check_index(thread_db* tdbb, const Firebird::MetaName& index_name, UCHA
 s_class = (!RF.RDB$SECURITY_CLASS.NULL) ? SCL_get_class(tdbb, RF.RDB$SECURITY_CLASS) : default_s_class;
 SCL_check_access(tdbb, s_class, 0, 0, NULL, mask,
- SCL_object_column, RF.RDB$FIELD_NAME, reln_name);
+ SCL_object_column, false, RF.RDB$FIELD_NAME, reln_name);
 }
 END_FOR
 }
@@ -570,7 +571,7 @@ void SCL_check_package(thread_db* tdbb, const dsc* dsc_name, SecurityClass::flag
 }
 END_FOR
- SCL_check_access(tdbb, s_class, 0, id_package, name, mask, SCL_object_package, name);
+ SCL_check_access(tdbb, s_class, 0, id_package, name, mask, SCL_object_package, false, name);
 }
@@ -610,7 +611,7 @@ void SCL_check_procedure(thread_db* tdbb, const dsc* dsc_name, SecurityClass::fl
 }
 END_FOR
- SCL_check_access(tdbb, s_class, 0, id_procedure, name, mask, SCL_object_procedure, name);
+ SCL_check_access(tdbb, s_class, 0, id_procedure, name, mask, SCL_object_procedure, false, name);
 }
@@ -650,7 +651,7 @@ void SCL_check_function(thread_db* tdbb, const dsc* dsc_name, SecurityClass::fla
 }
 END_FOR
- SCL_check_access(tdbb, s_class, 0, id_function, name, mask, SCL_object_function, name);
+ SCL_check_access(tdbb, s_class, 0, id_function, name, mask, SCL_object_function, false, name);
 }
@@ -688,7 +689,7 @@ void SCL_check_relation(thread_db* tdbb, const dsc* dsc_name, SecurityClass::fla
 }
 END_FOR
- SCL_check_access(tdbb, s_class, 0, 0, NULL, mask, SCL_object_table, name);
+ SCL_check_access(tdbb, s_class, 0, 0, NULL, mask, SCL_object_table, false, name);
 }
diff --git a/src/jrd/scl_proto.h b/src/jrd/scl_proto.h
index 85f6b16458..3a09407abf 100644
--- a/src/jrd/scl_proto.h
+++ b/src/jrd/scl_proto.h
@@ -34,7 +34,7 @@ struct dsc;
 void SCL_check_access(Jrd::thread_db*, const Jrd::SecurityClass*, SLONG, SLONG, const Firebird::MetaName&,
- Jrd::SecurityClass::flags_t, SLONG type, const Firebird::MetaName&,
+ Jrd::SecurityClass::flags_t, SLONG type, bool recursive, const Firebird::MetaName&,
 const Firebird::MetaName& = "");
 void SCL_check_charset(Jrd::thread_db* tdbb, const Firebird::MetaName&, Jrd::SecurityClass::flags_t);
 void SCL_check_collation(Jrd::thread_db* tdbb, const Firebird::MetaName&, Jrd::SecurityClass::flags_t);
diff --git a/src/jrd/vio.cpp b/src/jrd/vio.cpp
index b96d6882fa..ef019785cb 100644
--- a/src/jrd/vio.cpp
+++ b/src/jrd/vio.cpp
@@ -3964,7 +3964,7 @@ static void check_rel_field_class(thread_db* tdbb,
 // he may have access to relation as whole.
 try
 {
- SCL_check_access(tdbb, s_class, 0, 0, NULL, flags, SCL_object_column, "");
+ SCL_check_access(tdbb, s_class, 0, 0, NULL, flags, SCL_object_column, false, "");
 }
 catch (const Firebird::Exception&)
 {
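Review bot: In the scl_proto.h hunk the new `bool recursive` sits positionally in front of two `const Firebird::MetaName&` parameters, the last of which defaults to `""`. A caller that was not updated and still passes two name arguments as string literals or character arrays may keep compiling, because a pointer converts implicitly to `bool`; the first name would then be read as `recursive == true` and the names would shift by one position, switching on the self-call exemption by accident. A dedicated enum type in place of the `bool` closes that gap, or alternatively the default on the last parameter can be dropped so that a stale argument list fails to compile. The call updated in the vio.cpp hunk (`SCL_object_column, false, ""`) also shows how little the bare literals say at a call site, which a named enumerator would fix as well.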