From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Date: Wed, 22 Aug 2018 19:47:55 +0300 From: Vladimir Davydov Subject: Re: [PATCH v2 3/4] Add single object privilege checks to access_check_ddl. Message-ID: <20180822164755.6eomdsuptgluumc2@esperanza> References: <6d1b868fa068adbfd54b7af731cc311e33f101fd.1534944662.git.sergepetrenko@tarantool.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <6d1b868fa068adbfd54b7af731cc311e33f101fd.1534944662.git.sergepetrenko@tarantool.org> To: Serge Petrenko Cc: kostja@tarantool.org, tarantool-patches@freelists.org List-ID: On Wed, Aug 22, 2018 at 04:39:04PM +0300, Serge Petrenko wrote: > @@ -1862,3 +1877,173 @@ box.session.su('admin') > box.schema.user.drop('tester') > --- > ... > +-- > +-- test case for 3530: do not ignore single object privileges > +-- > +box.schema.user.create("test") > +--- > +... > +_ = box.schema.space.create("space1") > +--- > +... > +box.schema.user.grant("test", "read", "space", "space1") > +--- > +... > +box.schema.user.grant("test", "write", "space", "_index") > +--- > +... > +box.session.su("test") > +--- > +... > +box.space.space1:create_index("pk") > +--- > +- error: Create access to space 'space1' is denied for user 'test' > +... > +box.session.su("admin") > +--- > +... > +box.space.space1.index[0] == nil > +--- > +- true > +... > +-- fixme: cannot grant create on a single space > +-- this is because when checking for create > +-- access_check_ddl ignores space privileges, Please don't use code function names in tests - if they change (and they can), it'll be difficult to understand what this test is about. > +-- assuming that there is no space yet. I thought you fixed that in v2 by dropping PRIV_C check from access_check_ddl, no?
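Review bot: the case under "test case for 3530: do not ignore single object privileges" only exercises the denial path in the lines quoted here. User "test" is granted read on space1 and write on _index, and create_index("pk") is expected to fail with "Create access to space 'space1' is denied", followed by the index[0] == nil check. Nothing in the quoted part shows a privilege granted on a single object being honoured, which is what the case header promises. Consider following the denial with a case where the needed per-object privilege is granted and the same create_index call succeeds. Also consider wording the fixme in terms of user-visible behaviour (which grant call fails and with what error) so the expected output that follows can be checked against the stated intent.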