From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Date: Sat, 27 Oct 2018 00:04:00 +0300 From: Vladimir Davydov Subject: Re: [PATCH v2 4/4] sql: check read access while executing SQL query Message-ID: <20181026210400.renemmhvwhqnghqt@esperanza> References: <4190713e5ce5192e75456defc9d0a904ce422aff.1540388902.git.kyukhin@tarantool.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4190713e5ce5192e75456defc9d0a904ce422aff.1540388902.git.kyukhin@tarantool.org> To: Kirill Yukhin Cc: tarantool-patches@freelists.org List-ID: On Thu, Oct 25, 2018 at 11:17:12AM +0300, Kirill Yukhin wrote: > Since SQL front-end is not using box API, > no checkes for read access are performed by VDBE engine. > Add check to IteratorOpen op-code to make sure that read > privilege exists for given space. > Note, that there's is no need to perform DML/DDL checkes as > they're performed by Tarantool's core. > > @TarantoolBot document > Title: Document behaviour of SQL in presence of > read access restrictions. Need to clarify, that This line is like 50 characters long. Why? The limit for commit messages is 72. Doesn't emacs now that? Vim does. > if there's no read access to the space, then not > only SELECT statements will fail, but also those DML > which implies reading from spaces indirectly, e.g.: > UPDATE t1 SET a=2 WHERE b=3; > > Closes #2362 > --- > src/box/sql/vdbe.c | 5 ++ > test/sql/gh-2362-select-access-rights.result | 110 +++++++++++++++++++++++++ > test/sql/gh-2362-select-access-rights.test.lua | 42 ++++++++++ > 3 files changed, 157 insertions(+) > create mode 100644 test/sql/gh-2362-select-access-rights.result > create mode 100644 test/sql/gh-2362-select-access-rights.test.lua Pushed to 2.1