Home > mailing lists

BUG #4350: 'select' acess given to views containing "union all" even though user has no grants - Mailing list pgsql-bugs

From	Brendan O'Shea
Subject	BUG #4350: 'select' acess given to views containing "union all" even though user has no grants
Date	August 11, 2008 17:36:25
Msg-id	200808111637.m7BGbKZj059864@wwwmaster.postgresql.org Whole thread Raw
Responses	Re: BUG #4350: 'select' acess given to views containing "union all" even though user has no grants
List	pgsql-bugs

Tree view

The following bug has been logged online:

Bug reference:      4350
Logged by:          Brendan O'Shea
Email address:      boshea@akamai.com
PostgreSQL version: 8.2.9
Operating system:   linux-2.4 and windows XP
Description:        'select' acess given to views containing "union all"
even though user has no grants
Details:

There appears to be a bug in the way that permissions are determined for
views that contain "UNION ALL" in their definition.

There is a simple test case to reproduce the bug.

1) As a superuser create the following objects:

CREATE ROLE test_perm LOGIN PASSWORD 'test_perm';

CREATE OR REPLACE VIEW public.simple_select AS SELECT 1;
CREATE OR REPLACE VIEW public.union_all AS SELECT 1 UNION ALL SELECT 2;


2) Now log in as the test_perm user and run the following SQL:

select * from public.simple_select;
select * from public.union_all;

The first SQL statement correctly produces an error, but the second
statement will return results with no error, it should instead generate a
permission error.

pgsql-bugs by date:

From: megous@gmail.com
Date: 11 August 2008, 12:29:11
Subject: Re: ALTER TABLE name RENAME TO new_name; does not work immediately

From: Richard Evans
Date: 11 August 2008, 19:06:23
Subject: Re: BUG #3818: Cross compilation problems

BUG #4350: 'select' acess given to views containing "union all" even though user has no grants - Mailing list pgsql-bugs

Previous

Next