At 05:14 12/07/00 -0400, D'Arcy J.M. Cain wrote:
>Thus spake Philip Warner
>> > Not to mention the juicy topics of access permissions and
>> >possible errors.
>>
>> Can't one fall back here on the 'insert followed by select' analogy? Or is
>> there a specific example that you have in mind?
>
>I think the thing he has in mind is the situation where one has insert
>perms but not select. The decision is whether to have the insert fail
>if the select fails. Or, do you allow the (virtual) select in this
>case since it is your own inserted row you are trying to read?
I would be inclined to follow the perms; is there a problem with that? You
should not let them read the row they inserted since it *may* contain
sensitive (automatically generated) data - the DBA must have had a reason
for preventing SELECT.
The next question is whether they should be allowed to do the insert, and
again I would be inclined to say 'no'. Can we check perms easily at the start?
----------------------------------------------------------------
Philip Warner | __---_____
Albatross Consulting Pty. Ltd. |----/ - \
(A.C.N. 008 659 498) | /(@) ______---_
Tel: (+61) 0500 83 82 81 | _________ \
Fax: (+61) 0500 83 82 82 | ___________ |
Http://www.rhyme.com.au | / \| | --________--
PGP key available upon request, | /
and from pgp5.ai.mit.edu:11371 |/
