Обсуждение: permission-error in tables with referential integrity


permission-error in tables with referential integrity

Gert Pache (uhx2@rz.uni-karlsruhe.de) reports a bug with a severity of 1
The lower the number the more severe it is.

Short Description
permission-error in tables with referential integrity

Long Description
Suppose you have a table A, which no user should be able to alter
Table B is a table, the user tom schould be able to insert/delete/select/update data.

It isn't possible to grant tom only select-rights on B, as postgre complains missing permissions for tom. (see code

I think that's a devasting problem, since if i also grant the update right on A to make him able to
insert/delete/updatehis record in B, 
he also gets the delete right (as update/delete isn't distinguished in postgre). An furthermore he gets also the
insert-right(the other bug-report) 

Posgre-Version: 7.0.1

Sample Code
-- Superuser creates Table A and B with rights as explanied above

delme=# create TABLE a ( int id primary key, value varchar );
ERROR:  Unable to locate type name 'id' in catalog
delme=# create TABLE a ( id int primary key, value varchar );
NOTICE:  CREATE TABLE/PRIMARY KEY will create implicit index 'a_pkey' for table 'a'
delme=# insert into a values (0,'wert0');
INSERT 76484 1
delme=# create TABLE b (id int, ref int references a);
NOTICE:  CREATE TABLE will create implicit trigger(s) for FOREIGN KEY check(s)
delme=# revoke all on a from public;
delme=# grant select on a to pgtester;
delme=# grant update, insert, select, delete on b to pgtester;
delme=# \dp a
Access permissions for database "delme"
 Relation | Access permissions
 a        | {"=","pgtester=r"}
(1 row)
delme=# \dp b
Access permissions for database "delme"
 Relation |  Access permissions
 b        | {"=","pgtester=arw"}
(1 row)

-- user pgtester isn't able to insert records in table B
-- (Because he has no permissions on A(!))
delme=> insert into b values ( 0, 0 );
ERROR:  a: Permission denied.

-- superuser also grants update to pgtester
delme=# grant update on a to pgtester;

-- now pgdelme=> insert into b values ( 0, 0 );
INSERT 76450 1
tester is able to insert into b

No file was uploaded with this report