[ http://tracker.firebirdsql.org/browse/CORE-4985?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dmitry Yemanov reopened CORE-4985:
----------------------------------

Fix Version/s: (was: 4.0 Alpha 1)

Re-opened due to regression found, fix is rolled back.

> Non-privileged user can implicitly count records in a restricted table
> ----------------------------------------------------------------------
>
> Key: CORE-4985
> URL: http://tracker.firebirdsql.org/browse/CORE-4985
> Project: Firebird Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 2.5.5, 3.0 RC2, 4.0 Initial
> Reporter: Pavel Zotov
> Assignee: Dmitry Yemanov
>
> SQL> create or alter user john password '123';
> SQL> create table test(id int);
> SQL> set count on;
> SQL> insert into test select row_number()over() from rdb$types rows 7;
> Records affected: 7
> SQL> commit;
> SQL> revoke all on all from john;
> Warning: ALL on ALL is not granted to JOHN.
> SQL> commit;
> SQL> connect '/3333:e30' user john password '123';
> Database: '/3333:e30', User: JOHN
> SQL> select count(*) from test;
> Statement failed, SQLSTATE = 28000
> no permission for SELECT access to TABLE TEST ----- OK, expected
> SQL> set count on;
> SQL> select 1 from test;
>     CONSTANT
> ============
>            1
>            1
>            1
>            1
>            1
>            1
>            1
> Records affected: 7 -------------- ?? Why can he know the result of COUNT(*)
> using this way ?
> WI-V3.0.0.32136
> PS. Maybe this is not a bug, but IMO the user should not have *any* knowledge
> about such a table, even about the number of rows in it.