Hi,
Can I propagate the privileges down into the call stack when using WITH CALLER
PRIVILEGES? For example:

CREATE TABLE T_TEST (ID INTEGER NOT NULL,
  CONSTRAINT PK_TEST PRIMARY KEY (ID));

/* Switch the isql statement terminator so the package bodies can contain ';' */
SET TERM ^ ;

/* Package header: PKG_TEST, Owner: SYSDBA */
CREATE PACKAGE PKG_TEST AS
begin
  procedure test returns (i int);
end^

/* Package header: PKG_TEST_LIMITED, Owner: SYSDBA */
CREATE PACKAGE PKG_TEST_LIMITED AS
begin
  procedure test returns (i int);
end^

/* Package body: PKG_TEST, Owner: SYSDBA */
CREATE PACKAGE BODY PKG_TEST AS
begin
  procedure test returns (i int)
  as
  begin
    /* Reads T_TEST directly */
    for select id from t_test into :i do
    begin
      suspend;
    end
  end
end^

/* Package body: PKG_TEST_LIMITED, Owner: SYSDBA */
CREATE PACKAGE BODY PKG_TEST_LIMITED AS
begin
  procedure test returns (i int)
  as
  begin
    /* Calls PKG_TEST.TEST through dynamic SQL with the caller's privileges */
    for execute statement 'select i from pkg_test.test'
      with caller privileges into :i do
    begin
      suspend;
    end
  end
end^

/* Restore the default statement terminator */
SET TERM ; ^

/* Grant permissions for this database */
GRANT SELECT ON T_TEST TO PACKAGE PKG_TEST_LIMITED;
GRANT EXECUTE ON PACKAGE PKG_TEST_LIMITED TO USER LIMITED;

Now if I do, under the LIMITED user, `select * from pkg_test_limited.test;` it will
end up with `no permission for SELECT access to TABLE T_TEST`. But if I change
the execute statement into `for execute statement 'select id from t_test' with
caller privileges into :i do` everything is fine.

I guess the "caller privileges" is propagated only into `pkg_test_limited.test`
when calling, but not further into `t_test`. Can I somehow make it
work/propagate? Or did I misunderstand the feature?

--
Mgr. Jiří Činčura
https://www.tabsoverspaces.com/
Firebird-Devel mailing list, web interface at
https://lists.sourceforge.net/lists/listinfo/firebird-devel