sql: check access rights of table in VIEW

When access is performed using VIEW, access rights should be checked against table[s] which it is referencing, not against VIEW itself. Added a test case to verify this behaviour. Closes #4104

sql: check access rights of table in VIEW
c0ae52e8 · Kirill Shcherbatov · Kirill Yukhin · 8e337858 · c0ae52e8 · c0ae52e8
Commit c0ae52e8 authored 5 years ago by Kirill Shcherbatov Committed by Kirill Yukhin 5 years ago
--- a/test/sql/gh-4104-view-access-check.result
+++ b/test/sql/gh-4104-view-access-check.result
+box.execute("CREATE TABLE supersecret(id INT PRIMARY KEY, data TEXT);")
+---
+- row_count: 1
+...
+box.execute("CREATE TABLE supersecret2(id INT PRIMARY KEY, data TEXT);")
+---
+- row_count: 1
+...
+box.execute("INSERT INTO supersecret VALUES(1, 'very very big secret');")
+---
+- row_count: 1
+...
+box.execute("INSERT INTO supersecret2 VALUES(1, 'very big secret 2');")
+---
+- row_count: 1
+...
+box.execute("CREATE VIEW supersecret_leak AS  SELECT * FROM supersecret, supersecret2;")
+---
+- row_count: 1
+...
+remote = require 'net.box'
+---
+...
+cn = remote.connect(box.cfg.listen)
+---
+...
+box.schema.user.grant('guest','read', 'space', 'SUPERSECRET_LEAK')
+---
+...
+cn:execute('SELECT * FROM SUPERSECRET_LEAK')
+---
+- error: Read access to space 'SUPERSECRET' is denied for user 'guest'
+...
+box.schema.user.grant('guest','read', 'space', 'SUPERSECRET')
+---
+...
+cn:execute('SELECT * FROM SUPERSECRET_LEAK')
+---
+- error: Read access to space 'SUPERSECRET2' is denied for user 'guest'
+...
+box.schema.user.revoke('guest','read', 'space', 'SUPERSECRET')
+---
+...
+box.schema.user.revoke('guest','read', 'space', 'SUPERSECRET_LEAK')
+---
+...
+box.execute("DROP VIEW supersecret_leak")
+---
+- row_count: 1
+...
+box.execute("DROP TABLE supersecret")
+---
+- row_count: 1
+...
+box.execute("DROP TABLE supersecret2")
+---
+- row_count: 1
+...
--- a/test/sql/gh-4104-view-access-check.test.lua
+++ b/test/sql/gh-4104-view-access-check.test.lua
+box.execute("CREATE TABLE supersecret(id INT PRIMARY KEY, data TEXT);")
+box.execute("CREATE TABLE supersecret2(id INT PRIMARY KEY, data TEXT);")
+box.execute("INSERT INTO supersecret VALUES(1, 'very very big secret');")
+box.execute("INSERT INTO supersecret2 VALUES(1, 'very big secret 2');")
+box.execute("CREATE VIEW supersecret_leak AS  SELECT * FROM supersecret, supersecret2;")
+remote = require 'net.box'
+cn = remote.connect(box.cfg.listen)
+
+box.schema.user.grant('guest','read', 'space', 'SUPERSECRET_LEAK')
+cn:execute('SELECT * FROM SUPERSECRET_LEAK')
+box.schema.user.grant('guest','read', 'space', 'SUPERSECRET')
+cn:execute('SELECT * FROM SUPERSECRET_LEAK')
+
+box.schema.user.revoke('guest','read', 'space', 'SUPERSECRET')
+box.schema.user.revoke('guest','read', 'space', 'SUPERSECRET_LEAK')
+box.execute("DROP VIEW supersecret_leak")
+box.execute("DROP TABLE supersecret")
+box.execute("DROP TABLE supersecret2")