1
我拿到了數據庫「比基尼環礁」使用此PostgreSQL的代碼創建:在觸發功能無權限選擇上表
CREATE TABLE TESTA (
name character varying NOT NULL,
age integer NOT NULL,
PRIMARY KEY(name)
);
CREATE DOMAIN RANK AS character varying
CHECK (
VALUE = 'bigmac' OR
VALUE = 'smallmac'
);
CREATE TABLE TESTB (
name character varying NOT NULL,
rank character varying NOT NULL,
PRIMARY KEY(name)
);
CREATE OR REPLACE VIEW TESTAB AS
SELECT * FROM (TESTA
JOIN
TESTB
ON TESTA.name = TESTB.name);
CREATE OR REPLACE RULE TESTAB_INSERT
AS ON INSERT TO TESTAB
DO INSTEAD (
INSERT INTO TESTA (name,age) VALUES (NEW.name,NEW.age);
INSERT INTO TESTB (name,rank) VALUES (NEW.name,NEW.rank);
)
CREATE OR REPLACE FUNCTION testRankToAge() RETURNS TRIGGER AS $$
DECLARE
ageRes integer;
BEGIN
SELECT AGE INTO ageRes
FROM TESTA
WHERE name = NEW.name;
IF (ageRes < 42) AND (NEW.rank = 'bigmac')
THEN
RAISE EXCEPTION 'YOU CANNOT BE BIGMAC AT THAT AGE';
END IF;
END
$$ LANGUAGE plpgsql;
CREATE OR REPLACE TRIGGER rankToAgeTrigger
AFTER INSERT
ON TESTB
FOR EACH ROW
EXECUTE PROCEDURE testRankToAge();
DROP ROLE IF EXISTS testUser;
CREATE ROLE testUser WITH PASSWORD '123456' LOGIN;
GRANT INSERT ON TESTAB TO testUser;
現在,我想我的(共LISP)程序做一個簡單的插入:
(clsql:file-enable-sql-reader-syntax)
(clsql-sys:with-database (db (list "localhost" "bikini-atoll" "testuser" "123456") :database-type :postgresql)
(clsql-sys:insert-records :into [TESTAB]
:attributes '([NAME] [AGE] [RANK])
:values '("sir" 44 "bigmac")
:database db))
這基本上是一個:
INSERT INTO TESTAB (NAME,AGE,RANK) VALUES ('sir',44,'bigmac');
作爲用戶TESTUSER(I懷疑這是一個程序語言具體問題,以及更多的一些壞的數據庫/觸發器設計)。
但(意外)的結果是:
Error 42501/FEHLER: no permission for relation testa
CONTEXT: SQL-COMMAND „SELECT AGE FROM TESTA
WHERE name = NEW.name「
PL/pgSQL-Funktion testranktoage() LINE 5 AT SQL-Command
has occurred.
這將表明TESTUSER還需要任何表的觸發器可以做的東西,這似乎有點奇怪,因爲我認爲的一個SELECT權限視圖的主要原因是限制/過濾用戶對錶的訪問權限,這與批准一致性觸發器所需的任何SELECT相反。
如何修復/防止此曙光許可破壞?