Forgot to regenerate the patch after last-minute fix before sending
email... Missing closing parenthesis in previous patch. New patch
attached.

On Mon, Feb 27, 2012 at 01:41:21PM +0100, Lionel Elie Mamane wrote:
Attached patch fixes fdo#46675, a regression in 3.5.1rc1 wrt 3.5.0
introduced in the fix for fdo#45254. It is a backport of my
corresponding commit in master; in 3.5.1 only getTablePrivileges is
affected, not getColumnPrivileges.

A PostgreSQL role can be a member of another role. Think of the first
role as a user and of the second role as a group; a role can be both a
user and a group.

PostgreSQL-SDBC in LibreOffice 3.5.1 leads the rest of the system to
ignore privileges (permissions) given to a user via a group
membership. This has the consequence that Base (e.g. in a form) won't
allow the user to make things he is allowed to do: e.g. edit data,
insert new data, ...: The corresponding UI elements are locked /
greyed out, in the case that the user does not have that privilege
directly, but "only" via a group membership.

The bug has a testcase, but one needs a PostgreSQL server to test.

The patch duplicates every privilege description line given to a role
(group) for each member of that role, by doing a cross-product with
every existing role, and restricting to rows such that the role is a
member of the grantee group. PUBLIC is the special role "anyone".
"pg_has_role(pr.oid, dp.grantee, 'USAGE')" is true if and only if
pr.oid is a member of dp.grantee; it is false otherwise.


Please apply to libreoffice-3-5 and libreoffice-3-5-1.
From 72e2ca2d1e915cc998ae286ede8b47eae2b45b09 Mon Sep 17 00:00:00 2001
From: Lionel Elie Mamane <lionel@mamane.lu>
Date: Mon, 27 Feb 2012 13:10:40 +0100
Subject: [PATCH] fdo#46675: expand group memberships in PostgreSQL-SDBC
 get*Privileges

---
 .../drivers/postgresql/pq_databasemetadata.cxx     |    8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/connectivity/source/drivers/postgresql/pq_databasemetadata.cxx 
b/connectivity/source/drivers/postgresql/pq_databasemetadata.cxx
index bfc7be0..6b6b8fe 100644
--- a/connectivity/source/drivers/postgresql/pq_databasemetadata.cxx
+++ b/connectivity/source/drivers/postgresql/pq_databasemetadata.cxx
@@ -1732,7 +1732,8 @@ static void columnMetaData2DatabaseTypeDescription(
 
     rtl::OUStringBuffer sSQL(260);
     sSQL.append( ASCII_STR(
-            " SELECT * FROM ("
+            " SELECT dp.TABLE_CAT, dp.TABLE_SCHEM, dp.TABLE_NAME, dp.GRANTOR, pr.rolname AS 
GRANTEE, dp.privilege, dp.is_grantable "
+            " FROM ("
             "  SELECT table_catalog AS TABLE_CAT, table_schema AS TABLE_SCHEM, table_name,"
             "         grantor, grantee, privilege_type AS PRIVILEGE, is_grantable"
             "  FROM information_schema.table_privileges") );
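Review bot: The outer select list added at the top of this hunk takes GRANTEE from `pr.rolname` instead of `dp.grantee`, but nothing in the code says why, and `pr` is not defined until a later `sSQL.append`. A short comment above this append stating that each grant is expanded to every role that is a member of the grantee, and that PUBLIC expands to all roles, would make the query readable without the mailing-list explanation. The commit message has no body, so the same sentence belongs there too. The first append alone is now longer than the `sSQL(260)` initial capacity, which could be raised while touching this.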
@@ -1754,8 +1755,9 @@ static void columnMetaData2DatabaseTypeDescription(
             "  WHERE c.relkind IN ('r', 'v') AND c.relacl IS NULL AND pg_has_role(rg.oid, 
c.relowner, 'USAGE')"
             "        AND c.relowner=ro.oid AND c.relnamespace = pn.oid") );
     sSQL.append( ASCII_STR(
-            " ) s"
-            " WHERE table_schem LIKE ? AND table_name LIKE ? "
+            " ) dp,"
+            " (SELECT oid, rolname FROM pg_catalog.pg_roles UNION ALL VALUES (0, 'PUBLIC')) pr"
+            " WHERE table_schem LIKE ? AND table_name LIKE ? AND (dp.grantee = 'PUBLIC' OR 
pg_has_role(pr.oid, dp.grantee, 'USAGE'))"
             " ORDER BY table_schem, table_name, privilege" ) );
 
     Reference< XPreparedStatement > statement = m_origin->prepareStatement( 
sSQL.makeStringAndClear() );
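Review bot: In the new WHERE clause, a role that holds a privilege both directly and through a group (or through two groups) matches more than one `dp` row and comes out as several rows with the same GRANTEE and PRIVILEGE, because `pg_has_role(pr.oid, dp.grantee, 'USAGE')` is true for each of them and there is no DISTINCT or GROUP BY. If callers of getTablePrivileges expect one row per grantee and privilege, consider deduplicating, keeping in mind that GRANTOR and is_grantable can differ between the duplicates. Two smaller points: the `(0, 'PUBLIC')` row means `pg_has_role` can be called with oid 0 for non-PUBLIC grantees, which deserves a quick check against the supported server versions; and the ORDER BY does not include the grantee, so row order within one table and privilege is unspecified.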
-- 
1.7.7.3

