Skip to content

H
h2database
提交 4db22fbb authored 作者: Thomas Mueller's avatar Thomas Mueller
浏览文件
操作

Access to system tables is now more restrictive for non-admin users (the tables… 

Access to system tables is now more restrictive for non-admin users (the tables can be still listed and read, but some of the data is not included).
上级 9f9e251c
隐藏空白字符变更
内嵌 并排
正在显示 包含 113 行增加64 行删除
h2/src/main/org/h2/table/MetaTable.java
浏览文件 @ 4db22fbb
......@@ -624,6 +624,7 @@ public class MetaTable extends Table {
ArrayList<Row> rows = New.arrayList();
String catalog = identifier(database.getShortName());
boolean admin = session.getUser().isAdmin();
switch (type) {
case TABLES: {
for (Table table : getAllTables(session)) {
......@@ -851,7 +852,7 @@ public class MetaTable extends Table {
add(rows, "info.VERSION_MAJOR", "" + Constants.VERSION_MAJOR);
add(rows, "info.VERSION_MINOR", "" + Constants.VERSION_MINOR);
add(rows, "info.VERSION", "" + Constants.getFullVersion());
if (session.getUser().isAdmin()) {
if (admin) {
String[] settings = {
"java.runtime.version",
"java.vm.name", "java.vendor",
......@@ -983,76 +984,82 @@ public class MetaTable extends Table {
}
case USERS: {
for (User u : database.getAllUsers()) {
add(rows,
// NAME
identifier(u.getName()),
// ADMIN
String.valueOf(u.isAdmin()),
// REMARKS
replaceNullWithEmpty(u.getComment()),
// ID
"" + u.getId()
);
if (admin || session.getUser() == u) {
add(rows,
// NAME
identifier(u.getName()),
// ADMIN
String.valueOf(u.isAdmin()),
// REMARKS
replaceNullWithEmpty(u.getComment()),
// ID
"" + u.getId()
);
}
}
break;
}
case ROLES: {
for (Role r : database.getAllRoles()) {
add(rows,
// NAME
identifier(r.getName()),
// REMARKS
replaceNullWithEmpty(r.getComment()),
// ID
"" + r.getId()
);
if (admin || session.getUser().isRoleGranted(r)) {
add(rows,
// NAME
identifier(r.getName()),
// REMARKS
replaceNullWithEmpty(r.getComment()),
// ID
"" + r.getId()
);
}
}
break;
}
case RIGHTS: {
for (Right r : database.getAllRights()) {
Role role = r.getGrantedRole();
DbObject grantee = r.getGrantee();
String rightType = grantee.getType() == DbObject.USER ? "USER" : "ROLE";
if (role == null) {
Table granted = r.getGrantedTable();
String tableName = identifier(granted.getName());
if (!checkIndex(session, tableName, indexFrom, indexTo)) {
continue;
if (admin) {
for (Right r : database.getAllRights()) {
Role role = r.getGrantedRole();
DbObject grantee = r.getGrantee();
String rightType = grantee.getType() == DbObject.USER ? "USER" : "ROLE";
if (role == null) {
Table granted = r.getGrantedTable();
String tableName = identifier(granted.getName());
if (!checkIndex(session, tableName, indexFrom, indexTo)) {
continue;
}
add(rows,
// GRANTEE
identifier(grantee.getName()),
// GRANTEETYPE
rightType,
// GRANTEDROLE
"",
// RIGHTS
r.getRights(),
// TABLE_SCHEMA
identifier(granted.getSchema().getName()),
// TABLE_NAME
identifier(granted.getName()),
// ID
"" + r.getId()
);
} else {
add(rows,
// GRANTEE
identifier(grantee.getName()),
// GRANTEETYPE
rightType,
// GRANTEDROLE
identifier(role.getName()),
// RIGHTS
"",
// TABLE_SCHEMA
"",
// TABLE_NAME
"",
// ID
"" + r.getId()
);
}
add(rows,
// GRANTEE
identifier(grantee.getName()),
// GRANTEETYPE
rightType,
// GRANTEDROLE
"",
// RIGHTS
r.getRights(),
// TABLE_SCHEMA
identifier(granted.getSchema().getName()),
// TABLE_NAME
identifier(granted.getName()),
// ID
"" + r.getId()
);
} else {
add(rows,
// GRANTEE
identifier(grantee.getName()),
// GRANTEETYPE
rightType,
// GRANTEDROLE
identifier(role.getName()),
// RIGHTS
"",
// TABLE_SCHEMA
"",
// TABLE_NAME
"",
// ID
"" + r.getId()
);
}
}
break;
......@@ -1277,7 +1284,7 @@ public class MetaTable extends Table {
}
case IN_DOUBT: {
ArrayList<InDoubtTransaction> prepared = database.getInDoubtTransactions();
if (prepared != null) {
if (prepared != null && admin) {
for (InDoubtTransaction prep : prepared) {
add(rows,
// TRANSACTION
......@@ -1504,7 +1511,6 @@ public class MetaTable extends Table {
break;
}
case SESSIONS: {
boolean admin = session.getUser().isAdmin();
long now = System.currentTimeMillis();
for (Session s : database.getSessions(false)) {
if (admin || s == session) {
......@@ -1530,7 +1536,6 @@ public class MetaTable extends Table {
break;
}
case LOCKS: {
boolean admin = session.getUser().isAdmin();
for (Session s : database.getSessions(false)) {
if (admin || s == session) {
for (Table table : s.getLocks()) {
......
h2/src/test/org/h2/test/db/TestRights.java
浏览文件 @ 4db22fbb
......@@ -34,6 +34,7 @@ public class TestRights extends TestBase {
}
public void test() throws SQLException {
testDisallowedTables();
testDropOwnUser();
testGetTables();
testDropTempTables();
......@@ -43,6 +44,49 @@ public class TestRights extends TestBase {
deleteDb("rights");
}
private void testDisallowedTables() throws SQLException {
deleteDb("rights");
Connection conn = getConnection("rights");
stat = conn.createStatement();
stat.execute("CREATE USER IF NOT EXISTS TEST PASSWORD 'TEST'");
stat.execute("CREATE ROLE TEST_ROLE");
stat.execute("CREATE TABLE ADMIN_ONLY(ID INT)");
stat.execute("CREATE TABLE TEST(ID INT)");
stat.execute("GRANT ALL ON TEST TO TEST");
Connection conn2 = getConnection("rights", "TEST", getPassword("TEST"));
Statement stat2 = conn2.createStatement();
String sql = "select * from admin_only where 1=0";
stat.execute(sql);
try {
stat2.execute(sql);
fail();
} catch (SQLException e) {
assertEquals(ErrorCode.NOT_ENOUGH_RIGHTS_FOR_1, e.getErrorCode());
}
DatabaseMetaData meta = conn2.getMetaData();
ResultSet rs;
rs = meta.getTables(null, null, "%", new String[]{"TABLE", "VIEW", "SEQUENCE"});
assertTrue(rs.next());
assertTrue(rs.next());
assertFalse(rs.next());
for (String s : new String[] {
"information_schema.settings where name='property.java.runtime.version'",
"information_schema.users where name='SA'",
"information_schema.roles",
"information_schema.rights",
"information_schema.sessions where user_name='SA'"
}) {
rs = stat2.executeQuery("select * from " + s);
assertFalse(rs.next());
rs = stat.executeQuery("select * from " + s);
assertTrue(rs.next());
}
conn2.close();
conn.close();
}
private void testDropOwnUser() throws SQLException {
deleteDb("rights");
String user = getUser().toUpperCase();
......
Markdown 格式
0%
您添加了 0 到此讨论。请谨慎行事。
请先完成此评论的编辑!
注册 或者 后发表评论