Skip to content

H
h2database
提交 4db22fbb authored 作者: Thomas Mueller's avatar Thomas Mueller
浏览文件
操作

Access to system tables is now more restrictive for non-admin users (the tables… 

Access to system tables is now more restrictive for non-admin users (the tables can be still listed and read, but some of the data is not included).
上级 9f9e251c
隐藏空白字符变更
内嵌 并排
正在显示 包含 113 行增加64 行删除
h2/src/main/org/h2/table/MetaTable.java
浏览文件 @ 4db22fbb
...@@ -624,6 +624,7 @@ public class MetaTable extends Table { ...@@ -624,6 +624,7 @@ public class MetaTable extends Table {
ArrayList<Row> rows = New.arrayList(); ArrayList<Row> rows = New.arrayList();
String catalog = identifier(database.getShortName()); String catalog = identifier(database.getShortName());
boolean admin = session.getUser().isAdmin();
switch (type) { switch (type) {
case TABLES: { case TABLES: {
for (Table table : getAllTables(session)) { for (Table table : getAllTables(session)) {
...@@ -851,7 +852,7 @@ public class MetaTable extends Table { ...@@ -851,7 +852,7 @@ public class MetaTable extends Table {
add(rows, "info.VERSION_MAJOR", "" + Constants.VERSION_MAJOR); add(rows, "info.VERSION_MAJOR", "" + Constants.VERSION_MAJOR);
add(rows, "info.VERSION_MINOR", "" + Constants.VERSION_MINOR); add(rows, "info.VERSION_MINOR", "" + Constants.VERSION_MINOR);
add(rows, "info.VERSION", "" + Constants.getFullVersion()); add(rows, "info.VERSION", "" + Constants.getFullVersion());
if (session.getUser().isAdmin()) { if (admin) {
String[] settings = { String[] settings = {
"java.runtime.version", "java.runtime.version",
"java.vm.name", "java.vendor", "java.vm.name", "java.vendor",
...@@ -983,76 +984,82 @@ public class MetaTable extends Table { ...@@ -983,76 +984,82 @@ public class MetaTable extends Table {
} }
case USERS: { case USERS: {
for (User u : database.getAllUsers()) { for (User u : database.getAllUsers()) {
add(rows, if (admin || session.getUser() == u) {
// NAME add(rows,
identifier(u.getName()), // NAME
// ADMIN identifier(u.getName()),
String.valueOf(u.isAdmin()), // ADMIN
// REMARKS String.valueOf(u.isAdmin()),
replaceNullWithEmpty(u.getComment()), // REMARKS
// ID replaceNullWithEmpty(u.getComment()),
"" + u.getId() // ID
); "" + u.getId()
);
}
} }
break; break;
} }
case ROLES: { case ROLES: {
for (Role r : database.getAllRoles()) { for (Role r : database.getAllRoles()) {
add(rows, if (admin || session.getUser().isRoleGranted(r)) {
// NAME add(rows,
identifier(r.getName()), // NAME
// REMARKS identifier(r.getName()),
replaceNullWithEmpty(r.getComment()), // REMARKS
// ID replaceNullWithEmpty(r.getComment()),
"" + r.getId() // ID
); "" + r.getId()
);
}
} }
break; break;
} }
case RIGHTS: { case RIGHTS: {
for (Right r : database.getAllRights()) { if (admin) {
Role role = r.getGrantedRole(); for (Right r : database.getAllRights()) {
DbObject grantee = r.getGrantee(); Role role = r.getGrantedRole();
String rightType = grantee.getType() == DbObject.USER ? "USER" : "ROLE"; DbObject grantee = r.getGrantee();
if (role == null) { String rightType = grantee.getType() == DbObject.USER ? "USER" : "ROLE";
Table granted = r.getGrantedTable(); if (role == null) {
String tableName = identifier(granted.getName()); Table granted = r.getGrantedTable();
if (!checkIndex(session, tableName, indexFrom, indexTo)) { String tableName = identifier(granted.getName());
continue; if (!checkIndex(session, tableName, indexFrom, indexTo)) {
continue;
}
add(rows,
// GRANTEE
identifier(grantee.getName()),
// GRANTEETYPE
rightType,
// GRANTEDROLE
"",
// RIGHTS
r.getRights(),
// TABLE_SCHEMA
identifier(granted.getSchema().getName()),
// TABLE_NAME
identifier(granted.getName()),
// ID
"" + r.getId()
);
} else {
add(rows,
// GRANTEE
identifier(grantee.getName()),
// GRANTEETYPE
rightType,
// GRANTEDROLE
identifier(role.getName()),
// RIGHTS
"",
// TABLE_SCHEMA
"",
// TABLE_NAME
"",
// ID
"" + r.getId()
);
} }
add(rows,
// GRANTEE
identifier(grantee.getName()),
// GRANTEETYPE
rightType,
// GRANTEDROLE
"",
// RIGHTS
r.getRights(),
// TABLE_SCHEMA
identifier(granted.getSchema().getName()),
// TABLE_NAME
identifier(granted.getName()),
// ID
"" + r.getId()
);
} else {
add(rows,
// GRANTEE
identifier(grantee.getName()),
// GRANTEETYPE
rightType,
// GRANTEDROLE
identifier(role.getName()),
// RIGHTS
"",
// TABLE_SCHEMA
"",
// TABLE_NAME
"",
// ID
"" + r.getId()
);
} }
} }
break; break;
...@@ -1277,7 +1284,7 @@ public class MetaTable extends Table { ...@@ -1277,7 +1284,7 @@ public class MetaTable extends Table {
} }
case IN_DOUBT: { case IN_DOUBT: {
ArrayList<InDoubtTransaction> prepared = database.getInDoubtTransactions(); ArrayList<InDoubtTransaction> prepared = database.getInDoubtTransactions();
if (prepared != null) { if (prepared != null && admin) {
for (InDoubtTransaction prep : prepared) { for (InDoubtTransaction prep : prepared) {
add(rows, add(rows,
// TRANSACTION // TRANSACTION
...@@ -1504,7 +1511,6 @@ public class MetaTable extends Table { ...@@ -1504,7 +1511,6 @@ public class MetaTable extends Table {
break; break;
} }
case SESSIONS: { case SESSIONS: {
boolean admin = session.getUser().isAdmin();
long now = System.currentTimeMillis(); long now = System.currentTimeMillis();
for (Session s : database.getSessions(false)) { for (Session s : database.getSessions(false)) {
if (admin || s == session) { if (admin || s == session) {
...@@ -1530,7 +1536,6 @@ public class MetaTable extends Table { ...@@ -1530,7 +1536,6 @@ public class MetaTable extends Table {
break; break;
} }
case LOCKS: { case LOCKS: {
boolean admin = session.getUser().isAdmin();
for (Session s : database.getSessions(false)) { for (Session s : database.getSessions(false)) {
if (admin || s == session) { if (admin || s == session) {
for (Table table : s.getLocks()) { for (Table table : s.getLocks()) {
......
h2/src/test/org/h2/test/db/TestRights.java
浏览文件 @ 4db22fbb
...@@ -34,6 +34,7 @@ public class TestRights extends TestBase { ...@@ -34,6 +34,7 @@ public class TestRights extends TestBase {
} }
public void test() throws SQLException { public void test() throws SQLException {
testDisallowedTables();
testDropOwnUser(); testDropOwnUser();
testGetTables(); testGetTables();
testDropTempTables(); testDropTempTables();
...@@ -43,6 +44,49 @@ public class TestRights extends TestBase { ...@@ -43,6 +44,49 @@ public class TestRights extends TestBase {
deleteDb("rights"); deleteDb("rights");
} }
private void testDisallowedTables() throws SQLException {
deleteDb("rights");
Connection conn = getConnection("rights");
stat = conn.createStatement();
stat.execute("CREATE USER IF NOT EXISTS TEST PASSWORD 'TEST'");
stat.execute("CREATE ROLE TEST_ROLE");
stat.execute("CREATE TABLE ADMIN_ONLY(ID INT)");
stat.execute("CREATE TABLE TEST(ID INT)");
stat.execute("GRANT ALL ON TEST TO TEST");
Connection conn2 = getConnection("rights", "TEST", getPassword("TEST"));
Statement stat2 = conn2.createStatement();
String sql = "select * from admin_only where 1=0";
stat.execute(sql);
try {
stat2.execute(sql);
fail();
} catch (SQLException e) {
assertEquals(ErrorCode.NOT_ENOUGH_RIGHTS_FOR_1, e.getErrorCode());
}
DatabaseMetaData meta = conn2.getMetaData();
ResultSet rs;
rs = meta.getTables(null, null, "%", new String[]{"TABLE", "VIEW", "SEQUENCE"});
assertTrue(rs.next());
assertTrue(rs.next());
assertFalse(rs.next());
for (String s : new String[] {
"information_schema.settings where name='property.java.runtime.version'",
"information_schema.users where name='SA'",
"information_schema.roles",
"information_schema.rights",
"information_schema.sessions where user_name='SA'"
}) {
rs = stat2.executeQuery("select * from " + s);
assertFalse(rs.next());
rs = stat.executeQuery("select * from " + s);
assertTrue(rs.next());
}
conn2.close();
conn.close();
}
private void testDropOwnUser() throws SQLException { private void testDropOwnUser() throws SQLException {
deleteDb("rights"); deleteDb("rights");
String user = getUser().toUpperCase(); String user = getUser().toUpperCase();
......
Markdown 格式
0%
您添加了 0 到此讨论。请谨慎行事。
请先完成此评论的编辑!
注册 或者 后发表评论