Access to system tables is now more restrictive for non-admin users (the tables…

Access to system tables is now more restrictive for non-admin users (the tables can be still listed and read, but some of the data is not included).

h2/src/main/org/h2/table/MetaTable.java

@@ -624,6 +624,7 @@ public class MetaTable extends Table {
 
         ArrayList<Row> rows = New.arrayList();
         String catalog = identifier(database.getShortName());
+        boolean admin = session.getUser().isAdmin();
         switch (type) {
         case TABLES: {
             for (Table table : getAllTables(session)) {
@@ -851,7 +852,7 @@ public class MetaTable extends Table {
             add(rows, "info.VERSION_MAJOR", "" + Constants.VERSION_MAJOR);
             add(rows, "info.VERSION_MINOR", "" + Constants.VERSION_MINOR);
             add(rows, "info.VERSION", "" + Constants.getFullVersion());
-            if (session.getUser().isAdmin()) {
+            if (admin) {
                 String[] settings = {
                         "java.runtime.version",
                         "java.vm.name", "java.vendor",
@@ -983,6 +984,7 @@ public class MetaTable extends Table {
         }
         case USERS: {
             for (User u : database.getAllUsers()) {
+                if (admin || session.getUser() == u) {
                     add(rows,
                             // NAME
                             identifier(u.getName()),
@@ -994,10 +996,12 @@ public class MetaTable extends Table {
                             "" + u.getId()
                     );
                 }
+            }
             break;
         }
         case ROLES: {
             for (Role r : database.getAllRoles()) {
+                if (admin || session.getUser().isRoleGranted(r)) {
                     add(rows,
                             // NAME
                             identifier(r.getName()),
@@ -1007,9 +1011,11 @@ public class MetaTable extends Table {
                             "" + r.getId()
                     );
                 }
+            }
             break;
         }
         case RIGHTS: {
+            if (admin) {
                 for (Right r : database.getAllRights()) {
                     Role role = r.getGrantedRole();
                     DbObject grantee = r.getGrantee();
@@ -1055,6 +1061,7 @@ public class MetaTable extends Table {
                         );
                     }
                 }
+            }
             break;
         }
         case FUNCTION_ALIASES: {
@@ -1277,7 +1284,7 @@ public class MetaTable extends Table {
         }
         case IN_DOUBT: {
             ArrayList<InDoubtTransaction> prepared = database.getInDoubtTransactions();
-            if (prepared != null) {
+            if (prepared != null && admin) {
                 for (InDoubtTransaction prep : prepared) {
                     add(rows,
                             // TRANSACTION
@@ -1504,7 +1511,6 @@ public class MetaTable extends Table {
             break;
         }
         case SESSIONS: {
-            boolean admin = session.getUser().isAdmin();
             long now = System.currentTimeMillis();
             for (Session s : database.getSessions(false)) {
                 if (admin || s == session) {
@@ -1530,7 +1536,6 @@ public class MetaTable extends Table {
             break;
         }
         case LOCKS: {
-            boolean admin = session.getUser().isAdmin();
             for (Session s : database.getSessions(false)) {
                 if (admin || s == session) {
                     for (Table table : s.getLocks()) {

h2/src/test/org/h2/test/db/TestRights.java

@@ -34,6 +34,7 @@ public class TestRights extends TestBase {
     }
 
     public void test() throws SQLException {
+        testDisallowedTables();
         testDropOwnUser();
         testGetTables();
         testDropTempTables();
@@ -43,6 +44,49 @@ public class TestRights extends TestBase {
         deleteDb("rights");
     }
 
+    private void testDisallowedTables() throws SQLException {
+        deleteDb("rights");
+        Connection conn = getConnection("rights");
+        stat = conn.createStatement();
+
+        stat.execute("CREATE USER IF NOT EXISTS TEST PASSWORD 'TEST'");
+        stat.execute("CREATE ROLE TEST_ROLE");
+        stat.execute("CREATE TABLE ADMIN_ONLY(ID INT)");
+        stat.execute("CREATE TABLE TEST(ID INT)");
+        stat.execute("GRANT ALL ON TEST TO TEST");
+        Connection conn2 = getConnection("rights", "TEST", getPassword("TEST"));
+        Statement stat2 = conn2.createStatement();
+
+        String sql = "select * from admin_only where 1=0";
+        stat.execute(sql);
+        try {
+            stat2.execute(sql);
+            fail();
+        } catch (SQLException e) {
+            assertEquals(ErrorCode.NOT_ENOUGH_RIGHTS_FOR_1, e.getErrorCode());
+        }
+
+        DatabaseMetaData meta = conn2.getMetaData();
+        ResultSet rs;
+        rs = meta.getTables(null, null, "%", new String[]{"TABLE", "VIEW", "SEQUENCE"});
+        assertTrue(rs.next());
+        assertTrue(rs.next());
+        assertFalse(rs.next());
+        for (String s : new String[] {
+                "information_schema.settings where name='property.java.runtime.version'",
+                "information_schema.users where name='SA'",
+                "information_schema.roles",
+                "information_schema.rights",
+                "information_schema.sessions where user_name='SA'"
+                }) {
+            rs = stat2.executeQuery("select * from " + s);
+            assertFalse(rs.next());
+            rs = stat.executeQuery("select * from " + s);
+            assertTrue(rs.next());
+        }
+        conn2.close();
+        conn.close();
+    }
     private void testDropOwnUser() throws SQLException {
         deleteDb("rights");
         String user = getUser().toUpperCase();