test_views.sql
[MDEV-15934] It is possible to replace a row that is not in a view Created: 2018-04-19 Updated: 2022-01-28 |
|
| Status: | Open |
| Project: | MariaDB Server |
| Component/s: | Data Manipulation - Delete |
| Affects Version/s: | 10.2.14 |
| Fix Version/s: | 10.2 |
| Type: | Bug | Priority: | Minor |
| Reporter: | Philippe Jean | Assignee: | Oleksandr Byelkin |
| Resolution: | Unresolved | Votes: | 0 |
| Labels: | None | ||
| Attachments: |
test_views.sql
|
| Description |
|
I created a view with the MERGE algorithm to manage security. Everything is OK for INSERT, UPDATE and DELETE statement, the view is doing its job. For REPLACE statement, if we know the value of the primary key, it is possible to replace rows that are not visible in the view. I can not find anything in the documentation that specifies that. I joined the SQL file to create a small DB. Here is the SQL query to use to replace row. Is this normal? I think the view should be doing filter job here ... Thank you |
| Comments |
| Comment by Alice Sherepa [ 2018-04-20 ] | |||||||||||||||||||
|
view was created as "WHERE test.Account = 1", so :
and after "DELETE FROM view_test WHERE PrimKey = 2;" row with (2,1,BBB) will be deleted | |||||||||||||||||||
| Comment by Philippe Jean [ 2018-04-20 ] | |||||||||||||||||||
|
I'm so sorry, it's for REPLACE statement. I edited the desscription of the case and the query in the description. My problem is that a user can overwrite a row that he does not normally have access to. Thank you, | |||||||||||||||||||
| Comment by Alice Sherepa [ 2018-04-26 ] | |||||||||||||||||||
|
Thanks for the report! It looks like it is a bug, that row should not be deleted as it is not in a view (if replace=delete+insert)
|