|Subject||RE: [firebird-support] Re: Grants query|
> Hi Alan!then why doesn't update permission give sufficient rights to update? i.e. to
> To me, it seems like a strange requirement to give someone UPDATE
> permission without SELECT permission. But given that this is the
select "enough" to update? Giving update permission should give update
permission. If update does nothing without select what's the purpose?
> situation, I can well understand why they cannot use a WHERE clausebuth without select permission, this update fails if no select permission is
> without the SELECT permission:
> Suppose Robin Hood wanted to check whether you were a suitable victim,
> but only had UPDATE rights to the Employee table. If he could update
> with a WHERE clause, he could simply do
> UPDATE Employee
> SET PK = PK
> WHERE Name = 'Alan McDonald'
> AND Salary > '50000'
> AND Debt < '30000'
> If the number of updated rows then were > 0, he would know that you
> were a wealthy man, well worth robbing.
> Hence, if you can use UPDATE with a WHERE clause, you would in many
> cases be able to guess things that you normally would need a SELECT
> permission to do (though it would be more cumbersome).
> --- In firstname.lastname@example.org, "Alan McDonald" wrote:
> > Grants logic question:
> > If I want to a user to update a specific row in a table (PK), then
> > the user must have UPDATE and SELECT permissions since you use the
> > WHERE ID=? syntax.
> > But if the user doesn't have SELECT permissions, it can update ALL
> > rows, since no WHERE clause is used. Can someone explain why table
> > wide update ability is less stringent than a single row update?
> > thanks
> > Alan