| Subject | Weird user rights problem |
|---|---|
| Author | PenWin |
| Post date | 2006-09-11T07:03:19Z |
Hi!
I am trying to write a web frontend to some parts of my database. In order
to keep the data secure I created a new user for the database (INETUSER) and
now I am trying to give him minimal rights needed to the database. What I
decided to do is to create a few stored procedures (such as INTERNET_LOGIN
or INTERNET_SHOW_ORDER) which would handle all data access and incidentally
prevent the internet users from accessing any table (because they won't have
any right to any table, just EXECUTE on these procedures):
GRANT EXECUTE ON PROCEDURE internet_show_order TO inetuser;
GRANT EXECUTE ON PROCEDURE internet_login TO inetuser;
...
I have discovered that this is not enough and that I need to give table
rigths to those procedures, otherwise they can't access the data. Which is
sad but I can live with it:
GRANT SELECT ON customers TO PROCEDURE internet_login;
GRANT INSERT ON sessions TO PROCEDURE internet_login;
...
Now it seems to work correctly for all procedures but one. That one
procedure is building a query at runtime (it adds or removes WHERE
conditions depending on user's input) and then reads data from that query
through EXECUTE STATEMENT query INTO :field1, :field2... While the procedure
has rights to the relevant tables granted (through statements similar to
those above), it still fails with an error message "No permission for
read/select access to table PRICES". Any idea why? I suspect that execute
statement needs a special rights handling, but I have no idea which.
Thanks,
Pepak
I am trying to write a web frontend to some parts of my database. In order
to keep the data secure I created a new user for the database (INETUSER) and
now I am trying to give him minimal rights needed to the database. What I
decided to do is to create a few stored procedures (such as INTERNET_LOGIN
or INTERNET_SHOW_ORDER) which would handle all data access and incidentally
prevent the internet users from accessing any table (because they won't have
any right to any table, just EXECUTE on these procedures):
GRANT EXECUTE ON PROCEDURE internet_show_order TO inetuser;
GRANT EXECUTE ON PROCEDURE internet_login TO inetuser;
...
I have discovered that this is not enough and that I need to give table
rigths to those procedures, otherwise they can't access the data. Which is
sad but I can live with it:
GRANT SELECT ON customers TO PROCEDURE internet_login;
GRANT INSERT ON sessions TO PROCEDURE internet_login;
...
Now it seems to work correctly for all procedures but one. That one
procedure is building a query at runtime (it adds or removes WHERE
conditions depending on user's input) and then reads data from that query
through EXECUTE STATEMENT query INTO :field1, :field2... While the procedure
has rights to the relevant tables granted (through statements similar to
those above), it still fails with an error message "No permission for
read/select access to table PRICES". Any idea why? I suspect that execute
statement needs a special rights handling, but I have no idea which.
Thanks,
Pepak