| Subject | Rights confusion with stored procedures and triggers |
|---|---|
| Author | PenWin |
| Post date | 2010-05-17T09:33Z |
Hi!
I have a database owned by user LOCAL. That user can do everything
without any problems.
I also have a web interface to some parts of my database. The interface
is written in PHP and accesses the database through user INTERNET. This
user does not have any SELECT, INSERT, UPDATE or DELETE access to any
table; it only has an EXECUTE access to some pre-defined procedures,
such as INTERNET_LIST_ROWS or INTERNET_INSERT_ROW, and these procedures
are granted the relevant rights to their respective tables. E.g.
GRANT EXECUTE ON PROCEDURE INTERNET_INSERT_ROW TO INTERNET;
GRANT SELECT, INSERT ON SOMETABLE TO PROCEDURE INTERNET_INSERT_ROW;
This has been working without any issues for some time, until I updated
the database with some logging triggers. The sequence that used to work was:
1) User INTERNET calls procedure INTERNET_INSERT_ROW.
2) Procedure INTERNET_INSERT_ROW validates data and writes it to SOMETABLE.
Now with the loggins tables, I have this sequence:
1) User INTERNET calls procedure INTERNET_INSERT_ROW.
2) Procedure INTERNET_INSERT_ROW validates data and writes it to SOMETABLE.
3) AFTER INSERT trigger LOGTRIGGER_SOMETABLE fires.
4) LOGTRIGGER_SOMETABLE writes the new record from SOMETABLE to LOGTABLE.
Unfortunately, at step #4 I am getting an error no permission for
insert/write access to TABLE LOGTABLE, and after a number of failed
attempts, I am at a loss what to do. I tried granting INSERT ON LOGTABLE
to either INTERNET (the user) or INTERNET_INSERT_ROW (the procedure that
does the inserting), but unfortunately it didn't change anything. The
only "solution" that works seems to be accessing the database through
user LOCAL, but I am not at all happy with it.
I am using Firebird 1.5 on Windows, if it matters.
Thanks for any pointers,
Pepak
I have a database owned by user LOCAL. That user can do everything
without any problems.
I also have a web interface to some parts of my database. The interface
is written in PHP and accesses the database through user INTERNET. This
user does not have any SELECT, INSERT, UPDATE or DELETE access to any
table; it only has an EXECUTE access to some pre-defined procedures,
such as INTERNET_LIST_ROWS or INTERNET_INSERT_ROW, and these procedures
are granted the relevant rights to their respective tables. E.g.
GRANT EXECUTE ON PROCEDURE INTERNET_INSERT_ROW TO INTERNET;
GRANT SELECT, INSERT ON SOMETABLE TO PROCEDURE INTERNET_INSERT_ROW;
This has been working without any issues for some time, until I updated
the database with some logging triggers. The sequence that used to work was:
1) User INTERNET calls procedure INTERNET_INSERT_ROW.
2) Procedure INTERNET_INSERT_ROW validates data and writes it to SOMETABLE.
Now with the loggins tables, I have this sequence:
1) User INTERNET calls procedure INTERNET_INSERT_ROW.
2) Procedure INTERNET_INSERT_ROW validates data and writes it to SOMETABLE.
3) AFTER INSERT trigger LOGTRIGGER_SOMETABLE fires.
4) LOGTRIGGER_SOMETABLE writes the new record from SOMETABLE to LOGTABLE.
Unfortunately, at step #4 I am getting an error no permission for
insert/write access to TABLE LOGTABLE, and after a number of failed
attempts, I am at a loss what to do. I tried granting INSERT ON LOGTABLE
to either INTERNET (the user) or INTERNET_INSERT_ROW (the procedure that
does the inserting), but unfortunately it didn't change anything. The
only "solution" that works seems to be accessing the database through
user LOCAL, but I am not at all happy with it.
I am using Firebird 1.5 on Windows, if it matters.
Thanks for any pointers,
Pepak