Fixed CORE-1815: Ability to grant role to another role #23

Merged
merged 2 commits into from
May 12, 2016
53 changes: 53 additions & 0 deletions doc/sql.extensions/README.cumulative_roles.txt
@@ -0,0 +1,53 @@
Cumulative roles.

Implements capability to grant role to role.

Author:
Red Soft Corporation, roman.simakov(at)red-soft.biz

Syntax is:

GRANT [DEFAULT] <role name> TO [USER | ROLE] <user/role name> [WITH ADMIN OPTION];
REVOKE [DEFAULT] <role name> FROM [USER | ROLE] <user/role name> [WITH ADMIN OPTION];

Description:

Makes it possible to grant a role to user or another role.

If DEFAULT keyword is used the role will be used every time for user even if it's not specified explicitly.
While connecting user will get permissions of all roles which were granted to him with DEFAULT keyword and
permissions of all roles also granted to them with DEFAULT keyword specified.
If user specify a role in connection he will also get permissions of this role (if granted of course) and
permissions of all roles granted to it, etc.

When some user want go grant a role to another user or role ADMIN OPTION will be checked. In this case user can grant
a role cumulatively granted to him only if every role in sequence has ADMIN OPTION.

REVOKE works as usual except if DEFAULT is specified only default option will be revoked. In other words
role skill be granted but like without DEFAULT.

Let:
"->" grant without ADMIN OPTION
"=>" grant with ADMIN OPTION

Consider 3 options:
1) WORKER->MANAGER->Joe
2) WORKER->MANAGER=>Joe
3) WORKER=>MANAGER->Joe
4) WORKER=>MANAGER=>Joe

Joe can grant role MANAGER in 2 and 4 options and role WORKER only in 4 option. In 1 and 3 options Joe cannot grant
nothing even in 3 option WORKER granted to MANAGER with ADMIN OPTION.

Sample:

CREATE DATABASE 'LOCALHOST:/TMP/CUMROLES.FDB';
CREATE TABLE T(I INTEGER);
CREATE ROLE TINS;
CREATE ROLE CUMR;
GRANT INSERT ON T TO TINS;
GRANT DEFAULT TINS ROLE TO CUMR WITH ADMIN OPTION;
GRANT CUMR TO USER US WITH ADMIN OPTION;
CONNECT 'LOCALHOST:/TMP/CUMROLES.FDB' USER 'US' PASSWORD 'PAS';
INSERT INTO T VALUES (1);
GRANT TINS TO US2;
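Review bot: In the Sample, `GRANT DEFAULT TINS ROLE TO CUMR WITH ADMIN OPTION;` places ROLE after the granted role name, while the Syntax section puts the optional `[USER | ROLE]` keyword before the grantee, so either the grammar or the sample should be corrected to match what the parser accepts. The REVOKE syntax line also lists `[WITH ADMIN OPTION]`, but the Description never says what revoking with that clause means. Smaller points: "Consider 3 options" is followed by four cases, and "role skill be granted" presumably should read "still". Since a user's effective privileges now come from a chain of grants, the README should also state what happens when grants form a cycle (a role granted, directly or indirectly, to itself).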
12 changes: 12 additions & 0 deletions src/common/classes/objects_array.h
@@ -332,6 +332,12 @@ namespace Firebird
{
}

ObjectsArray(const ObjectsArray<T, A>& o)
: A()
{
add(o);
}

ObjectsArray() :
A()
{
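Review bot: The new copy constructor initialises the base with `A()` and then calls `add(o)`, so only the elements of `o` are carried over, not any state of its `A` base; if that is intended, a short comment saying so would help. It is also worth confirming that `add(o)` copies each element rather than the stored pointers, and that a matching assignment operator exists, since nothing in this hunk shows one.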
@@ -436,6 +442,12 @@ namespace Firebird
ObjectCmp> >(p)
{ }

explicit SortedObjectsArray() :
ObjectsArray <ObjectValue, SortedArray<ObjectValue*,
ObjectStorage, const ObjectKey*, ObjectKeyOfValue,
ObjectCmp> >()
{ }

bool find(const ObjectKey& item, size_type& pos) const
{
const ObjectKey* const pItem = &item;
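Review bot: `explicit` on the new zero-argument `SortedObjectsArray()` constructor only affects copy-list-initialization, and the `ObjectsArray()` default constructor it forwards to is not declared explicit in the earlier hunk; drop the keyword or add a comment on why it is wanted. A one-line comment on how this overload differs from the `(p)` constructor just above would also help callers pick the right one.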