// If the Database Owner is creating this view/trigger, then no need to
// collect any privilege dependencies because the Database Owner can
// access any objects without any restrictions.
if (! currentUser.equals(dbo))
{
PermissionsDescriptor permDesc;
List<StatementPermission> requiredPermissionsList =
activation.getPreparedStatement().getRequiredPermissionsList();
if (requiredPermissionsList != null &&
! requiredPermissionsList.isEmpty())
{
for (StatementPermission statPerm : requiredPermissionsList)
{
//The schema ownership permission just needs to be checked
//at object creation time, to see if the object creator has
//permissions to create the object in the specified schema.
//But we don't need to add schema permission to list of
//permissions that the object is dependent on once it is
//created.
//Also, StatementRolePermission should not occur here.
if (statPerm instanceof StatementSchemaPermission ||
statPerm instanceof StatementRolePermission) {
if (SanityManager.DEBUG) {
if (statPerm instanceof StatementRolePermission) {
SanityManager.THROWASSERT(
"Unexpected StatementRolePermission");
}
}
continue;
}
//See if we can find the required privilege for given authorizer?
permDesc = statPerm.
getPermissionDescriptor(currentUser, dd);
if (permDesc == null)//privilege not found for given authorizer
{
//The if condition above means that required privilege does
//not exist at the user level. The privilege has to exist at
//PUBLIC level... ,
permDesc = statPerm.getPermissionDescriptor(
Authorizer.PUBLIC_AUTHORIZATION_ID, dd);
boolean roleUsed = false;
// .. or at role level
if (permDesc == null ||
((permDesc instanceof ColPermsDescriptor) &&
! ((StatementColumnPermission)statPerm).
allColumnsCoveredByUserOrPUBLIC(
currentUser, dd)) ) {
roleUsed = true;
permDesc = findRoleUsage(activation, statPerm);
}
//If the user accessing the object is the owner of that
//object, then no privilege tracking is needed for the
//owner.
if (! permDesc.checkOwner(currentUser) ) {
dm.addDependency(dependent, permDesc, lcc.getContextManager());
// We had to rely on role, so track that
// dependency, too.
if (roleUsed) {
trackRoleDependency
(activation, dependent, roleDepAdded);
}
}
continue;
}
//if the object on which permission is required is owned by the
//same user as the current user, then no need to keep that
//object's privilege dependency in the dependency system
if (! permDesc.checkOwner(currentUser) )
{
dm.addDependency(dependent, permDesc, lcc.getContextManager());
if (permDesc instanceof ColPermsDescriptor)
{
//For a given table, the table owner can give privileges
//on some columns at individual user level and privileges
//on some columns at PUBLIC level. Hence, when looking for
//column level privileges, we need to look both at user
//level as well as PUBLIC level(only if user level column
//privileges do not cover all the columns accessed by this
//object). We have finished adding dependency for user level
//columns, now we are checking if some required column
//level privileges are at PUBLIC level.
//A specific eg of a view
//user1
//create table t11(c11 int, c12 int);
//grant select(c11) on t1 to user2;
//grant select(c12) on t1 to PUBLIC;
//user2
//create view v1 as select c11 from user1.t11 where c12=2;
//For the view above, there are 2 column level privilege
//depencies, one for column c11 which exists directly
//for user2 and one for column c12 which exists at PUBLIC level.
StatementColumnPermission statementColumnPermission = (StatementColumnPermission) statPerm;
permDesc = statementColumnPermission.
getPUBLIClevelColPermsDescriptor(
currentUser, dd);
//Following if checks if some column level privileges
//exist only at public level. If so, then the public
//level column privilege, if any, dependency of
//view is added into dependency system.
if (permDesc != null &&
permDesc.getObjectID() != null) {
// User did not have all required column
// permissions and at least one column is
// covered by PUBLIC.
dm.addDependency(dependent, permDesc,
lcc.getContextManager());