When inserting a row into a child table, invoke the authorization callback to request permission to read the parent key columns.

FossilOrigin-Name: 9842f2d5f606eb8f641ecae9fbc5368b8d7e4286
2025-08-08 14:02:16 +03:00 · 2009-10-02 14:23:41 +00:00
parent 1316700e54
commit 47a06346ff
6 changed files with 120 additions and 29 deletions
--- a/src/auth.c
+++ b/src/auth.c
@@ -91,6 +91,41 @@ static void sqliteAuthBadReturnCode(Parse *pParse){
  pParse->rc = SQLITE_ERROR;
 }

+/*
+** Invoke the authorization callback for permission to read column zCol from
+** table zTab in database zDb. This function assumes that an authorization
+** callback has been registered (i.e. that sqlite3.xAuth is not NULL).
+**
+** If SQLITE_IGNORE is returned and pExpr is not NULL, then pExpr is changed
+** to an SQL NULL expression. Otherwise, if pExpr is NULL, then SQLITE_IGNORE
+** is treated as SQLITE_DENY. In this case an error is left in pParse.
+*/
+void sqlite3AuthReadCol(
+  Parse *pParse,                  /* The parser context */
+  const char *zTab,               /* Table name */
+  const char *zCol,               /* Column name */
+  int iDb,                        /* Index of containing database. */
+  Expr *pExpr                     /* Optional expression */
+){
+  sqlite3 *db = pParse->db;       /* Database handle */
+  char *zDb = db->aDb[iDb].zName; /* Name of attached database */
+  int rc;                         /* Auth callback return code */
+
+  rc = db->xAuth(db->pAuthArg, SQLITE_READ, zTab,zCol,zDb,pParse->zAuthContext);
+  if( rc!=SQLITE_IGNORE && rc!=SQLITE_DENY && rc!=SQLITE_OK ){
+    sqliteAuthBadReturnCode(pParse);
+  }else if( rc==SQLITE_IGNORE && pExpr ){
+    pExpr->op = TK_NULL;
+  }else if( rc!=SQLITE_OK ){
+    if( db->nDb>2 || iDb!=0 ){
+      sqlite3ErrorMsg(pParse, "access to %s.%s.%s is prohibited",zDb,zTab,zCol);
+    }else{
+      sqlite3ErrorMsg(pParse, "access to %s.%s is prohibited", zTab, zCol);
+    }
+    pParse->rc = SQLITE_AUTH;
+  }
+}
+
 /*
 ** The pExpr should be a TK_COLUMN expression.  The table referred to
 ** is in pTabList or else it is the NEW or OLD table of a trigger.  
@@ -107,11 +142,9 @@ void sqlite3AuthRead(
  SrcList *pTabList     /* All table that pExpr might refer to */
 ){
  sqlite3 *db = pParse->db;
-  int rc;
  Table *pTab = 0;      /* The table being read */
  const char *zCol;     /* Name of the column of the table */
  int iSrc;             /* Index in pTabList->a[] of table being read */
-  const char *zDBase;   /* Name of database being accessed */
  int iDb;              /* The index of the database the expression refers to */
  int iCol;             /* Index of column in table */

@@ -148,22 +181,7 @@ void sqlite3AuthRead(
    zCol = "ROWID";
  }
  assert( iDb>=0 && iDb<db->nDb );
-  zDBase = db->aDb[iDb].zName;
-  rc = db->xAuth(db->pAuthArg, SQLITE_READ, pTab->zName, zCol, zDBase, 
-                 pParse->zAuthContext);
-  if( rc==SQLITE_IGNORE ){
-    pExpr->op = TK_NULL;
-  }else if( rc==SQLITE_DENY ){
-    if( db->nDb>2 || iDb!=0 ){
-      sqlite3ErrorMsg(pParse, "access to %s.%s.%s is prohibited", 
-         zDBase, pTab->zName, zCol);
-    }else{
-      sqlite3ErrorMsg(pParse, "access to %s.%s is prohibited",pTab->zName,zCol);
-    }
-    pParse->rc = SQLITE_AUTH;
-  }else if( rc!=SQLITE_OK ){
-    sqliteAuthBadReturnCode(pParse);
-  }
+  sqlite3AuthReadCol(pParse, pTab->zName, zCol, iDb, pExpr);
 }

 /*