Changeset: f6c052f76604 for MonetDB
URL: https://dev.monetdb.org/hg/MonetDB/rev/f6c052f76604
Modified Files:
        sql/backends/monet5/sql.c
Branch: Aug2024
Log Message:

Use proper sqlid to decide which sessions rows to show


diffs (45 lines):

diff --git a/sql/backends/monet5/sql.c b/sql/backends/monet5/sql.c
--- a/sql/backends/monet5/sql.c
+++ b/sql/backends/monet5/sql.c
@@ -37,6 +37,7 @@
 #include "mal_resolve.h"
 #include "mal_client.h"
 #include "mal_interpreter.h"
+#include "mal_scenario.h"
 #include "mal_profiler.h"
 #include "bat5.h"
 #include "opt_pipes.h"
@@ -3563,6 +3564,9 @@ sql_sessions_wrap(Client cntxt, MalBlkPt
        bat *clientpidId = getArgReference_bat(stk, pci, 14);
        bat *remarkId = getArgReference_bat(stk, pci, 15);
        Client c;
+       backend *be;
+       sqlid user_id;
+       sqlid role_id;
        bool admin;
        timestamp ts;
        lng pid;
@@ -3615,14 +3619,21 @@ sql_sessions_wrap(Client cntxt, MalBlkPt
                throw(SQL, "sql.sessions", SQLSTATE(HY013) MAL_MALLOC_FAIL);
        }
 
-       admin = strcmp(cntxt->username, "monetdb") == 0;
+       be = cntxt->sqlcontext;
+       user_id = be->mvc->user_id;
+       role_id = be->mvc->role_id;
+       admin = user_id == USER_MONETDB || role_id == ROLE_SYSADMIN;
 
        MT_lock_set(&mal_contextLock);
        for (c = mal_clients; c < mal_clients + MAL_MAXCLIENTS; c++) {
                if (c->mode != RUNCLIENT)
                        continue;
 
-               bool allowed_to_see = admin || c == cntxt || 
strcmp(c->username, cntxt->username) == 0;
+               backend *their_be = c->sqlcontext;
+               bool allowed_to_see = admin || c == cntxt ||  
their_be->mvc->user_id == user_id;
+               // Note that their role_id is not checked. Just because we have
+               // both been granted a ROLE does not mean you are allowed to see
+               // my private details.
                if (!allowed_to_see)
                        continue;
 
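Review bot: In the loop, `their_be->mvc->user_id` is dereferenced for every client in `RUNCLIENT` mode whenever the caller is not an admin and `c != cntxt`, with no check that `c->sqlcontext` or its `mvc` is set. The hunk does not show whether every running client is guaranteed to have a fully initialised SQL backend here (for instance a connection still being set up), so if that is not guaranteed, a sessions query from an unprivileged user could take the server down with a NULL dereference while `mal_contextLock` is held. Consider guarding the comparison, e.g. `bool allowed_to_see = admin || c == cntxt || (their_be && their_be->mvc && their_be->mvc->user_id == user_id);`, which fails closed by hiding rows that cannot be attributed to a user. The unchecked `be = cntxt->sqlcontext` a few lines above has the same shape, though the caller is presumably always an SQL session. The body of sql_sessions_wrap starts and ends outside this hunk.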