Details
- Bug
- Resolution: Fixed
- Major
- 5.0.0
- None
- Untriaged
- No
Description
To reproduce using build Enterprise Edition 5.0.0-1965 build 1965,
- Create a bucket closed1 with a password.
- Create a user with data_read permission on this bucket: curl -X PUT http://localhost:8091/settings/rbac/users/builtin/reader1 -d "name=Reader One&roles=data_reader[closed1]&password=pwreader1" -u Administrator:password
- Using cbauth, authorize as reader1:pwreader1, and request permission cluster.bucket[closed1].n1ql.select!execute. This permission is granted, but should not be.
Unfortunately I don't have an end-to-end reproducer. The code in the query engine that asks for statement type permissions is currently commented out, since it would break access to open (no-password) buckets. Let me know if you need a specially built query engine, and I'll provide one.
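
A regression check for the third step, added here as an example; it is not code from the report or from the Couchbase project. It assumes the cluster manager's `POST /pools/default/checkPermissions` REST endpoint on port 8091 returns the same decision cbauth would, and the names `over_granted` and `check_live` are hypothetical.

```python
import base64
import json
import urllib.request

# Permission that reader1 (data_reader on closed1) must not hold, per the report.
MUST_BE_DENIED = ["cluster.bucket[closed1].n1ql.select!execute"]


def over_granted(response_body, must_be_denied):
    """Return the permissions that were granted although they must be denied.

    response_body is assumed to be a JSON object mapping each requested
    permission string to a boolean. A permission missing from the response
    is a failed check, not a denial, so it raises instead of passing.
    """
    result = json.loads(response_body)
    if not isinstance(result, dict):
        raise ValueError("expected a JSON object of permission -> bool")
    bad = []
    for perm in must_be_denied:
        if perm not in result:
            raise ValueError("permission not evaluated: " + perm)
        if result[perm] is not False:
            bad.append(perm)
    return bad


def check_live(base_url, user, password, permissions):
    """POST the comma-separated permission list, authenticated as the given user."""
    req = urllib.request.Request(
        base_url + "/pools/default/checkPermissions",
        data=",".join(permissions).encode(),
        method="POST",
    )
    token = base64.b64encode((user + ":" + password).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Host and credentials are the ones used in the reproduction steps.
    body = check_live("http://localhost:8091", "reader1", "pwreader1", MUST_BE_DENIED)
    bad = over_granted(body, MUST_BE_DENIED)
    print("OVER-GRANTED: " + ", ".join(bad) if bad else "ok: denied as expected")
    raise SystemExit(1 if bad else 0)
```

The script exits non-zero while the permission is still granted, so it can gate a build that is supposed to contain the fix.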