fix: prevent reference creation when CREATE permission check fails#7232
fix: prevent reference creation when CREATE permission check fails#7232Victorthedev wants to merge 7 commits intosurrealdb:mainfrom
Conversation
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
github-actions
Bot
added
the
community
|
Hi, thanks for the PR and the contribution! would it be possible to do the following:
and we should be good to go! |
itsezc
left a comment
itsezc
left a comment
There was a problem hiding this comment.
Need further tests, ideally for UPDATE and UPSERT with denied permissions
Hi, good afternoon! I have reverted the change in Please let me know if I need to do anything else, thank you! |
|
Hi, thanks again for the tests and changes. Just a few formatting / linting issues to clean up and run the language tests locally for one engine and look for the failing cases, let me know if you need any assistance for this |
Fixes surrealdb#7208 References were being written to the database inside process_table_fields before check_permissions_table ran. This meant that when a WHERE clause permission denied the CREATE, the reference was already persisted as a ghost reference. Fix: extract reference writing into a new process_table_references method that runs after check_permissions_table in all CREATE, UPDATE, INSERT, UPSERT and RELATE paths.
Victorthedev
force-pushed
the
fix/reference-created-on-permission-denied
branch
from
84a0cff to
2448710
Compare
Hi, thanks for the feedback! I ran the full language test suite locally on the mem engine. this branch has 9 failures, all of which are floating point precision differences that exist identically on
None of these are introduced by this PR. Happy to track them in separate issues if helpful. Regarding formatting/linting, I ran Thanks again for your time reviewing this! |
|
2 participants
Fixes #7208
References were being written to the database inside process_table_fields before check_permissions_table ran. This meant that when a WHERE clause permission denied the CREATE, the reference was already persisted as a ghost reference.
Fix: extract reference writing into a new process_table_references method that runs after check_permissions_table in all CREATE, UPDATE, INSERT, UPSERT and RELATE paths.
Added language tests to reproduce the bug and verify the fix:
with a table whose CREATE permission uses WHERE false, and a
REFERENCE field pointing to another table
record user attempts to CREATE a record and is denied, no ghost
reference is left behind on the referenced record
Thank you for submitting this pull request. We really appreciate you spending the time to work on SurrealDB. 🚀 🎉
Before proceeding, please add any of the following labels that apply:
breaking-changeif this PR includes a breaking change. This label is not needed for bug fixes, which change output in line with a user's original expectations.needs-documentationif documentation is needed to explain the change made in the PR.Modifies env vars or commandsif any changes are made to environment variables or command flags.What is the motivation?
Warning
No details provided.
What does this change do?
Warning
No details provided.
What is your testing strategy?
Warning
No details provided.
Security Considerations
Warning
No details provided.
Is this related to any issues?
Have you read the Contributing Guidelines?