Real Application Security - how can application check if user has privileges on a table without know

AndyH · May 12 2020 · edited May 13 2020

Hi,

I'm prototyping the use of RAS in an APEX application (using RAS external users).

The assumption is that the APEX developers have limited knowledge of how RAS was implemented, e.g. they would only know about dynamic roles and their assignment to users.

Generally this is OK as we can code up authorization checks against the various tables to see if the current user has privileges on the table, e.g. using a 'where exists' authorization:

SELECT NULL
FROM   dual
WHERE  1 = (SELECT ora_check_acl(ora_get_aclids(p
                                               ,'update')
                                ,'update')
            FROM   pipes p
            WHERE  rownum < 2)

would return a row if the user has 'update' privileges on the PIPES table.

However, if the user has *no* ACL access to the PIPES table the above check fails with an ORA-00942 'table does not exist' error.

How can I code the authorization so that I can see if the user has the required table access when they may in fact have no access?

Thanks,

--

Andy

Comments

Christian.Shay -Oracle

XE is not patched (and it would be a long time before the next major release). Can you use some other edition?

User_J188U

I can't run another edition and this is just a synthetic test, but I wanted to report the issue.

Answer

I am able to reproduce this on Windows as well, so I will see if there is a bug filed already and if not, I will file one.

Marked as Answer by User_J188U · Apr 11 2022
User_J188U

Thanks!
