From 2d316612e0665e0630e30ee228d87a49cf9ce8ec Mon Sep 17 00:00:00 2001
From: August
Date: Fri, 17 Jan 2025 17:43:22 +0800
Subject: [PATCH] fix: add privilege check for drop user (#20199)

---
 src/frontend/src/handler/drop_database.rs |  7 +++--
 src/frontend/src/handler/drop_user.rs     | 38 ++++++++++++++++++++---
 2 files changed, 38 insertions(+), 7 deletions(-)

diff --git a/src/frontend/src/handler/drop_database.rs b/src/frontend/src/handler/drop_database.rs
index 490ead2ebe2b8..ae5fab5443049 100644
--- a/src/frontend/src/handler/drop_database.rs
+++ b/src/frontend/src/handler/drop_database.rs
@@ -30,9 +30,10 @@ pub async fn handle_drop_database(
     let catalog_reader = session.env().catalog_reader();
     let database_name = Binder::resolve_database_name(database_name)?;
     if session.database() == database_name {
-        return Err(
-            ErrorCode::InternalError("cannot drop the currently open database".to_owned()).into(),
-        );
+        return Err(ErrorCode::PermissionDenied(
+            "cannot drop the currently open database".to_owned(),
+        )
+        .into());
     }
     if mode.is_some() {
         return Err(ErrorCode::BindError("Drop database not support drop mode".to_owned()).into());
diff --git a/src/frontend/src/handler/drop_user.rs b/src/frontend/src/handler/drop_user.rs
index b18d397a73f5d..f2d89f6b5fa61 100644
--- a/src/frontend/src/handler/drop_user.rs
+++ b/src/frontend/src/handler/drop_user.rs
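Review bot: Reclassifying the guard on the `if session.database() == database_name` branch as `ErrorCode::PermissionDenied` labels an object-in-use condition as an authorization failure, even though the check never consults who the session user is or what privileges they hold; clients that branch on the error class will read a privilege problem where there is none. PostgreSQL reports this exact message under `object_in_use` (SQLSTATE 55006) rather than `insufficient_privilege`, so if an equivalent `ErrorCode` variant exists it is the better fit; otherwise a one-line comment such as `// Not an authorization failure: the database is in use by this session.` above the `return Err(` would keep the intent clear for the next reader. Nothing visible in this hunk verifies that the session user owns the database or is a superuser; `handle_drop_database` starts before and continues after the hunk, so that check may well live outside it, but it is worth confirming since the commit title promises a privilege check only for drop user.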
@@ -34,12 +34,42 @@ pub async fn handle_drop_user(
     let user_name = Binder::resolve_user_name(user_name)?;
     let user_info_reader = session.env().user_info_reader();
-    let user_id = user_info_reader
+    let user_info = user_info_reader
         .read_guard()
         .get_user_by_name(&user_name)
-        .map(|u| u.id);
-    match user_id {
-        Some(user_id) => {
+        .map(|u| (u.id, u.is_super));
+    match user_info {
+        Some((user_id, is_super)) => {
+            if session.user_id() == user_id {
+                return Err(ErrorCode::PermissionDenied(
+                    "current user cannot be dropped".to_owned(),
+                )
+                .into());
+            }
+            if let Some(current_user) = user_info_reader
+                .read_guard()
+                .get_user_by_name(&session.user_name())
+            {
+                if !current_user.is_super {
+                    if is_super {
+                        return Err(ErrorCode::PermissionDenied(
+                            "must be superuser to drop superusers".to_owned(),
+                        )
+                        .into());
+                    }
+                    if !current_user.can_create_user {
+                        return Err(ErrorCode::PermissionDenied(
+                            "permission denied to drop user".to_owned(),
+                        )
+                        .into());
+                    }
+                }
+            } else {
+                return Err(
+                    ErrorCode::PermissionDenied("Session user is invalid".to_owned()).into(),
+                );
+            }
+
             let user_info_writer = session.user_info_writer()?;
             user_info_writer.drop_user(user_id).await?;
         }