API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Mar 11th, 2016
141
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.44 KB | None | 0 0
raw download clone embed print report
  1. USE your_db;
  2. GO
  3. CREATE USER username FROM LOGIN username;
  4. GO
  5. GRANT SELECT ON dbo.MyViewName TO username;
  6. GO
  7.  
  8. CREATE DATABASE unrelated_db;
  9. GO
  10. USE unrelated_db;
  11. GO
  12. CREATE TABLE dbo.foo(bar INT);
  13. GO
  14.  
  15. USE [master];
  16. GO
  17. CREATE LOGIN username WITH PASSWORD='foo', CHECK_POLICY = OFF;
  18. GO
  19.  
  20. CREATE DATABASE velojason;
  21. GO
  22. USE velojason;
  23. GO
  24. CREATE USER username FROM LOGIN username;
  25. GO
  26.  
  27. CREATE FUNCTION dbo.checkbar()
  28. RETURNS INT
  29. AS
  30. BEGIN
  31. RETURN
  32. (
  33. SELECT TOP (1) bar
  34. FROM unrelated_db.dbo.foo
  35. ORDER BY bar
  36. );
  37. END
  38. GO
  39. CREATE SYNONYM dbo.foo FOR unrelated_db.dbo.foo;
  40. GO
  41.  
  42. CREATE TABLE dbo.PaymentDetails
  43. (
  44. PaymentID INT
  45. );
  46. GO
  47.  
  48. CREATE VIEW dbo.SomeView
  49. AS
  50. SELECT
  51. p.PaymentID,
  52. x = dbo.checkbar(), -- function that pulls from other DB
  53. y = (SELECT bar FROM dbo.foo) -- synonym to other DB
  54. FROM dbo.PaymentDetails AS p;
  55. GO
  56. GRANT SELECT ON dbo.SomeView TO username;
  57. GO
  58.  
  59. EXECUTE AS USER = 'username';
  60. GO
  61. -- even though I don't reference any of the columns
  62. -- in the other DB, I am denied SELECT on the view:
  63. SELECT PaymentID FROM dbo.SomeView;
  64. GO
  65. REVERT;
  66. GO
  67.  
  68. ALTER VIEW dbo.SomeView
  69. AS
  70. SELECT
  71. p.PaymentID
  72. --x = dbo.checkbar(),
  73. --y = (SELECT bar FROM dbo.foo)
  74. FROM dbo.PaymentDetails AS p;
  75. GO
  76.  
  77. DECLARE
  78. @dbname SYSNAME = N'unrelated_db',
  79. @viewname SYSNAME = N'dbo.SomeView';
  80.  
  81. SELECT DISTINCT
  82. [This object] =
  83. OBJECT_SCHEMA_NAME([referencing_id])
  84. + '.' + OBJECT_NAME([referencing_id]),
  85. [references this object] =
  86. OBJECT_SCHEMA_NAME([referenced_id])
  87. + '.' + OBJECT_NAME([referenced_id]),
  88. [and touches this database] = referenced_database_name,
  89. [and is a(n)] = o.type_desc,
  90. [if synonym, it references] = s.base_object_name
  91. FROM sys.sql_expression_dependencies AS d
  92. LEFT OUTER JOIN sys.objects AS o
  93. ON o.[object_id] = d.referenced_id
  94. LEFT OUTER JOIN sys.synonyms AS s
  95. ON d.referenced_id = s.[object_id]
  96. AND s.base_object_name LIKE '%[' + @dbname + ']%'
  97. WHERE OBJECT_ID(@viewname) IN (
  98. referenced_id,
  99. referencing_id,
  100. (SELECT referencing_id FROM sys.sql_expression_dependencies
  101. WHERE referenced_database_name = @dbname)
  102. ) OR referenced_database_name = @dbname;
  103.  
  104. create login YourTpvLogin with password = 'enter new password here'
  105. go
  106.  
  107. use SomeDb
  108. go
  109.  
  110. create user YourTpvUser for login YourTpvLogin
  111. go
  112.  
  113. grant select on YourView to YourTpvUser
  114. go
  115.  
  116. execute as user = 'YourTpvUser'
  117. go
  118.  
  119. select *
  120. from YourView
  121.  
  122. revert
  123. go
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!