diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-13 14:07:11 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-13 14:07:11 +0000 |
commit | 63847496f14c813a5d80efd5b7de0f1294ffe1e3 (patch) | |
tree | 01c7571c7c762ceee70638549a99834fdd7c411b /test/auth.test | |
parent | Initial commit. (diff) | |
download | sqlite3-63847496f14c813a5d80efd5b7de0f1294ffe1e3.tar.xz sqlite3-63847496f14c813a5d80efd5b7de0f1294ffe1e3.zip |
Adding upstream version 3.45.1.upstream/3.45.1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'test/auth.test')
-rw-r--r-- | test/auth.test | 2678 |
1 files changed, 2678 insertions, 0 deletions
diff --git a/test/auth.test b/test/auth.test new file mode 100644 index 0000000..1d56f70 --- /dev/null +++ b/test/auth.test @@ -0,0 +1,2678 @@ +# 2003 April 4 +# +# The author disclaims copyright to this source code. In place of +# a legal notice, here is a blessing: +# +# May you do good and not evil. +# May you find forgiveness for yourself and forgive others. +# May you share freely, never taking more than you give. +# +#*********************************************************************** +# This file implements regression tests for SQLite library. The +# focus of this script is testing the sqlite3_set_authorizer() API +# and related functionality. +# +# $Id: auth.test,v 1.46 2009/07/02 18:40:35 danielk1977 Exp $ +# + +set testdir [file dirname $argv0] +source $testdir/tester.tcl + +# disable this test if the SQLITE_OMIT_AUTHORIZATION macro is +# defined during compilation. +if {[catch {db auth {}} msg]} { + finish_test + return +} + +rename proc proc_real +proc_real proc {name arguments script} { + proc_real $name $arguments $script + if {$name=="auth"} { + db authorizer ::auth + } +} + +do_test auth-1.1.1 { + db close + set ::DB [sqlite3 db test.db] + proc authx {code arg1 arg2 arg3 arg4 args} {return SQLITE_DENY} + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_INSERT" && $arg1=="sqlite_master"} { + return SQLITE_DENY + } + return SQLITE_OK + } + db authorizer ::authx + # EVIDENCE-OF: R-03993-24285 Only a single authorizer can be in place on + # a database connection at a time. Each call to sqlite3_set_authorizer + # overrides the previous call. + # + # The authx authorizer above is overridden by the auth authorizer below + # authx is never invoked. + db authorizer ::auth + catchsql {CREATE TABLE t1(a,b,c)} +} {1 {not authorized}} +do_test auth-1.1.2 { + db errorcode +} {23} +do_test auth-1.1.3 { + db authorizer +} {::auth} +do_test auth-1.1.4 { + # Ticket #896. + catchsql { + SELECT x; + } +} {1 {no such column: x}} +do_test auth-1.2 { + execsql {SELECT name FROM sqlite_master} +} {} +# EVIDENCE-OF: R-04452-49349 When the callback returns SQLITE_DENY, the +# sqlite3_prepare_v2() or equivalent call that triggered the authorizer +# will fail with an error message explaining that access is denied. +do_test auth-1.3.1 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_CREATE_TABLE"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {CREATE TABLE t1(a,b,c)} +} {1 {not authorized}} +do_test auth-1.3.2 { + db errorcode +} {23} +do_test auth-1.3.3 { + set ::authargs +} {t1 {} main {}} +do_test auth-1.4 { + execsql {SELECT name FROM sqlite_master} +} {} + +ifcapable tempdb { + do_test auth-1.5 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_INSERT" && $arg1=="sqlite_temp_master"} { + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {CREATE TEMP TABLE t1(a,b,c)} + } {1 {not authorized}} + do_test auth-1.6 { + execsql {SELECT name FROM temp.sqlite_master} + } {} + do_test auth-1.7.1 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_CREATE_TEMP_TABLE"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {CREATE TEMP TABLE t1(a,b,c)} + } {1 {not authorized}} + do_test auth-1.7.2 { + set ::authargs + } {t1 {} temp {}} + do_test auth-1.8 { + execsql {SELECT name FROM sqlite_temp_master} + } {} +} + +do_test auth-1.9 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_INSERT" && $arg1=="sqlite_master"} { + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {CREATE TABLE t1(a,b,c)} +} {0 {}} +do_test auth-1.10 { + execsql {SELECT name FROM sqlite_master} +} {} +do_test auth-1.11 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_CREATE_TABLE"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {CREATE TABLE t1(a,b,c)} +} {0 {}} +do_test auth-1.12 { + execsql {SELECT name FROM sqlite_master} +} {} + +ifcapable tempdb { + do_test auth-1.13 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_INSERT" && $arg1=="sqlite_temp_master"} { + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {CREATE TEMP TABLE t1(a,b,c)} + } {0 {}} + do_test auth-1.14 { + execsql {SELECT name FROM temp.sqlite_master} + } {} + do_test auth-1.15 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_CREATE_TEMP_TABLE"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {CREATE TEMP TABLE t1(a,b,c)} + } {0 {}} + do_test auth-1.16 { + execsql {SELECT name FROM sqlite_temp_master} + } {} + + do_test auth-1.17 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_CREATE_TABLE"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {CREATE TEMP TABLE t1(a,b,c)} + } {0 {}} + do_test auth-1.18 { + execsql {SELECT name FROM sqlite_temp_master} + } {t1} +} + +do_test auth-1.19.1 { + set ::authargs {} + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_CREATE_TEMP_TABLE"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {CREATE TABLE t2(a,b,c)} +} {0 {}} +do_test auth-1.19.2 { + set ::authargs +} {} +do_test auth-1.20 { + execsql {SELECT name FROM sqlite_master} +} {t2} + +do_test auth-1.21.1 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DROP_TABLE"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {DROP TABLE t2} +} {1 {not authorized}} +do_test auth-1.21.2 { + set ::authargs +} {t2 {} main {}} +do_test auth-1.22 { + execsql {SELECT name FROM sqlite_master} +} {t2} +do_test auth-1.23.1 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DROP_TABLE"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {DROP TABLE t2} +} {0 {}} +do_test auth-1.23.2 { + set ::authargs +} {t2 {} main {}} +do_test auth-1.24 { + execsql {SELECT name FROM sqlite_master} +} {t2} + +ifcapable tempdb { + do_test auth-1.25 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DROP_TEMP_TABLE"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {DROP TABLE t1} + } {1 {not authorized}} + do_test auth-1.26 { + execsql {SELECT name FROM sqlite_temp_master} + } {t1} + do_test auth-1.27 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DROP_TEMP_TABLE"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {DROP TABLE t1} + } {0 {}} + do_test auth-1.28 { + execsql {SELECT name FROM sqlite_temp_master} + } {t1} +} + +do_test auth-1.29 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_INSERT" && $arg1=="t2"} { + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {INSERT INTO t2 VALUES(1,2,3)} +} {1 {not authorized}} +do_test auth-1.30 { + execsql {SELECT * FROM t2} +} {} +do_test auth-1.31 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_INSERT" && $arg1=="t2"} { + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {INSERT INTO t2 VALUES(1,2,3)} +} {0 {}} +do_test auth-1.32 { + execsql {SELECT * FROM t2} +} {} +do_test auth-1.33 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_INSERT" && $arg1=="t1"} { + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {INSERT INTO t2 VALUES(1,2,3)} +} {0 {}} +do_test auth-1.34 { + execsql {SELECT * FROM t2} +} {1 2 3} + +do_test auth-1.35.1 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_READ" && $arg1=="t2" && $arg2=="b"} { + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {SELECT * FROM t2} +} {1 {access to t2.b is prohibited}} +ifcapable attach { + do_test auth-1.35.2 { + execsql {ATTACH DATABASE 'test.db' AS two} + catchsql {SELECT * FROM two.t2} + } {1 {access to two.t2.b is prohibited}} + execsql {DETACH DATABASE two} +} +# EVIDENCE-OF: R-38392-49970 If the action code is SQLITE_READ and the +# callback returns SQLITE_IGNORE then the prepared statement statement +# is constructed to substitute a NULL value in place of the table column +# that would have been read if SQLITE_OK had been returned. +do_test auth-1.36 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_READ" && $arg1=="t2" && $arg2=="b"} { + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {SELECT * FROM t2} +} {0 {1 {} 3}} +do_test auth-1.37 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_READ" && $arg1=="t2" && $arg2=="b"} { + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {SELECT * FROM t2 WHERE b=2} +} {0 {}} +do_test auth-1.38 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_READ" && $arg1=="t2" && $arg2=="a"} { + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {SELECT * FROM t2 WHERE b=2} +} {0 {{} 2 3}} +do_test auth-1.39 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_READ" && $arg1=="t2" && $arg2=="b"} { + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {SELECT * FROM t2 WHERE b IS NULL} +} {0 {1 {} 3}} +do_test auth-1.40 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_READ" && $arg1=="t2" && $arg2=="b"} { + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {SELECT a,c FROM t2 WHERE b IS NULL} +} {1 {access to t2.b is prohibited}} + +do_test auth-1.41 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_UPDATE" && $arg1=="t2" && $arg2=="b"} { + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {UPDATE t2 SET a=11} +} {0 {}} +do_test auth-1.42 { + execsql {SELECT * FROM t2} +} {11 2 3} +do_test auth-1.43 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_UPDATE" && $arg1=="t2" && $arg2=="b"} { + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {UPDATE t2 SET b=22, c=33} +} {1 {not authorized}} +do_test auth-1.44 { + execsql {SELECT * FROM t2} +} {11 2 3} +do_test auth-1.45 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_UPDATE" && $arg1=="t2" && $arg2=="b"} { + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {UPDATE t2 SET b=22, c=33} +} {0 {}} +do_test auth-1.46 { + execsql {SELECT * FROM t2} +} {11 2 33} + +do_test auth-1.47 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DELETE" && $arg1=="t2"} { + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {DELETE FROM t2 WHERE a=11} +} {1 {not authorized}} +do_test auth-1.48 { + execsql {SELECT * FROM t2} +} {11 2 33} +do_test auth-1.49 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DELETE" && $arg1=="t2"} { + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {DELETE FROM t2 WHERE a=11} +} {0 {}} +do_test auth-1.50 { + execsql {SELECT * FROM t2} +} {} +do_test auth-1.50.2 { + execsql {INSERT INTO t2 VALUES(11, 2, 33)} +} {} + +do_test auth-1.51 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_SELECT"} { + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {SELECT * FROM t2} +} {1 {not authorized}} +do_test auth-1.52 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_SELECT"} { + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {SELECT * FROM t2} +} {0 {}} +do_test auth-1.53 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_SELECT"} { + return SQLITE_OK + } + return SQLITE_OK + } + catchsql {SELECT * FROM t2} +} {0 {11 2 33}} + +# Update for version 3: There used to be a handful of test here that +# tested the authorisation callback with the COPY command. The following +# test makes the same database modifications as they used to. +do_test auth-1.54 { + execsql {INSERT INTO t2 VALUES(7, 8, 9);} +} {} +do_test auth-1.55 { + execsql {SELECT * FROM t2} +} {11 2 33 7 8 9} + +do_test auth-1.63 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DELETE" && $arg1=="sqlite_master"} { + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {DROP TABLE t2} +} {1 {not authorized}} +do_test auth-1.64 { + execsql {SELECT name FROM sqlite_master} +} {t2} +do_test auth-1.65 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DELETE" && $arg1=="t2"} { + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {DROP TABLE t2} +} {1 {not authorized}} +do_test auth-1.66 { + execsql {SELECT name FROM sqlite_master} +} {t2} + +ifcapable tempdb { + do_test auth-1.67 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DELETE" && $arg1=="sqlite_temp_master"} { + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {DROP TABLE t1} + } {1 {not authorized}} + do_test auth-1.68 { + execsql {SELECT name FROM sqlite_temp_master} + } {t1} + do_test auth-1.69 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DELETE" && $arg1=="t1"} { + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {DROP TABLE t1} + } {1 {not authorized}} + do_test auth-1.70 { + execsql {SELECT name FROM sqlite_temp_master} + } {t1} +} + +do_test auth-1.71 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DELETE" && $arg1=="sqlite_master"} { + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {DROP TABLE t2} +} {0 {}} +do_test auth-1.72 { + execsql {SELECT name FROM sqlite_master} +} {t2} +do_test auth-1.73 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DELETE" && $arg1=="t2"} { + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {DROP TABLE t2} +} {0 {}} +do_test auth-1.74 { + execsql {SELECT name FROM sqlite_master} +} {t2} + +ifcapable tempdb { + do_test auth-1.75 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DELETE" && $arg1=="sqlite_temp_master"} { + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {DROP TABLE t1} + } {0 {}} + do_test auth-1.76 { + execsql {SELECT name FROM sqlite_temp_master} + } {t1} + do_test auth-1.77 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DELETE" && $arg1=="t1"} { + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {DROP TABLE t1} + } {0 {}} + do_test auth-1.78 { + execsql {SELECT name FROM temp.sqlite_master} + } {t1} +} + +# Test cases auth-1.79 to auth-1.124 test creating and dropping views. +# Omit these if the library was compiled with views omitted. +ifcapable view { +do_test auth-1.79 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_CREATE_VIEW"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {CREATE VIEW v1 AS SELECT a+1,b+1 FROM t2} +} {1 {not authorized}} +do_test auth-1.80 { + set ::authargs +} {v1 {} main {}} +do_test auth-1.81 { + execsql {SELECT name FROM sqlite_master} +} {t2} +do_test auth-1.82 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_CREATE_VIEW"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {CREATE VIEW v1 AS SELECT a+1,b+1 FROM t2} +} {0 {}} +do_test auth-1.83 { + set ::authargs +} {v1 {} main {}} +do_test auth-1.84 { + execsql {SELECT name FROM sqlite_master} +} {t2} + +ifcapable tempdb { + do_test auth-1.85 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_CREATE_TEMP_VIEW"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {CREATE TEMPORARY VIEW v1 AS SELECT a+1,b+1 FROM t2} + } {1 {not authorized}} + do_test auth-1.86 { + set ::authargs + } {v1 {} temp {}} + do_test auth-1.87 { + execsql {SELECT name FROM sqlite_temp_master} + } {t1} + do_test auth-1.88 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_CREATE_TEMP_VIEW"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {CREATE TEMPORARY VIEW v1 AS SELECT a+1,b+1 FROM t2} + } {0 {}} + do_test auth-1.89 { + set ::authargs + } {v1 {} temp {}} + do_test auth-1.90 { + execsql {SELECT name FROM temp.sqlite_master} + } {t1} +} + +do_test auth-1.91 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_INSERT" && $arg1=="sqlite_master"} { + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {CREATE VIEW v1 AS SELECT a+1,b+1 FROM t2} +} {1 {not authorized}} +do_test auth-1.92 { + execsql {SELECT name FROM sqlite_master} +} {t2} +do_test auth-1.93 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_INSERT" && $arg1=="sqlite_master"} { + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {CREATE VIEW v1 AS SELECT a+1,b+1 FROM t2} +} {0 {}} +do_test auth-1.94 { + execsql {SELECT name FROM sqlite_master} +} {t2} + +ifcapable tempdb { + do_test auth-1.95 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_INSERT" && $arg1=="sqlite_temp_master"} { + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {CREATE TEMPORARY VIEW v1 AS SELECT a+1,b+1 FROM t2} + } {1 {not authorized}} + do_test auth-1.96 { + execsql {SELECT name FROM sqlite_temp_master} + } {t1} + do_test auth-1.97 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_INSERT" && $arg1=="sqlite_temp_master"} { + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {CREATE TEMPORARY VIEW v1 AS SELECT a+1,b+1 FROM t2} + } {0 {}} + do_test auth-1.98 { + execsql {SELECT name FROM sqlite_temp_master} + } {t1} +} + +do_test auth-1.99 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DELETE" && $arg1=="sqlite_master"} { + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql { + CREATE VIEW v2 AS SELECT a+1,b+1 FROM t2; + DROP VIEW v2 + } +} {1 {not authorized}} +do_test auth-1.100 { + execsql {SELECT name FROM sqlite_master} +} {t2 v2} +do_test auth-1.101 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DROP_VIEW"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {DROP VIEW v2} +} {1 {not authorized}} +do_test auth-1.102 { + set ::authargs +} {v2 {} main {}} +do_test auth-1.103 { + execsql {SELECT name FROM sqlite_master} +} {t2 v2} +do_test auth-1.104 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DELETE" && $arg1=="sqlite_master"} { + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {DROP VIEW v2} +} {0 {}} +do_test auth-1.105 { + execsql {SELECT name FROM sqlite_master} +} {t2 v2} +do_test auth-1.106 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DROP_VIEW"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {DROP VIEW v2} +} {0 {}} +do_test auth-1.107 { + set ::authargs +} {v2 {} main {}} +do_test auth-1.108 { + execsql {SELECT name FROM sqlite_master} +} {t2 v2} +do_test auth-1.109 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DROP_VIEW"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_OK + } + return SQLITE_OK + } + catchsql {DROP VIEW v2} +} {0 {}} +do_test auth-1.110 { + set ::authargs +} {v2 {} main {}} +do_test auth-1.111 { + execsql {SELECT name FROM sqlite_master} +} {t2} + + +ifcapable tempdb { + do_test auth-1.112 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DELETE" && $arg1=="sqlite_temp_master"} { + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql { + CREATE TEMP VIEW v1 AS SELECT a+1,b+1 FROM t1; + DROP VIEW v1 + } + } {1 {not authorized}} + do_test auth-1.113 { + execsql {SELECT name FROM temp.sqlite_master} + } {t1 v1} + do_test auth-1.114 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DROP_TEMP_VIEW"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {DROP VIEW v1} + } {1 {not authorized}} + do_test auth-1.115 { + set ::authargs + } {v1 {} temp {}} + do_test auth-1.116 { + execsql {SELECT name FROM sqlite_temp_master} + } {t1 v1} + do_test auth-1.117 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DELETE" && $arg1=="sqlite_temp_master"} { + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {DROP VIEW v1} + } {0 {}} + do_test auth-1.118 { + execsql {SELECT name FROM sqlite_temp_master} + } {t1 v1} + do_test auth-1.119 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DROP_TEMP_VIEW"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {DROP VIEW v1} + } {0 {}} + do_test auth-1.120 { + set ::authargs + } {v1 {} temp {}} + do_test auth-1.121 { + execsql {SELECT name FROM temp.sqlite_master} + } {t1 v1} + do_test auth-1.122 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DROP_TEMP_VIEW"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_OK + } + return SQLITE_OK + } + catchsql {DROP VIEW v1} + } {0 {}} + do_test auth-1.123 { + set ::authargs + } {v1 {} temp {}} + do_test auth-1.124 { + execsql {SELECT name FROM sqlite_temp_master} + } {t1} +} +} ;# ifcapable view + +# Test cases auth-1.125 to auth-1.176 test creating and dropping triggers. +# Omit these if the library was compiled with triggers omitted. +# +ifcapable trigger&&tempdb { +do_test auth-1.125 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_CREATE_TRIGGER"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql { + CREATE TRIGGER r2 DELETE on t2 BEGIN + SELECT NULL; + END; + } +} {1 {not authorized}} +do_test auth-1.126 { + set ::authargs +} {r2 t2 main {}} +do_test auth-1.127 { + execsql {SELECT name FROM sqlite_master} +} {t2} +do_test auth-1.128 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_INSERT" && $arg1=="sqlite_master"} { + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql { + CREATE TRIGGER r2 DELETE on t2 BEGIN + SELECT NULL; + END; + } +} {1 {not authorized}} +do_test auth-1.129 { + execsql {SELECT name FROM sqlite_master} +} {t2} +do_test auth-1.130 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_CREATE_TRIGGER"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql { + CREATE TRIGGER r2 DELETE on t2 BEGIN + SELECT NULL; + END; + } +} {0 {}} +do_test auth-1.131 { + set ::authargs +} {r2 t2 main {}} +do_test auth-1.132 { + execsql {SELECT name FROM sqlite_master} +} {t2} +do_test auth-1.133 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_INSERT" && $arg1=="sqlite_master"} { + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql { + CREATE TRIGGER r2 DELETE on t2 BEGIN + SELECT NULL; + END; + } +} {0 {}} +do_test auth-1.134 { + execsql {SELECT name FROM sqlite_master} +} {t2} +do_test auth-1.135 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_CREATE_TRIGGER"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_OK + } + return SQLITE_OK + } + catchsql { + CREATE TABLE tx(id); + CREATE TRIGGER r2 AFTER INSERT ON t2 BEGIN + INSERT INTO tx VALUES(NEW.rowid); + END; + } +} {0 {}} +do_test auth-1.136.1 { + set ::authargs +} {r2 t2 main {}} +do_test auth-1.136.2 { + execsql { + SELECT name FROM sqlite_master WHERE type='trigger' + } +} {r2} +do_test auth-1.136.3 { + proc auth {code arg1 arg2 arg3 arg4 args} { + lappend ::authargs $code $arg1 $arg2 $arg3 $arg4 + return SQLITE_OK + } + set ::authargs {} + execsql { + INSERT INTO t2 VALUES(1,2,3); + } + set ::authargs +} {SQLITE_INSERT t2 {} main {} SQLITE_INSERT tx {} main r2 SQLITE_READ t2 ROWID main r2} +do_test auth-1.136.4 { + execsql { + SELECT * FROM tx; + } +} {3} +do_test auth-1.137 { + execsql {SELECT name FROM sqlite_master} +} {t2 tx r2} +do_test auth-1.138 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_CREATE_TEMP_TRIGGER"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql { + CREATE TRIGGER r1 DELETE on t1 BEGIN + SELECT NULL; + END; + } +} {1 {not authorized}} +do_test auth-1.139 { + set ::authargs +} {r1 t1 temp {}} +do_test auth-1.140 { + execsql {SELECT name FROM temp.sqlite_master} +} {t1} +do_test auth-1.141 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_INSERT" && $arg1=="sqlite_temp_master"} { + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql { + CREATE TRIGGER r1 DELETE on t1 BEGIN + SELECT NULL; + END; + } +} {1 {not authorized}} +do_test auth-1.142 { + execsql {SELECT name FROM sqlite_temp_master} +} {t1} +do_test auth-1.143 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_CREATE_TEMP_TRIGGER"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql { + CREATE TRIGGER r1 DELETE on t1 BEGIN + SELECT NULL; + END; + } +} {0 {}} +do_test auth-1.144 { + set ::authargs +} {r1 t1 temp {}} +do_test auth-1.145 { + execsql {SELECT name FROM temp.sqlite_master} +} {t1} +do_test auth-1.146 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_INSERT" && $arg1=="sqlite_temp_master"} { + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql { + CREATE TRIGGER r1 DELETE on t1 BEGIN + SELECT NULL; + END; + } +} {0 {}} +do_test auth-1.147 { + execsql {SELECT name FROM sqlite_temp_master} +} {t1} +do_test auth-1.148 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_CREATE_TEMP_TRIGGER"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_OK + } + return SQLITE_OK + } + catchsql { + CREATE TRIGGER r1 DELETE on t1 BEGIN + SELECT NULL; + END; + } +} {0 {}} +do_test auth-1.149 { + set ::authargs +} {r1 t1 temp {}} +do_test auth-1.150 { + execsql {SELECT name FROM temp.sqlite_master} +} {t1 r1} + +do_test auth-1.151 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DELETE" && $arg1=="sqlite_master"} { + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {DROP TRIGGER r2} +} {1 {not authorized}} +do_test auth-1.152 { + execsql {SELECT name FROM sqlite_master} +} {t2 tx r2} +do_test auth-1.153 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DROP_TRIGGER"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {DROP TRIGGER r2} +} {1 {not authorized}} +do_test auth-1.154 { + set ::authargs +} {r2 t2 main {}} +do_test auth-1.155 { + execsql {SELECT name FROM sqlite_master} +} {t2 tx r2} +do_test auth-1.156 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DELETE" && $arg1=="sqlite_master"} { + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {DROP TRIGGER r2} +} {0 {}} +do_test auth-1.157 { + execsql {SELECT name FROM sqlite_master} +} {t2 tx r2} +do_test auth-1.158 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DROP_TRIGGER"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {DROP TRIGGER r2} +} {0 {}} +do_test auth-1.159 { + set ::authargs +} {r2 t2 main {}} +do_test auth-1.160 { + execsql {SELECT name FROM sqlite_master} +} {t2 tx r2} +do_test auth-1.161 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DROP_TRIGGER"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_OK + } + return SQLITE_OK + } + catchsql {DROP TRIGGER r2} +} {0 {}} +do_test auth-1.162 { + set ::authargs +} {r2 t2 main {}} +do_test auth-1.163 { + execsql { + DROP TABLE tx; + DELETE FROM t2 WHERE a=1 AND b=2 AND c=3; + SELECT name FROM sqlite_master; + } +} {t2} + +do_test auth-1.164 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DELETE" && $arg1=="sqlite_temp_master"} { + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {DROP TRIGGER r1} +} {1 {not authorized}} +do_test auth-1.165 { + execsql {SELECT name FROM temp.sqlite_master} +} {t1 r1} +do_test auth-1.166 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DROP_TEMP_TRIGGER"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {DROP TRIGGER r1} +} {1 {not authorized}} +do_test auth-1.167 { + set ::authargs +} {r1 t1 temp {}} +do_test auth-1.168 { + execsql {SELECT name FROM sqlite_temp_master} +} {t1 r1} +do_test auth-1.169 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DELETE" && $arg1=="sqlite_temp_master"} { + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {DROP TRIGGER r1} +} {0 {}} +do_test auth-1.170 { + execsql {SELECT name FROM temp.sqlite_master} +} {t1 r1} +do_test auth-1.171 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DROP_TEMP_TRIGGER"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {DROP TRIGGER r1} +} {0 {}} +do_test auth-1.172 { + set ::authargs +} {r1 t1 temp {}} +do_test auth-1.173 { + execsql {SELECT name FROM sqlite_temp_master} +} {t1 r1} +do_test auth-1.174 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DROP_TEMP_TRIGGER"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_OK + } + return SQLITE_OK + } + catchsql {DROP TRIGGER r1} +} {0 {}} +do_test auth-1.175 { + set ::authargs +} {r1 t1 temp {}} +do_test auth-1.176 { + execsql {SELECT name FROM temp.sqlite_master} +} {t1} +} ;# ifcapable trigger + +do_test auth-1.177 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_CREATE_INDEX"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {CREATE INDEX i2 ON t2(a)} +} {1 {not authorized}} +do_test auth-1.178 { + set ::authargs +} {i2 t2 main {}} +do_test auth-1.179 { + execsql {SELECT name FROM sqlite_master} +} {t2} +do_test auth-1.180 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_INSERT" && $arg1=="sqlite_master"} { + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {CREATE INDEX i2 ON t2(a)} +} {1 {not authorized}} +do_test auth-1.181 { + execsql {SELECT name FROM sqlite_master} +} {t2} +do_test auth-1.182 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_CREATE_INDEX"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {CREATE INDEX i2 ON t2(b)} +} {0 {}} +do_test auth-1.183 { + set ::authargs +} {i2 t2 main {}} +do_test auth-1.184 { + execsql {SELECT name FROM sqlite_master} +} {t2} +do_test auth-1.185 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_INSERT" && $arg1=="sqlite_master"} { + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {CREATE INDEX i2 ON t2(b)} +} {0 {}} +do_test auth-1.186 { + execsql {SELECT name FROM sqlite_master} +} {t2} +do_test auth-1.187 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_CREATE_INDEX"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_OK + } + return SQLITE_OK + } + catchsql {CREATE INDEX i2 ON t2(a)} +} {0 {}} +do_test auth-1.188 { + set ::authargs +} {i2 t2 main {}} +do_test auth-1.189 { + execsql {SELECT name FROM sqlite_master} +} {t2 i2} + +ifcapable tempdb { + do_test auth-1.190 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_CREATE_TEMP_INDEX"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {CREATE INDEX i1 ON t1(a)} + } {1 {not authorized}} + do_test auth-1.191 { + set ::authargs + } {i1 t1 temp {}} + do_test auth-1.192 { + execsql {SELECT name FROM sqlite_temp_master} + } {t1} + do_test auth-1.193 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_INSERT" && $arg1=="sqlite_temp_master"} { + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {CREATE INDEX i1 ON t1(b)} + } {1 {not authorized}} + do_test auth-1.194 { + execsql {SELECT name FROM temp.sqlite_master} + } {t1} + do_test auth-1.195 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_CREATE_TEMP_INDEX"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {CREATE INDEX i1 ON t1(b)} + } {0 {}} + do_test auth-1.196 { + set ::authargs + } {i1 t1 temp {}} + do_test auth-1.197 { + execsql {SELECT name FROM sqlite_temp_master} + } {t1} + do_test auth-1.198 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_INSERT" && $arg1=="sqlite_temp_master"} { + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {CREATE INDEX i1 ON t1(c)} + } {0 {}} + do_test auth-1.199 { + execsql {SELECT name FROM sqlite_temp_master} + } {t1} + do_test auth-1.200 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_CREATE_TEMP_INDEX"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_OK + } + return SQLITE_OK + } + catchsql {CREATE INDEX i1 ON t1(a)} + } {0 {}} + do_test auth-1.201 { + set ::authargs + } {i1 t1 temp {}} + do_test auth-1.202 { + execsql {SELECT name FROM temp.sqlite_master} + } {t1 i1} +} + +do_test auth-1.203 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DELETE" && $arg1=="sqlite_master"} { + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {DROP INDEX i2} +} {1 {not authorized}} +do_test auth-1.204 { + execsql {SELECT name FROM sqlite_master} +} {t2 i2} +do_test auth-1.205 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DROP_INDEX"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {DROP INDEX i2} +} {1 {not authorized}} +do_test auth-1.205a { + set ::authargs +} {i2 t2 main {}} +db eval { + ATTACH ':memory:' as di205; + CREATE TABLE di205.t1(x); + CREATE INDEX di205.t1x ON t1(x); +} +do_catchsql_test auth-1.205b { + DROP INDEX di205.t1x; +} {1 {not authorized}} +db eval { + DETACH di205; +} +do_test auth-1.206 { + set ::authargs +} {t1x t1 di205 {}} +do_test auth-1.207 { + execsql {SELECT name FROM sqlite_master} +} {t2 i2} +do_test auth-1.208 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DELETE" && $arg1=="sqlite_master"} { + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {DROP INDEX i2} +} {0 {}} +do_test auth-1.209 { + execsql {SELECT name FROM sqlite_master} +} {t2 i2} +do_test auth-1.210 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DROP_INDEX"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {DROP INDEX i2} +} {0 {}} +do_test auth-1.211 { + set ::authargs +} {i2 t2 main {}} +do_test auth-1.212 { + execsql {SELECT name FROM sqlite_master} +} {t2 i2} +do_test auth-1.213 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DROP_INDEX"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_OK + } + return SQLITE_OK + } + catchsql {DROP INDEX i2} +} {0 {}} +do_test auth-1.214 { + set ::authargs +} {i2 t2 main {}} +do_test auth-1.215 { + execsql {SELECT name FROM sqlite_master} +} {t2} + +ifcapable tempdb { + do_test auth-1.216 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DELETE" && $arg1=="sqlite_temp_master"} { + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {DROP INDEX i1} + } {1 {not authorized}} + do_test auth-1.217 { + execsql {SELECT name FROM sqlite_temp_master} + } {t1 i1} + do_test auth-1.218 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DROP_TEMP_INDEX"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {DROP INDEX i1} + } {1 {not authorized}} + do_test auth-1.219 { + set ::authargs + } {i1 t1 temp {}} + do_test auth-1.220 { + execsql {SELECT name FROM sqlite_temp_master} + } {t1 i1} + do_test auth-1.221 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DELETE" && $arg1=="sqlite_temp_master"} { + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {DROP INDEX i1} + } {0 {}} + do_test auth-1.222 { + execsql {SELECT name FROM temp.sqlite_master} + } {t1 i1} + do_test auth-1.223 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DROP_TEMP_INDEX"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {DROP INDEX i1} + } {0 {}} + do_test auth-1.224 { + set ::authargs + } {i1 t1 temp {}} + do_test auth-1.225 { + execsql {SELECT name FROM temp.sqlite_master} + } {t1 i1} + do_test auth-1.226 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DROP_TEMP_INDEX"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_OK + } + return SQLITE_OK + } + catchsql {DROP INDEX i1} + } {0 {}} + do_test auth-1.227 { + set ::authargs + } {i1 t1 temp {}} + do_test auth-1.228 { + execsql {SELECT name FROM temp.sqlite_master} + } {t1} +} + +do_test auth-1.229 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_PRAGMA"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {PRAGMA full_column_names=on} +} {1 {not authorized}} +do_test auth-1.230 { + set ::authargs +} {full_column_names on {} {}} +do_test auth-1.231 { + execsql2 {SELECT a FROM t2} +} {a 11 a 7} +do_test auth-1.232 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_PRAGMA"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {PRAGMA full_column_names=on} +} {0 {}} +do_test auth-1.233 { + set ::authargs +} {full_column_names on {} {}} +do_test auth-1.234 { + execsql2 {SELECT a FROM t2} +} {a 11 a 7} +do_test auth-1.235 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_PRAGMA"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_OK + } + return SQLITE_OK + } + catchsql {PRAGMA full_column_names=on} +} {0 {}} +do_test auth-1.236 { + execsql2 {SELECT a FROM t2} +} {t2.a 11 t2.a 7} +do_test auth-1.237 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_PRAGMA"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_OK + } + return SQLITE_OK + } + catchsql {PRAGMA full_column_names=OFF} +} {0 {}} +do_test auth-1.238 { + set ::authargs +} {full_column_names OFF {} {}} +do_test auth-1.239 { + execsql2 {SELECT a FROM t2} +} {a 11 a 7} + +do_test auth-1.240 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_TRANSACTION"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {BEGIN} +} {1 {not authorized}} +do_test auth-1.241 { + set ::authargs +} {BEGIN {} {} {}} +do_test auth-1.242 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_TRANSACTION" && $arg1!="BEGIN"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {BEGIN; INSERT INTO t2 VALUES(44,55,66); COMMIT} +} {1 {not authorized}} +do_test auth-1.243 { + set ::authargs +} {COMMIT {} {} {}} +do_test auth-1.244 { + execsql {SELECT * FROM t2} +} {11 2 33 7 8 9 44 55 66} +do_test auth-1.245 { + catchsql {ROLLBACK} +} {1 {not authorized}} +do_test auth-1.246 { + set ::authargs +} {ROLLBACK {} {} {}} +do_test auth-1.247 { + catchsql {END TRANSACTION} +} {1 {not authorized}} +do_test auth-1.248 { + set ::authargs +} {COMMIT {} {} {}} +do_test auth-1.249 { + # EVIDENCE-OF: R-52112-44167 Disable the authorizer by installing a NULL + # callback. + db authorizer {} + catchsql {ROLLBACK} +} {0 {}} +do_test auth-1.250 { + execsql {SELECT * FROM t2} +} {11 2 33 7 8 9} + +# ticket #340 - authorization for ATTACH and DETACH. +# +ifcapable attach { + do_test auth-1.251 { + db authorizer ::auth + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_ATTACH"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + } + return SQLITE_OK + } + catchsql { + ATTACH DATABASE ':memory:' AS test1 + } + } {0 {}} + do_test auth-1.252a { + set ::authargs + } {:memory: {} {} {}} + do_test auth-1.252b { + db eval {DETACH test1} + set ::attachfilename :memory: + db eval {ATTACH $::attachfilename AS test1} + set ::authargs + } {{} {} {} {}} + do_test auth-1.252c { + db eval {DETACH test1} + db eval {ATTACH ':mem' || 'ory:' AS test1} + set ::authargs + } {{} {} {} {}} + do_test auth-1.253 { + catchsql {DETACH DATABASE test1} + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_ATTACH"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql { + ATTACH DATABASE ':memory:' AS test1; + } + } {1 {not authorized}} + do_test auth-1.254 { + lindex [execsql {PRAGMA database_list}] 7 + } {} + do_test auth-1.255 { + catchsql {DETACH DATABASE test1} + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_ATTACH"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql { + ATTACH DATABASE ':memory:' AS test1; + } + } {0 {}} + do_test auth-1.256 { + lindex [execsql {PRAGMA database_list}] 7 + } {} + do_test auth-1.257 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DETACH"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_OK + } + return SQLITE_OK + } + execsql {ATTACH DATABASE ':memory:' AS test1} + catchsql { + DETACH DATABASE test1; + } + } {0 {}} + do_test auth-1.258 { + lindex [execsql {PRAGMA database_list}] 7 + } {} + do_test auth-1.259 { + execsql {ATTACH DATABASE ':memory:' AS test1} + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DETACH"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql { + DETACH DATABASE test1; + } + } {0 {}} + ifcapable tempdb { + ifcapable schema_pragmas { + do_test auth-1.260 { + lindex [execsql {PRAGMA database_list}] 7 + } {test1} + } ;# ifcapable schema_pragmas + do_test auth-1.261 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_DETACH"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql { + DETACH DATABASE test1; + } + } {1 {not authorized}} + ifcapable schema_pragmas { + do_test auth-1.262 { + lindex [execsql {PRAGMA database_list}] 7 + } {test1} + } ;# ifcapable schema_pragmas + db authorizer {} + execsql {DETACH DATABASE test1} + db authorizer ::auth + + # Authorization for ALTER TABLE. These tests are omitted if the library + # was built without ALTER TABLE support. + ifcapable altertable { + + do_test auth-1.263 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_ALTER_TABLE"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_OK + } + return SQLITE_OK + } + catchsql { + ALTER TABLE t1 RENAME TO t1x + } + } {0 {}} + do_test auth-1.264 { + execsql {SELECT name FROM sqlite_temp_master WHERE type='table'} + } {t1x} + do_test auth-1.265 { + set authargs + } {temp t1 {} {}} + do_test auth-1.266 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_ALTER_TABLE"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql { + ALTER TABLE t1x RENAME TO t1 + } + } {0 {}} + do_test auth-1.267 { + execsql {SELECT name FROM temp.sqlite_master WHERE type='table'} + } {t1x} + do_test auth-1.268 { + set authargs + } {temp t1x {} {}} + do_test auth-1.269 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_ALTER_TABLE"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql { + ALTER TABLE t1x RENAME TO t1 + } + } {1 {not authorized}} + do_test auth-1.270 { + execsql {SELECT name FROM sqlite_temp_master WHERE type='table'} + } {t1x} + + do_test auth-1.271 { + set authargs + } {temp t1x {} {}} + } ;# ifcapable altertable + + } else { + db authorizer {} + db eval { + DETACH DATABASE test1; + } + } +} + +ifcapable altertable { +db authorizer {} +catchsql {ALTER TABLE t1x RENAME TO t1} +db authorizer ::auth +do_test auth-1.272 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_ALTER_TABLE"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_OK + } + return SQLITE_OK + } + catchsql { + ALTER TABLE t2 RENAME TO t2x + } +} {0 {}} +do_test auth-1.273 { + execsql {SELECT name FROM sqlite_master WHERE type='table'} +} {t2x} +do_test auth-1.274 { + set authargs +} {main t2 {} {}} +do_test auth-1.275 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_ALTER_TABLE"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql { + ALTER TABLE t2x RENAME TO t2 + } +} {0 {}} +do_test auth-1.276 { + execsql {SELECT name FROM sqlite_master WHERE type='table'} +} {t2x} +do_test auth-1.277 { + set authargs +} {main t2x {} {}} +do_test auth-1.278 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_ALTER_TABLE"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql { + ALTER TABLE t2x RENAME TO t2 + } +} {1 {not authorized}} +do_test auth-1.279 { + execsql {SELECT name FROM sqlite_master WHERE type='table'} +} {t2x} +do_test auth-1.280 { + set authargs +} {main t2x {} {}} +db authorizer {} +catchsql {ALTER TABLE t2x RENAME TO t2} + +} ;# ifcapable altertable + +# Test the authorization callbacks for the REINDEX command. +ifcapable reindex { + +proc auth {code args} { + if {$code=="SQLITE_REINDEX"} { + set ::authargs [concat $::authargs [lrange $args 0 3]] + } + return SQLITE_OK +} +db authorizer auth +do_test auth-1.281 { + execsql { + CREATE TABLE t3(a PRIMARY KEY, b, c); + CREATE INDEX t3_idx1 ON t3(c COLLATE BINARY); + CREATE INDEX t3_idx2 ON t3(b COLLATE NOCASE); + } +} {} +do_test auth-1.282 { + set ::authargs {} + execsql { + REINDEX t3_idx1; + } + set ::authargs +} {t3_idx1 {} main {}} +do_test auth-1.283 { + set ::authargs {} + execsql { + REINDEX BINARY; + } + set ::authargs +} {t3_idx1 {} main {} sqlite_autoindex_t3_1 {} main {}} +do_test auth-1.284 { + set ::authargs {} + execsql { + REINDEX NOCASE; + } + set ::authargs +} {t3_idx2 {} main {}} +do_test auth-1.285 { + set ::authargs {} + execsql { + REINDEX t3; + } + set ::authargs +} {t3_idx2 {} main {} t3_idx1 {} main {} sqlite_autoindex_t3_1 {} main {}} +do_test auth-1.286 { + execsql { + DROP TABLE t3; + } +} {} +ifcapable tempdb { + do_test auth-1.287 { + execsql { + CREATE TEMP TABLE t3(a PRIMARY KEY, b, c); + CREATE INDEX t3_idx1 ON t3(c COLLATE BINARY); + CREATE INDEX t3_idx2 ON t3(b COLLATE NOCASE); + } + } {} + do_test auth-1.288 { + set ::authargs {} + execsql { + REINDEX temp.t3_idx1; + } + set ::authargs + } {t3_idx1 {} temp {}} + do_test auth-1.289 { + set ::authargs {} + execsql { + REINDEX BINARY; + } + set ::authargs + } {t3_idx1 {} temp {} sqlite_autoindex_t3_1 {} temp {}} + do_test auth-1.290 { + set ::authargs {} + execsql { + REINDEX NOCASE; + } + set ::authargs + } {t3_idx2 {} temp {}} + do_test auth-1.291 { + set ::authargs {} + execsql { + REINDEX temp.t3; + } + set ::authargs + } {t3_idx2 {} temp {} t3_idx1 {} temp {} sqlite_autoindex_t3_1 {} temp {}} + proc auth {code args} { + if {$code=="SQLITE_REINDEX"} { + set ::authargs [concat $::authargs [lrange $args 0 3]] + return SQLITE_DENY + } + return SQLITE_OK + } + do_test auth-1.292 { + set ::authargs {} + catchsql { + REINDEX temp.t3; + } + } {1 {not authorized}} + do_test auth-1.293 { + execsql { + DROP TABLE t3; + } + } {} +} + +} ;# ifcapable reindex + +ifcapable analyze { + proc auth {code args} { + if {$code=="SQLITE_ANALYZE"} { + set ::authargs [concat $::authargs [lrange $args 0 3]] + } + return SQLITE_OK + } + do_test auth-1.294 { + set ::authargs {} + execsql { + CREATE TABLE t4(a,b,c); + CREATE INDEX t4i1 ON t4(a); + CREATE INDEX t4i2 ON t4(b,a,c); + INSERT INTO t4 VALUES(1,2,3); + ANALYZE; + } + set ::authargs + } {t4 {} main {} t2 {} main {}} + do_test auth-1.295 { + execsql { + SELECT count(*) FROM sqlite_stat1; + } + } 3 + proc auth {code args} { + if {$code=="SQLITE_ANALYZE"} { + set ::authargs [concat $::authargs $args] + return SQLITE_DENY + } + return SQLITE_OK + } + do_test auth-1.296 { + set ::authargs {} + catchsql { + ANALYZE; + } + } {1 {not authorized}} + do_test auth-1.297 { + execsql { + SELECT count(*) FROM sqlite_stat1; + } + } 3 +} ;# ifcapable analyze + + +# Authorization for ALTER TABLE ADD COLUMN. +# These tests are omitted if the library +# was built without ALTER TABLE support. +ifcapable {altertable} { + do_test auth-1.300 { + execsql {CREATE TABLE t5(x)} + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_ALTER_TABLE"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_OK + } + return SQLITE_OK + } + catchsql { + ALTER TABLE t5 ADD COLUMN new_col_1; + } + } {0 {}} + do_test auth-1.301 { + set x [execsql {SELECT sql FROM sqlite_master WHERE name='t5'}] + regexp new_col_1 $x + } {1} + do_test auth-1.302 { + set authargs + } {main t5 {} {}} + db eval BEGIN + set authargs {} + do_execsql_test auth-1.302-drop-1 { + ALTER TABLE t5 DROP COLUMN new_col_1; + } {} + db eval ROLLBACK + do_test auth-1.302-drop-2 { + set authargs + } {main t5 new_col_1 {}} + do_test auth-1.303 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_ALTER_TABLE"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql { + ALTER TABLE t5 ADD COLUMN new_col_2; + } + } {0 {}} + do_test auth-1.304 { + set x [execsql {SELECT sql FROM sqlite_master WHERE name='t5'}] + regexp new_col_2 $x + } {0} + do_test auth-1.305 { + set authargs + } {main t5 {} {}} + db eval BEGIN + set authargs {} + do_execsql_test auth-1.305-drop-1 { + ALTER TABLE t5 DROP COLUMN new_col_1; + SELECT 1 FROM sqlite_schema WHERE name='t5' AND sql LIKE '%new_col_1%'; + } {1} + db eval ROLLBACK + do_test auth-1.305-drop-2 { + set authargs + } {main t5 new_col_1 {}} + do_test auth-1.306 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_ALTER_TABLE"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql { + ALTER TABLE t5 ADD COLUMN new_col_3 + } + } {1 {not authorized}} + do_test auth-1.307 { + set x [execsql {SELECT sql FROM temp.sqlite_master WHERE type='t5'}] + regexp new_col_3 $x + } {0} + do_test auth-1.308 { + set authargs + } {main t5 {} {}} + db eval BEGIN + set authargs {} + do_catchsql_test auth-1.308-drop-1 { + ALTER TABLE t5 DROP COLUMN new_col_1; + } {1 {not authorized}} + do_execsql_test auth-1.308-drop-2 { + SELECT 1 FROM sqlite_schema WHERE name='t5' AND sql LIKE '%new_col_1%'; + } {1} + do_test auth-1.308-drop-3 { + set authargs + } {main t5 new_col_1 {}} + db eval ROLLBACK + + execsql {DROP TABLE t5} +} ;# ifcapable altertable + +ifcapable {cte} { + do_test auth-1.310 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_RECURSIVE"} { + return SQLITE_DENY + } + return SQLITE_OK + } + db eval { + DROP TABLE IF EXISTS t1; + CREATE TABLE t1(a,b); + INSERT INTO t1 VALUES(1,2),(3,4),(5,6); + } + } {} + do_catchsql_test auth-1.311 { + WITH + auth1311(x,y) AS (SELECT a+b, b-a FROM t1) + SELECT * FROM auth1311 ORDER BY x; + } {0 {3 1 7 1 11 1}} + do_catchsql_test auth-1.312 { + WITH RECURSIVE + auth1312(x,y) AS (SELECT a+b, b-a FROM t1) + SELECT x, y FROM auth1312 ORDER BY x; + } {0 {3 1 7 1 11 1}} + do_catchsql_test auth-1.313 { + WITH RECURSIVE + auth1313(x) AS (VALUES(1) UNION ALL SELECT x+1 FROM auth1313 WHERE x<5) + SELECT * FROM t1; + } {0 {1 2 3 4 5 6}} + do_catchsql_test auth-1.314 { + WITH RECURSIVE + auth1314(x) AS (VALUES(1) UNION ALL SELECT x+1 FROM auth1314 WHERE x<5) + SELECT * FROM t1 LEFT JOIN auth1314; + } {1 {not authorized}} +} ;# ifcapable cte + +# +# db eval {SELECT sql FROM temp.sqlite_master} {puts "TEMP: $sql;"} +# db eval {SELECT sql FROM main.sqlite_master} {puts "MAIN: $sql;"} +# +# MAIN: CREATE TABLE "t2"(a,b,c); +# MAIN: CREATE TABLE t4(a,b,c); +# MAIN: CREATE INDEX t4i1 ON t4(a); +# MAIN: CREATE INDEX t4i2 ON t4(b,a,c); +# MAIN: CREATE TABLE sqlite_stat1(tbl,idx,stat); +# MAIN: CREATE TABLE t1(a,b); +# +ifcapable altertable&&vtab { + do_test auth-1.350 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_ALTER_TABLE"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_OK + } + return SQLITE_OK + } + catchsql { + ALTER TABLE t1 RENAME COLUMN b TO bcdefg; + } + } {0 {}} + do_execsql_test auth-1.351 { + SELECT name FROM pragma_table_info('t1') ORDER BY cid; + } {a bcdefg} + do_test auth-1.352 { + set authargs + } {main t1 {} {}} + do_test auth-1.353 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_ALTER_TABLE"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql { + ALTER TABLE t1 RENAME COLUMN bcdefg TO b; + } + } {0 {}} + do_execsql_test auth-1.354 { + SELECT name FROM pragma_table_info('t1') ORDER BY cid; + } {a bcdefg} + do_test auth-1.355 { + set authargs + } {main t1 {} {}} + do_test auth-1.356 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_ALTER_TABLE"} { + set ::authargs [list $arg1 $arg2 $arg3 $arg4] + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql { + ALTER TABLE t1 RENAME COLUMN bcdefg TO b; + } + } {1 {not authorized}} + do_execsql_test auth-1.357 { + SELECT name FROM pragma_table_info('t1') ORDER BY cid; + } {a bcdefg} + do_test auth-1.358 { + set authargs + } {main t1 {} {}} +} + +# 2022-12-28 +# The sqlite3_declare_vtab() call that occurs during pragma_table_list +# should not cause an authentication failure. +# +ifcapable vtab { + do_test auth-1.359 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_UPDATE"} { + return SQLITE_DENY + } + return SQLITE_OK + } + catchsql {SELECT * FROM pragma_table_list WHERE name='xyzzy';} + } {0 {}} +} + +do_test auth-2.1 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_READ" && $arg1=="t3" && $arg2=="x"} { + return SQLITE_DENY + } + return SQLITE_OK + } + db authorizer ::auth + execsql {CREATE TABLE t3(x INTEGER PRIMARY KEY, y, z)} + catchsql {SELECT * FROM t3} +} {1 {access to t3.x is prohibited}} +do_test auth-2.1 { + catchsql {SELECT y,z FROM t3} +} {0 {}} +do_test auth-2.2 { + catchsql {SELECT ROWID,y,z FROM t3} +} {1 {access to t3.x is prohibited}} +do_test auth-2.3 { + catchsql {SELECT OID,y,z FROM t3} +} {1 {access to t3.x is prohibited}} +do_test auth-2.4 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_READ" && $arg1=="t3" && $arg2=="x"} { + return SQLITE_IGNORE + } + return SQLITE_OK + } + execsql {INSERT INTO t3 VALUES(44,55,66)} + catchsql {SELECT * FROM t3} +} {0 {{} 55 66}} +do_test auth-2.5 { + catchsql {SELECT rowid,y,z FROM t3} +} {0 {{} 55 66}} +do_test auth-2.6 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_READ" && $arg1=="t3" && $arg2=="ROWID"} { + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {SELECT * FROM t3} +} {0 {44 55 66}} +do_test auth-2.7 { + catchsql {SELECT ROWID,y,z FROM t3} +} {0 {44 55 66}} +do_test auth-2.8 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_READ" && $arg1=="t2" && $arg2=="ROWID"} { + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {SELECT ROWID,b,c FROM t2} +} {0 {{} 2 33 {} 8 9}} +do_test auth-2.9.1 { + # We have to flush the cache here in case the Tcl interface tries to + # reuse a statement compiled with sqlite3_prepare_v2(). In this case, + # the first error encountered is an SQLITE_SCHEMA error. Then, when + # trying to recompile the statement, the authorization error is encountered. + # If we do not flush the cache, the correct error message is returned, but + # the error code is SQLITE_SCHEMA, not SQLITE_ERROR as required by the test + # case after this one. + # + db cache flush + + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_READ" && $arg1=="t2" && $arg2=="ROWID"} { + return bogus + } + return SQLITE_OK + } + catchsql {SELECT ROWID,b,c FROM t2} +} {1 {authorizer malfunction}} +do_test auth-2.9.2 { + db errorcode +} {1} +do_test auth-2.10 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_SELECT"} { + return bogus + } + return SQLITE_OK + } + catchsql {SELECT ROWID,b,c FROM t2} +} {1 {authorizer malfunction}} +do_test auth-2.11.1 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_READ" && $arg2=="a"} { + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {SELECT * FROM t2, t3} +} {0 {{} 2 33 44 55 66 {} 8 9 44 55 66}} +do_test auth-2.11.2 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_READ" && $arg2=="x"} { + return SQLITE_IGNORE + } + return SQLITE_OK + } + catchsql {SELECT * FROM t2, t3} +} {0 {11 2 33 {} 55 66 7 8 9 {} 55 66}} + +# Make sure the OLD and NEW pseudo-tables of a trigger get authorized. +# +ifcapable trigger { + do_test auth-3.1 { + proc auth {code arg1 arg2 arg3 arg4 args} { + return SQLITE_OK + } + execsql { + CREATE TABLE tx(a1,a2,b1,b2,c1,c2); + CREATE TRIGGER r1 AFTER UPDATE ON t2 FOR EACH ROW BEGIN + INSERT INTO tx VALUES(OLD.a,NEW.a,OLD.b,NEW.b,OLD.c,NEW.c); + END; + UPDATE t2 SET a=a+1; + SELECT * FROM tx; + } + } {11 12 2 2 33 33 7 8 8 8 9 9} + do_test auth-3.2 { + proc auth {code arg1 arg2 arg3 arg4 args} { + if {$code=="SQLITE_READ" && $arg1=="t2" && $arg2=="c"} { + return SQLITE_IGNORE + } + return SQLITE_OK + } + execsql { + DELETE FROM tx; + UPDATE t2 SET a=a+100; + SELECT * FROM tx; + } + } {12 112 2 2 {} {} 8 108 8 8 {} {}} +} ;# ifcapable trigger + +# Make sure the names of views and triggers are passed on on arg4. +# +ifcapable trigger { +do_test auth-4.1 { + proc auth {code arg1 arg2 arg3 arg4 args} { + lappend ::authargs $code $arg1 $arg2 $arg3 $arg4 + return SQLITE_OK + } + set authargs {} + execsql { + UPDATE t2 SET a=a+1; + } + set authargs +} [list \ + SQLITE_READ t2 a main {} \ + SQLITE_UPDATE t2 a main {} \ + SQLITE_INSERT tx {} main r1 \ + SQLITE_READ t2 a main r1 \ + SQLITE_READ t2 a main r1 \ + SQLITE_READ t2 b main r1 \ + SQLITE_READ t2 b main r1 \ + SQLITE_READ t2 c main r1 \ + SQLITE_READ t2 c main r1] +} + +ifcapable {view && trigger} { +do_test auth-4.2 { + execsql { + CREATE VIEW v1 AS SELECT a+b AS x FROM t2; + CREATE TABLE v1chng(x1,x2); + CREATE TRIGGER r2 INSTEAD OF UPDATE ON v1 BEGIN + INSERT INTO v1chng VALUES(OLD.x,NEW.x); + END; + SELECT * FROM v1; + } +} {115 117} +do_test auth-4.3 { + set authargs {} + execsql { + UPDATE v1 SET x=1 WHERE x=117 + } + set authargs +} [list \ + SQLITE_UPDATE v1 x main {} \ + SQLITE_SELECT {} {} {} v1 \ + SQLITE_READ t2 a main v1 \ + SQLITE_READ t2 b main v1 \ + SQLITE_READ v1 x main v1 \ + SQLITE_READ v1 x main v1 \ + SQLITE_SELECT {} {} {} v1 \ + SQLITE_READ v1 x main v1 \ + SQLITE_INSERT v1chng {} main r2 \ + SQLITE_READ v1 x main r2 \ + SQLITE_READ v1 x main r2 \ +] + +do_test auth-4.4 { + execsql { + CREATE TRIGGER r3 INSTEAD OF DELETE ON v1 BEGIN + INSERT INTO v1chng VALUES(OLD.x,NULL); + END; + SELECT * FROM v1; + } +} {115 117} +do_test auth-4.5 { + set authargs {} + execsql { + DELETE FROM v1 WHERE x=117 + } + set authargs +} [list \ + SQLITE_DELETE v1 {} main {} \ + SQLITE_SELECT {} {} {} v1 \ + SQLITE_READ t2 a main v1 \ + SQLITE_READ t2 b main v1 \ + SQLITE_READ v1 x main v1 \ + SQLITE_READ v1 x main v1 \ + SQLITE_SELECT {} {} {} v1 \ + SQLITE_READ v1 x main v1 \ + SQLITE_INSERT v1chng {} main r3 \ + SQLITE_READ v1 x main r3 \ +] + +} ;# ifcapable view && trigger + +# Ticket #1338: Make sure authentication works in the presence of an AS +# clause. +# +do_test auth-5.1 { + proc auth {code arg1 arg2 arg3 arg4 args} { + return SQLITE_OK + } + execsql { + SELECT count(a) AS cnt FROM t4 ORDER BY cnt + } +} {1} + +# Ticket #1607 +# +ifcapable compound&&subquery { + ifcapable trigger { + execsql { + DROP TABLE tx; + } + ifcapable view { + execsql { + DROP TABLE v1chng; + } + } + } + ifcapable stat4 { + set stat4 "sqlite_stat4 " + } else { + set stat4 "" + } + do_test auth-5.2 { + execsql { + SELECT name FROM ( + SELECT * FROM sqlite_master UNION ALL SELECT * FROM temp.sqlite_master) + WHERE type='table' + ORDER BY name + } + } "sqlite_stat1 ${stat4}t1 t2 t3 t4" +} + +# Ticket #3944 +# +ifcapable trigger { + do_test auth-5.3.1 { + execsql { + CREATE TABLE t5 ( x ); + CREATE TRIGGER t5_tr1 AFTER INSERT ON t5 BEGIN + UPDATE t5 SET x = 1 WHERE NEW.x = 0; + END; + } + } {} + set ::authargs [list] + proc auth {args} { + eval lappend ::authargs [lrange $args 0 4] + return SQLITE_OK + } + do_test auth-5.3.2 { + execsql { INSERT INTO t5 (x) values(0) } + set ::authargs + } [list SQLITE_INSERT t5 {} main {} \ + SQLITE_UPDATE t5 x main t5_tr1 \ + SQLITE_READ t5 x main t5_tr1 \ + ] + do_test auth-5.3.2 { + execsql { SELECT * FROM t5 } + } {1} +} + +# Ticket [0eb70d77cb05bb22720]: Invalid pointer passsed to the authorizer +# callback when updating a ROWID. +# +do_test auth-6.1 { + execsql { + CREATE TABLE t6(a,b,c,d,e,f,g,h); + INSERT INTO t6 VALUES(1,2,3,4,5,6,7,8); + } +} {} +set ::authargs [list] +proc auth {args} { + eval lappend ::authargs [lrange $args 0 4] + return SQLITE_OK +} +do_test auth-6.2 { + execsql {UPDATE t6 SET rowID=rowID+100} + set ::authargs +} [list SQLITE_READ t6 ROWID main {} \ + SQLITE_UPDATE t6 ROWID main {} \ +] +do_test auth-6.3 { + execsql {SELECT rowid, * FROM t6} +} {101 1 2 3 4 5 6 7 8} + +#------------------------------------------------------------------------- +# Test that view names are included as zArg4. +# +do_execsql_test auth-7.1 { + CREATE TABLE t7(a, b, c); + CREATE VIEW v7 AS SELECT * FROM t7; +} {} +set ::authargs [list] +proc auth {args} { + eval lappend ::authargs [lrange $args 0 4] + return SQLITE_OK +} + +do_test auth-7.2 { + execsql {SELECT a, c FROM v7} + set ::authargs +} [list \ + SQLITE_SELECT {} {} {} {} \ + SQLITE_READ t7 a main v7 \ + SQLITE_READ t7 b main v7 \ + SQLITE_READ t7 c main v7 \ + SQLITE_READ v7 a main {} \ + SQLITE_READ v7 c main {} \ + SQLITE_SELECT {} {} {} v7 \ +] + +set ::authargs [list] +do_test auth-7.3 { + execsql {SELECT a, c FROM t7} + set ::authargs +} [list \ + SQLITE_SELECT {} {} {} {} \ + SQLITE_READ t7 a main {} \ + SQLITE_READ t7 c main {} \ +] + +set ::authargs [list] +do_test auth-7.4 { + execsql {SELECT a, c FROM t7 AS v7} + set ::authargs +} [list \ + SQLITE_SELECT {} {} {} {} \ + SQLITE_READ t7 a main {} \ + SQLITE_READ t7 c main {} \ +] + +# If a table is referenced but no columns are read from the table, +# that causes a single SQLITE_READ authorization with a NULL column +# name. +# +# EVIDENCE-OF: R-31520-16302 When a table is referenced by a SELECT but +# no column values are extracted from that table (for example in a query +# like "SELECT count(*) FROM tab") then the SQLITE_READ authorizer +# callback is invoked once for that table with a column name that is an +# empty string. +# +set ::authargs [list] +do_test auth-8.1 { + execsql {SELECT count(*) FROM t7} + set ::authargs +} [list \ + SQLITE_SELECT {} {} {} {} \ + SQLITE_FUNCTION {} count {} {} \ + SQLITE_READ t7 {} {} {} \ + ] +set ::authargs [list] + +do_test auth-8.2 { + execsql {SELECT t6.a FROM t6, t7} + set ::authargs +} [list \ + SQLITE_SELECT {} {} {} {} \ + SQLITE_READ t6 a main {} \ + SQLITE_READ t7 {} {} {} \ + ] + +# Test also that if SQLITE_DENY is returned from an SQLITE_READ authorizer +# invocation with no column name specified, compilation fails. +# +set ::authargs [list] +proc auth {op args} { + foreach {a b c d} $args break + lappend ::authargs $op $a $b $c $d + if {$op == "SQLITE_READ"} { return "SQLITE_DENY" } + return "SQLITE_OK" +} +set ::authargs [list] +do_catchsql_test auth-8.3 { + SELECT count(*) FROM t7 +} {1 {not authorized}} +do_test auth-8.4 { + set ::authargs +} [list \ + SQLITE_SELECT {} {} {} {} \ + SQLITE_FUNCTION {} count {} {} \ + SQLITE_READ t7 {} {} {} \ +] + + +rename proc {} +rename proc_real proc +finish_test |