[Fwd: Re: Oracle plugin]

Rob Manning
Alex,

You've done a lot of work, as I can see in the patch.  And it all looks
great, except for the isOracleAdmin method, which has a small problem as
noted earlier on the developer's list - too restrictive to compare session
username to SYSTEM.  It seems like you should rather attempt to see if the
user has access to the necessary privilege to read the appropriate table(s)
(that is, V$SESSION, etc.).  Would you care to give it another try and amend
your patch submission to take this into account?  I would work on it if I
had more time at this point - but alas I do not.  How about it?

Rob Manning


CollabraSpace - Revolutionary Collaboration
Visit us at http://www.collabraspace.com
This message has been scanned for viruses by
ClamAV v0.83



Maury Hammel wrote:

> Alexander Buloichik wrote:
>
>> Hi, All !
>>
>>   I committed a patch for the Oracle plugin to SourceForge.
>>   It detects how we connected to Oracle (as SYSTEM or as an ordinary
>> user) and displays the INSTANCES and SESSIONS nodes only for the SYSTEM
>> user, because only the SYSTEM user can read this data from the
>> server. It also changes the display mode for the USERS node. It
>> displays only the current user for an ordinary user, and all
>> users for the SYSTEM user.
>
>
> I don't know about anyone else, but I don't think this is a good
> 'fix'.  SYSTEM is not the only user that can see that information.  On
> the sites where I have worked with Oracle, SYSTEM is not routinely
> used as a login from remote tools -- in fact, it has been discouraged.
>
> I would suggest that this be changed to look to see if the user has
> the DBA role (and/or whatever other privileges are required to see
> that information) before removing it from the view.

Maury,

Thanks for that observation.  I was thinking that there are more cases
where a user other than SYSTEM has access to v$session (like granting read
access to v$session to a user).  I would want to find a reliable way of
determining access to v$session before disabling the view.  (Maybe even
perform the query and, if it's successful, enable the view; if not, disable
it and don't display an error message.)

my two cents,

Rob Manning


_______________________________________________
Squirrel-sql-develop mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/squirrel-sql-develop
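
The approach suggested in the thread (run the query and enable the view only if it succeeds), as an added example that is not part of the original messages or of SQuirreL SQL's code. The class and method names are hypothetical, and it assumes a JDBC connection to Oracle, whose driver reports ORA-00942 and ORA-01031 as vendor codes 942 and 1031.

```java
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/** Hypothetical helper; not part of SQuirreL SQL or the submitted patch. */
public final class OracleViewAccessProbe {

    // Oracle vendor codes that mean "this session may not read the object".
    private static final int ORA_TABLE_OR_VIEW_DOES_NOT_EXIST = 942;  // ORA-00942
    private static final int ORA_INSUFFICIENT_PRIVILEGES = 1031;      // ORA-01031

    private OracleViewAccessProbe() { }

    /**
     * Returns true if the current session can SELECT from the given view.
     * viewName must be a constant chosen by the caller (for example
     * "V$SESSION"), never user input, because it is concatenated into SQL.
     */
    public static boolean canRead(Connection con, String viewName) throws SQLException {
        // Defensive check: accept only a plain Oracle identifier.
        if (!viewName.matches("[A-Za-z][A-Za-z0-9_$#.]*")) {
            throw new IllegalArgumentException("unexpected view name: " + viewName);
        }
        // ROWNUM = 1 keeps the probe cheap; an empty view still counts as readable.
        String sql = "SELECT 1 FROM " + viewName + " WHERE ROWNUM = 1";
        try (Statement st = con.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return true; // statement parsed and executed, so the privilege exists
        } catch (SQLException e) {
            int code = e.getErrorCode();
            if (code == ORA_TABLE_OR_VIEW_DOES_NOT_EXIST
                    || code == ORA_INSUFFICIENT_PRIVILEGES) {
                return false; // expected for unprivileged users: hide the node quietly
            }
            throw e; // dropped connection and similar are real failures, not "no access"
        }
    }
}
```

A caller would evaluate `canRead(con, "V$SESSION")` once per session and show or hide the sessions node based on the result, regardless of the login name or granted roles.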

