ID Number: Q79853
1.11
OS/2
buglist1.11
Summary:
Problem ID: PRSQL9112011
SYMPTOMS
The database owner (DBO) creates a view "V" on a table "T". V is a
subset of the rows of T. The DBO then gives permission to a user
(for example, "Joe") to select from V. Joe also has permission to
create views; however, he does not have ANY permissions on T. Joe
now creates a view W, which is "select * from V". Using W, Joe can
insert, delete, and update table T.
WORKAROUND
To avoid problems such as the one described above, the DBO should
not freely give object-creation permissions to users of a database.
Although this is not a workaround in the normal sense of the term,
it may serve as a useful policy.
STATUS
Microsoft has confirmed this to be a problem in SQL Server version
1.11. This problem does not occur in SQL Server version 4.2.
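
The scenario under SYMPTOMS and the policy under WORKAROUND, written out as a check script. This is an added example, not part of the original article. The column layout of T, the sample rows, and the lowercase user name joe are constructed for illustration, and the batches are meant to be run from a query tool that uses "go" as the batch separator.

```sql
-- Part 1: run as the database owner (DBO).
-- T's columns and rows are constructed sample data.
create table T (id int not null, region char(10) not null, amount int not null)
go
insert into T values (1, 'east', 100)
insert into T values (2, 'west', 200)
go
-- V exposes only a subset of the rows of T.
create view V as select id, region, amount from T where region = 'east'
go
grant select on V to joe      -- the only object permission joe receives
grant create view to joe      -- the object-creation permission the WORKAROUND warns about
go

-- Part 2: run in a session logged in as joe.
select * from T               -- expected: permission denied, joe has nothing on T
go
create view W as select * from V
go
select * from W               -- expected: the single 'east' row
go
-- joe holds only SELECT on V and no permission on T, so each of the
-- next three statements must be rejected. The article reports that
-- on version 1.11 they reach T instead.
update W set amount = 0 where id = 1
go
insert into W values (3, 'east', 300)
go
delete from W where id = 1
go
drop view W                   -- joe removes his own view
go

-- Part 3: run as the DBO again.
-- T must still hold exactly the two rows inserted in Part 1.
select id, region, amount from T order by id
go
-- Apply the policy from WORKAROUND: joe keeps SELECT on V but can no
-- longer create views on top of it.
revoke create view from joe
go
drop view V
drop table T
go
```

If the final select shows a changed amount, a third row, or a missing row, the server exhibits the behavior described under SYMPTOMS.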