diff options
author | Huang Zhw <huang_zhw@126.com> | 2021-03-26 19:10:01 +0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-03-26 14:10:01 +0300 |
commit | e138698e54e97bfaababf56507026bf92dd4deb4 (patch) | |
tree | 9546f312fda235d415cbb717f9d5eb660535f261 /src/multi.c | |
parent | db6655deb42d32374c71d00caf48efb63a13c2ec (diff) | |
download | redis-e138698e54e97bfaababf56507026bf92dd4deb4.tar.gz |
make processCommand check publish channel permissions. (#8534)
Add publish channel permissions check in processCommand.
processCommand didn't check publish channel permissions, so we can
queue a publish command in a transaction. But when exec the transaction,
it will fail with -NOPERM.
We also union keys/commands/channels permissions check togegher in
ACLCheckAllPerm. Remove pubsubCheckACLPermissionsOrReply in
publishCommand/subscribeCommand/psubscribeCommand. Always
check permissions in processCommand/execCommand/
luaRedisGenericCommand.
Diffstat (limited to 'src/multi.c')
-rw-r--r-- | src/multi.c | 7 |
1 files changed, 3 insertions, 4 deletions
diff --git a/src/multi.c b/src/multi.c index 4abdb7499..902c919c7 100644 --- a/src/multi.c +++ b/src/multi.c @@ -204,9 +204,7 @@ void execCommand(client *c) { /* ACL permissions are also checked at the time of execution in case * they were changed after the commands were queued. */ int acl_errpos; - int acl_retval = ACLCheckCommandPerm(c,&acl_errpos); - if (acl_retval == ACL_OK && c->cmd->proc == publishCommand) - acl_retval = ACLCheckPubsubPerm(c,1,1,0,&acl_errpos); + int acl_retval = ACLCheckAllPerm(c,&acl_errpos); if (acl_retval != ACL_OK) { char *reason; switch (acl_retval) { @@ -217,7 +215,8 @@ void execCommand(client *c) { reason = "no permission to touch the specified keys"; break; case ACL_DENIED_CHANNEL: - reason = "no permission to publish to the specified channel"; + reason = "no permission to access one of the channels used " + "as arguments"; break; default: reason = "no permission"; |