Fix ##8462: Allow a user with the "GRANT_REVOKE_ON_ANY_OBJECT" privil…

…ege to revoke permissions that were granted by someone other (cherry picked from commit b1c1202)
FirebirdSQL · Mar 10, 2025 · 9676433 · 9676433
1 parent c9928ad
commit 9676433
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/src/dsql/DdlNodes.epp b/src/dsql/DdlNodes.epp
@@ -11993,11 +11993,11 @@ void GrantRevokeNode::grantRevoke(thread_db* tdbb, jrd_tra* transaction, const G
 
 					MetaName owner;
 					if ((grantorRevoker == PRIV.RDB$GRANTOR) ||
+						(attachment->locksmith(tdbb, GRANT_REVOKE_ON_ANY_OBJECT) ||	// God-like check
 						((objType == obj_sql_role) && (PRIV.RDB$PRIVILEGE[0] == 'M') &&		// This is ROLE to USER grant
 						 (currentUser != user) &&						// And current user does not revoke his own grant
-						 ((isItSqlRole(tdbb, transaction, objName, owner) &&		// Pick up role owner name
-						   (attachment->locksmith(tdbb, GRANT_REVOKE_ON_ANY_OBJECT) ||	// God-like check
-						    (owner == currentUser))) ||					// Current user is role owner
+						 (isItSqlRole(tdbb, transaction, objName, owner) &&		// Pick up role owner name
+						    (owner == currentUser)) ||							// Current user is role owner
 						  (getGrantorOption(tdbb, transaction, currentUser, obj_user, objName) == 2))))	// or has ADMIN option
 					{
 						MetaName newField = NULL;