Merge pull request #1099 from Altinity/backport/24.8.14/88802

24.8.14 Backport of ClickHouse#88802 - Better access validation for `TableFunctionLoop`

Author: zvonand

src/TableFunctions/TableFunctionLoop.cpp

@@ -1,4 +1,5 @@
 #include "config.h"
+#include <Access/Common/AccessFlags.h>
 #include <TableFunctions/ITableFunction.h>
 #include <TableFunctions/TableFunctionFactory.h>
 #include <Interpreters/Context.h>
@@ -118,6 +119,7 @@ namespace DB
             storage = database->tryGetTable(loop_table_name, context);
             if (!storage)
                 throw Exception(ErrorCodes::UNKNOWN_TABLE, "Table '{}' not found in database '{}'", loop_table_name, database_name);
+            context->checkAccess(AccessType::SELECT, database_name, loop_table_name);
         }
         else
         {

tests/queries/0_stateless/03680_loop_table_function_access_check.reference

@@ -0,0 +1 @@
+foo

tests/queries/0_stateless/03680_loop_table_function_access_check.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+# Tags: long, no-replicated-database, no-async-insert
+
+CURDIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+# shellcheck source=../shell_config.sh
+. "$CURDIR"/../shell_config.sh
+
+
+user="user03631_${CLICKHOUSE_DATABASE}_$RANDOM"
+db=${CLICKHOUSE_DATABASE}
+
+${CLICKHOUSE_CLIENT} <<EOF
+CREATE TABLE $db.test_table (s String) ENGINE = MergeTree ORDER BY s;
+INSERT INTO $db.test_table VALUES ('foo');
+
+DROP USER IF EXISTS $user;
+CREATE USER $user;
+GRANT CREATE TEMPORARY TABLE ON *.* TO $user;
+EOF
+
+${CLICKHOUSE_CLIENT} --user $user --query "SELECT * FROM loop('$db', 'test_table') LIMIT 1; -- { serverError ACCESS_DENIED }";
+${CLICKHOUSE_CLIENT} --query "GRANT SELECT ON $db.test_table TO $user";
+${CLICKHOUSE_CLIENT} --user $user --query "SELECT * FROM loop('$db', 'test_table') LIMIT 1";
+
+${CLICKHOUSE_CLIENT} --query "DROP USER IF EXISTS $user";