Merge pull request #1256 from Altinity/backports/25.8.13/90761

25.8.13 Stable backport of ClickHouse#90761: Fix access validation for ALTER UPDATE with `remote` table function

Author: zvonand

src/TableFunctions/TableFunctionRemote.cpp

@@ -21,6 +21,7 @@
 #include <Core/Defines.h>
 #include <Core/Settings.h>
 #include <TableFunctions/registerTableFunctions.h>
+#include <Access/Common/AccessFlags.h>
 
 
 namespace DB
@@ -315,6 +316,22 @@ StoragePtr TableFunctionRemote::executeImpl(const ASTPtr & /*ast_function*/, Con
         cached_columns = getActualTableStructure(context, is_insert_query);
 
     assert(cluster);
+
+    bool has_local_shard = false;
+    for (const auto & shard_info : cluster->getShardsInfo())
+    {
+        if (shard_info.isLocal())
+        {
+            has_local_shard = true;
+            break;
+        }
+    }
+
+    if (has_local_shard && !is_insert_query)
+        context->checkAccess(AccessType::SELECT, remote_table_id);
+    else if (has_local_shard)
+        context->checkAccess(AccessType::INSERT, remote_table_id);
+
     StoragePtr res = std::make_shared<StorageDistributed>(
             StorageID(getDatabaseName(), table_name),
             cached_columns,

tests/queries/0_stateless/03727_alter_with_localhost_remote.reference

@@ -0,0 +1,30 @@
+-- Tags: no-replicated-database, no-parallel
+
+DROP USER IF EXISTS test_03727;
+CREATE USER test_03727;
+
+CREATE TABLE normal
+(
+    n Int32,
+    s String
+)
+ENGINE = MergeTree()
+ORDER BY n;
+
+CREATE TABLE secret
+(
+    s String
+)
+ENGINE = MergeTree()
+ORDER BY s;
+
+INSERT INTO normal VALUES (1, '');
+INSERT INTO secret VALUES ('secret');
+
+GRANT ALTER UPDATE ON normal TO test_03727;
+GRANT READ ON REMOTE to test_03727;
+GRANT CREATE TEMPORARY TABLE ON *.* TO test_03727;
+
+EXECUTE AS test_03727 ALTER TABLE normal UPDATE s = (SELECT * FROM remote('localhost', currentDatabase(), 'secret') LIMIT 1) WHERE n=1; -- { serverError ACCESS_DENIED }
+
+DROP USER IF EXISTS test_03727;