Treat internal replicator operations as locksmith-allowed. This ensures that replicated DDL never fails due to permission checks. Cleanup replicator checks from SCL, they become redundant now. This fixes #8867: Replication stops if GRANT issued by NON-DBA user who has ADMIN role and appropriate object (table, etc) belongs to another user

Author: dyemanov

src/jrd/Attachment.cpp

@@ -315,6 +315,15 @@ Jrd::Attachment::~Attachment()
 }
 
 
+bool Attachment::locksmith(thread_db* tdbb, SystemPrivilege sp) const
+{
+	if (tdbb->tdbb_flags & TDBB_replicator)
+		return true;
+
+	const auto user = getEffectiveUserId();
+	return (user && user->locksmith(tdbb, sp));
+}
+
 Jrd::PreparedStatement* Jrd::Attachment::prepareStatement(thread_db* tdbb, jrd_tra* transaction,
 	const string& text, Firebird::MemoryPool* pool)
 {

src/jrd/Attachment.h

@@ -870,12 +870,6 @@ class Attachment : public pool_alloc<type_att>
 };
 
 
-inline bool Attachment::locksmith(thread_db* tdbb, SystemPrivilege sp) const
-{
-	const auto user = getEffectiveUserId();
-	return (user && user->locksmith(tdbb, sp));
-}
-
 inline jrd_tra* Attachment::getSysTransaction()
 {
 	return att_sys_transaction;

src/jrd/scl.epp

@@ -159,10 +159,6 @@ void SCL_check_access(thread_db* tdbb,
  **************************************/
 	SET_TDBB(tdbb);
 
-	// Allow the replicator any access to database, its permissions are already validated
-	if (tdbb->tdbb_flags & TDBB_replicator)
-		return;
-
 	const MetaName& userName = s_class->sclClassUser.second;
 
 	if (s_class && (s_class->scl_flags & SCL_corrupt))
@@ -222,10 +218,6 @@ void SCL_check_create_access(thread_db* tdbb, ObjectType type)
  **************************************/
 	SET_TDBB(tdbb);
 
-	// Allow the replicator any access to database, its permissions are already validated
-	if (tdbb->tdbb_flags & TDBB_replicator)
-		return;
-
 	Jrd::Attachment* const attachment = tdbb->getAttachment();
 
 	// Allow the locksmith any access to database