Fixed loophole in privilege check.

jgebal · jgebal · commit e25c375c7161 · 2019-11-12T01:09:13.000Z
diff --git a/source/core/types/ut_executable_test.tpb b/source/core/types/ut_executable_test.tpb
@@ -56,7 +56,7 @@ create or replace type body ut_executable_test as
         l_fail_message := 'Expected one of exceptions ('||l_expected_error_codes||') but nothing was raised.';
       else
         l_actual_error_no := regexp_substr(self.error_stack, '^[a-zA-Z]{3}(-[0-9]+)', subexpression=>1);
-        if not l_actual_error_no member of a_expected_error_codes then
+        if not l_actual_error_no member of a_expected_error_codes or l_actual_error_no is null then
           l_fail_message := 'Actual: '||l_actual_error_no||' was expected to ';
           if cardinality(a_expected_error_codes) > 1 then
             l_fail_message := l_fail_message || 'be one of: ('||l_expected_error_codes||')';
diff --git a/source/core/ut_metadata.pkb b/source/core/ut_metadata.pkb
@@ -123,7 +123,7 @@ create or replace package body ut_metadata as
   function user_has_execute_any_proc return boolean is
     l_ut_owner     varchar2(250) := ut_utils.ut_owner;
   begin
-    return is_object_visible(l_ut_owner||'.ut_utils');
+    return is_object_visible(l_ut_owner||'.ut_utils') and sys_context('userenv','current_schema') != l_ut_owner;
   end;
 
   function is_object_visible(a_object_name varchar2) return boolean is
diff --git a/source/core/ut_suite_manager.pkb b/source/core/ut_suite_manager.pkb
@@ -373,7 +373,10 @@ create or replace package body ut_suite_manager is
     a_owner_name         varchar2
   ) return boolean is
   begin
-    return sys_context( 'userenv', 'current_schema' ) = a_owner_name or ut_metadata.user_has_execute_any_proc() or ut_trigger_check.is_alive();
+    return sys_context( 'userenv', 'current_schema' ) = a_owner_name or ut_metadata.user_has_execute_any_proc()
+        or ( ut_trigger_check.is_alive()
+             and ut_annotation_cache_manager.get_cache_schema_info(a_owner_name, 'PACKAGE').full_refresh_time is not null
+           );
   end;
 
   procedure build_and_cache_suites(
