From 8a8d050baecd8116f926ddfc458298b74b071a53 Mon Sep 17 00:00:00 2001 From: Natalia Ivakina Date: Fri, 2 Aug 2024 12:22:23 +0200 Subject: [PATCH] Add `00N70` to the notification code `CommandHasNoEffect` --- .../notifications/all-notifications.adoc | 128 +++++++++++------- 1 file changed, 81 insertions(+), 47 deletions(-) diff --git a/modules/ROOT/pages/notifications/all-notifications.adoc b/modules/ROOT/pages/notifications/all-notifications.adoc index 64195ea..6a14cf8 100644 --- a/modules/ROOT/pages/notifications/all-notifications.adoc +++ b/modules/ROOT/pages/notifications/all-notifications.adoc @@ -2081,7 +2081,7 @@ Security notifications indicate that the result of the query or command might ha Verify that this is the intended behavior of your query or command. [#_neo_clientnotification_security_commandhasnoeffect] -=== CommandHasNoEffect +=== Role or privilege not assigned .Notification details [cols="<1s,<4"] @@ -2092,9 +2092,7 @@ m|Neo.ClientNotification.Security.CommandHasNoEffect a|`` has no effect.* |Descriptions a| -- The user already has the role. See Status Codes documentation for more information. - The user does not have the role. See Status Codes documentation for more information. -- The role already has the privilege. See Status Codes documentation for more information. - The role does not have the privilege. See Status Codes documentation for more information. |Category m|SECURITY 
@@ -2112,34 +2110,35 @@ m|INFORMATION *_```` and `cmd` could be either the full command given by the user or a subset of the given command._ -.Granting a role to a user who already has that role + +.Revoking a role from a user who does not have that role [.tabbed-example] ===== [.include-with-neo4j-code] ====== Command:: + -[source,cypher] +[source, cypher] ---- -GRANT ROLE admin TO john +REVOKE ROLE admin, reader FROM jane ---- + Title of the returned code:: -`GRANT ROLE admin TO john` has no effect. +`REVOKE ROLE reader FROM jane` has no effect. Description of the returned code:: -The user already has the role. See Status Codes documentation for more information. +The user does not have the role. See Status Codes documentation for more information. Suggestions for improvement:: Verify that this is the intended role and user. - ====== [.include-with-GQLSTATUS-code] ====== Command:: + -[source,cypher] +[source, cypher] ---- -GRANT ROLE admin TO john +REVOKE ROLE admin, reader FROM jane ---- Returned GQLSTATUS code:: @@ -2147,16 +2146,15 @@ Returned GQLSTATUS code:: Returned status description:: note: successful completion - role or privilege not assigned. -`GRANT ROLE admin TO john` has no effect. +`REVOKE ROLE reader FROM jane` has no effect. The role or privilege is not assigned. Suggestions for improvement:: Verify that this is the intended role and user. - ====== ===== -.Revoking a role from a user who does not have that role +.Revoking a privilege from a role that does not have that privilege [.tabbed-example] ===== [.include-with-neo4j-code] 
@@ -2165,25 +2163,26 @@ Command:: + [source, cypher] ---- -REVOKE ROLE admin, reader FROM jane +REVOKE WRITE ON GRAPH * FROM reader ---- Title of the returned code:: -`REVOKE ROLE reader FROM jane` has no effect. +`REVOKE DENY WRITE ON GRAPH * FROM reader` has no effect. Description of the returned code:: -The user does not have the role. See Status Codes documentation for more information. +The role does not have the privilege. See Status Codes documentation for more information. Suggestions for improvement:: -Verify that this is the intended role and user. +Verify that this is the intended privilege and role. ====== [.include-with-GQLSTATUS-code] ====== + Command:: + [source, cypher] ---- -REVOKE ROLE admin, reader FROM jane +REVOKE WRITE ON GRAPH * FROM reader ---- Returned GQLSTATUS code:: 
@@ -2191,60 +2190,94 @@ Returned GQLSTATUS code:: Returned status description:: note: successful completion - role or privilege not assigned. -`REVOKE ROLE reader FROM jane` has no effect. +`REVOKE DENY WRITE ON GRAPH * FROM reader` has no effect. The role or privilege is not assigned. Suggestions for improvement:: -Verify that this is the intended role and user. +Verify that this is the intended privilege and role. + ====== ===== -.Granting or denying a privilege to a role that already has that privilege -// This command returns 2 notifications, one for NODES and one for RELATIONSHIPS. + +[#_neo_clientnotification_security_roleorprivilegealreadyassigned] +=== Role or privilege already assigned + +.Notification details +[cols="<1s,<4"] +|=== +|Neo4j code +m|Neo.ClientNotification.Security.CommandHasNoEffect +|Title +a|`` has no effect.* +|Descriptions +a| +- The user already has the role. See Status Codes documentation for more information. +- The role already has the privilege. See Status Codes documentation for more information. +|Category +m|SECURITY +|GQLSTATUS code +m|00N70 +|Status description +|note: successful completion - role or privilege already assigned. +`$cmd` has no effect. +The role or privilege is already assigned. +|Classification +m|SECURITY +|SeverityLevel +m|INFORMATION +|=== + +*_```` and `cmd` could be either the full command given by the user or a subset of the given command._ + + +.Granting a role to a user who already has that role [.tabbed-example] ===== [.include-with-neo4j-code] ====== Command:: + -[source, cypher] +[source,cypher] ---- -GRANT TRAVERSE ON GRAPH * TO reader +GRANT ROLE admin TO john ---- - Title of the returned code:: -`GRANT TRAVERSE ON GRAPH * NODE * TO reader` has no effect. +`GRANT ROLE admin TO john` has no effect. Description of the returned code:: -The role already has the privilege. See Status Codes documentation for more information. +The user already has the role. 
See Status Codes documentation for more information. Suggestions for improvement:: -Verify that this is the intended privilege and role. +Verify that this is the intended role and user. ====== [.include-with-GQLSTATUS-code] ====== Command:: + -[source, cypher] +[source,cypher] ---- -GRANT TRAVERSE ON GRAPH * TO reader +GRANT ROLE admin TO john ---- Returned GQLSTATUS code:: -00N71 +00N70 Returned status description:: -note: successful completion - role or privilege not assigned. -`GRANT TRAVERSE ON GRAPH * TO reader` has no effect. -The role or privilege is not assigned. +note: successful completion - role or privilege already assigned. +`GRANT ROLE admin TO john` has no effect. +The role or privilege is already assigned. Suggestions for improvement:: -Verify that this is the intended privilege and role. +Verify that this is the intended role and user. + ====== ===== -.Revoking a privilege from a role that does not have that privilege + +.Granting or denying a privilege to a role that already has that privilege +// This command returns 2 notifications, one for NODES and one for RELATIONSHIPS. [.tabbed-example] ===== [.include-with-neo4j-code] 
@@ -2253,42 +2286,43 @@ Command:: + [source, cypher] ---- -REVOKE WRITE ON GRAPH * FROM reader +GRANT TRAVERSE ON GRAPH * TO reader ---- Title of the returned code:: -`REVOKE DENY WRITE ON GRAPH * FROM reader` has no effect. +`GRANT TRAVERSE ON GRAPH * NODE * TO reader` has no effect. Description of the returned code:: -The role does not have the privilege. See Status Codes documentation for more information. +The role already has the privilege. See Status Codes documentation for more information. Suggestions for improvement:: Verify that this is the intended privilege and role. + ====== [.include-with-GQLSTATUS-code] ====== - Command:: + [source, cypher] ---- -REVOKE WRITE ON GRAPH * FROM reader +GRANT TRAVERSE ON GRAPH * TO reader ---- Returned GQLSTATUS code:: -00N71 +00N70 Returned status description:: -note: successful completion - role or privilege not assigned. -`REVOKE DENY WRITE ON GRAPH * FROM reader` has no effect. -The role or privilege is not assigned. +note: successful completion - role or privilege already assigned. +`GRANT TRAVERSE ON GRAPH * TO reader` has no effect. +The role or privilege is already assigned. Suggestions for improvement:: Verify that this is the intended privilege and role. - ====== ===== + + [#_neo_clientnotification_security_impossiblerevokecommand] === Impossible revoke command
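Review bot: In the first hunk (@@ -2081,7), the "already has the role" and "already has the privilege" descriptions are dropped from the section that keeps the anchor `_neo_clientnotification_security_commandhasnoeffect`, so an existing link to that anchor now lands on a page section covering only the "not assigned" case. Since both sections still list `Neo.ClientNotification.Security.CommandHasNoEffect` as the Neo4j code, add one sentence under the renamed heading that points to "Role or privilege already assigned" for the other half of the code.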
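Review bot: Style point in the second hunk (@@ -2112,34): the block attribute changes from `[source,cypher]` to `[source, cypher]` for the REVOKE ROLE example, while the fourth hunk changes `[source, cypher]` to `[source,cypher]` for the GRANT ROLE example. Moving the examples has only swapped the two spellings around; pick one form and use it in all of the touched blocks. The same hunk also adds a blank line after `----` in the first tab but not in the second, which is worth making uniform.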
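Review bot: In the third hunk (@@ -2165,25), the example command is `REVOKE WRITE ON GRAPH * FROM reader` but the returned title and status description quote `REVOKE DENY WRITE ON GRAPH * FROM reader`, and nothing in the example says why the quoted command differs from the one typed. The TRAVERSE example carries a comment explaining that the command expands into several notifications; add an equivalent explanation here, in rendered text rather than a `//` comment, so a reader auditing privilege changes can match the notification to the command that produced it. The hunk also inserts a blank line between `======` and `Command::` in the GQLSTATUS tab only.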
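Review bot: In the fourth hunk (@@ -2191,60), the new anchor `_neo_clientnotification_security_roleorprivilegealreadyassigned` follows the pattern the neighbouring anchors use for Neo4j code names (`_neo_clientnotification_security_commandhasnoeffect`, `_neo_clientnotification_security_impossiblerevokecommand`), yet the table directly below it gives the Neo4j code as `Neo.ClientNotification.Security.CommandHasNoEffect`. An ID that reads like a notification code which does not exist is easy to mistake for one; consider an ID built from the real code plus the GQLSTATUS, and state in the section text that this Neo4j code maps to two GQLSTATUS codes.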
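Review bot: In the last hunk (@@ -2253,42), the two tabs of the TRAVERSE example disagree on the quoted command: the Neo4j tab reports `GRANT TRAVERSE ON GRAPH * NODE * TO reader` while the GQLSTATUS tab reports `GRANT TRAVERSE ON GRAPH * TO reader`. The `//` comment above the example says the command returns two notifications, one for NODES and one for RELATIONSHIPS, so confirm which string the 00N70 status description actually carries and make both tabs consistent with it. That comment is not rendered in the published page, so the explanation should move into visible text.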