From 26b49de97b043caf8f65919a315ced9de7768e3f Mon Sep 17 00:00:00 2001
From: pufit <pufit.dev@gmail.com>
Date: Wed, 22 Oct 2025 11:30:28 +0000
Subject: [PATCH] Merge pull request #88802 from
 ClickHouse/pufit/fix-table-function-access

Better access validation for `TableFunctionLoop`
---
 src/TableFunctions/TableFunctionLoop.cpp      |  2 ++
 ...loop_table_function_access_check.reference |  1 +
 .../03680_loop_table_function_access_check.sh | 25 +++++++++++++++++++
 3 files changed, 28 insertions(+)
 create mode 100644 tests/queries/0_stateless/03680_loop_table_function_access_check.reference
 create mode 100755 tests/queries/0_stateless/03680_loop_table_function_access_check.sh

diff --git a/src/TableFunctions/TableFunctionLoop.cpp b/src/TableFunctions/TableFunctionLoop.cpp
index 43f122f6cb34..f3456b41a42f 100644
--- a/src/TableFunctions/TableFunctionLoop.cpp
+++ b/src/TableFunctions/TableFunctionLoop.cpp
@@ -1,4 +1,5 @@
 #include "config.h"
+#include <Access/Common/AccessFlags.h>
 #include <TableFunctions/ITableFunction.h>
 #include <TableFunctions/TableFunctionFactory.h>
 #include <Interpreters/Context.h>
@@ -118,6 +119,7 @@ namespace DB
             storage = database->tryGetTable(loop_table_name, context);
             if (!storage)
                 throw Exception(ErrorCodes::UNKNOWN_TABLE, "Table '{}' not found in database '{}'", loop_table_name, database_name);
+            context->checkAccess(AccessType::SELECT, database_name, loop_table_name);
         }
         else
         {
diff --git a/tests/queries/0_stateless/03680_loop_table_function_access_check.reference b/tests/queries/0_stateless/03680_loop_table_function_access_check.reference
new file mode 100644
index 000000000000..257cc5642cb1
--- /dev/null
+++ b/tests/queries/0_stateless/03680_loop_table_function_access_check.reference
@@ -0,0 +1 @@
+foo
diff --git a/tests/queries/0_stateless/03680_loop_table_function_access_check.sh b/tests/queries/0_stateless/03680_loop_table_function_access_check.sh
new file mode 100755
index 000000000000..cb2f3a08ceaf
--- /dev/null
+++ b/tests/queries/0_stateless/03680_loop_table_function_access_check.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+# Tags: long, no-replicated-database, no-async-insert
+
+CURDIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+# shellcheck source=../shell_config.sh
+. "$CURDIR"/../shell_config.sh
+
+
+user="user03631_${CLICKHOUSE_DATABASE}_$RANDOM"
+db=${CLICKHOUSE_DATABASE}
+
+${CLICKHOUSE_CLIENT} <<EOF
+CREATE TABLE $db.test_table (s String) ENGINE = MergeTree ORDER BY s;
+INSERT INTO $db.test_table VALUES ('foo');
+
+DROP USER IF EXISTS $user;
+CREATE USER $user;
+GRANT CREATE TEMPORARY TABLE ON *.* TO $user;
+EOF
+
+${CLICKHOUSE_CLIENT} --user $user --query "SELECT * FROM loop('$db', 'test_table') LIMIT 1; -- { serverError ACCESS_DENIED }";
+${CLICKHOUSE_CLIENT} --query "GRANT SELECT ON $db.test_table TO $user";
+${CLICKHOUSE_CLIENT} --user $user --query "SELECT * FROM loop('$db', 'test_table') LIMIT 1";
+
+${CLICKHOUSE_CLIENT} --query "DROP USER IF EXISTS $user";