sql server - User can delete rows from a table by calling a procedure


I'm getting confused by SQL Server security.

  • We have a login and user: test

  • We have a table: dbo.tblsessionfilter

User test has no SELECT and no DELETE permission on the table (I tested this!!).

  • Then we have a procedure:

    create procedure dbo.procfilter_clear
    with execute as caller
    as
        delete dbo.tblsessionfilter where spid = @@spid

User test has EXECUTE rights on the procedure.

And now user test can call the procedure and can delete entries from the table, although he has no direct DELETE access on the table, and the procedure executes as caller!

How is this possible?

Is it because the procedure and the table are in the same schema?

See Ownership Chains:

When multiple database objects access each other sequentially, the sequence is known as a chain. Although such chains do not independently exist, when SQL Server traverses the links in a chain, SQL Server evaluates permissions on the constituent objects differently than it would if it were accessing the objects separately.

And,

When an object is accessed through a chain, SQL Server first compares the owner of the object to the owner of the calling object. This is the previous link in the chain. If both objects have the same owner, permissions on the referenced object are not evaluated.

(my emphasis)
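The chain described above, reproduced end to end and contrasted with a procedure whose owner differs from the table owner, as an added example that is not part of the original post. It assumes a scratch database run as sysadmin; the user chain_owner and the schema sessionops are constructed names, and test is created without a login as a stand-in for the login-mapped user in the question.

```sql
-- Added example (not from the original post): same-owner chain vs. broken chain.
-- chain_owner and sessionops are constructed names; run as sysadmin in a scratch DB.
CREATE TABLE dbo.tblsessionfilter (spid INT NOT NULL, filter_value NVARCHAR(100));
INSERT INTO dbo.tblsessionfilter VALUES (@@SPID, N'mine'), (-1, N'someone else');
CREATE USER test WITHOUT LOGIN;          -- stand-in for the login-mapped user
CREATE USER chain_owner WITHOUT LOGIN;   -- distinct owner for the second schema
GO
CREATE SCHEMA sessionops AUTHORIZATION chain_owner;
GO
-- As in the question: procedure and table are both owned by dbo.
CREATE PROCEDURE dbo.procfilter_clear
WITH EXECUTE AS CALLER
AS
    DELETE dbo.tblsessionfilter WHERE spid = @@SPID;
GO
-- Same body, but its owner (chain_owner) differs from the table owner (dbo).
CREATE PROCEDURE sessionops.procfilter_clear
WITH EXECUTE AS CALLER
AS
    DELETE dbo.tblsessionfilter WHERE spid = @@SPID;
GO
GRANT EXECUTE ON dbo.procfilter_clear TO test;
GRANT EXECUTE ON sessionops.procfilter_clear TO test;
-- No SELECT or DELETE on the table is ever granted to test.

EXECUTE AS USER = 'test';
BEGIN TRY
    DELETE dbo.tblsessionfilter WHERE spid = @@SPID;  -- direct: denied, no DELETE
END TRY BEGIN CATCH PRINT 'direct: ' + ERROR_MESSAGE(); END CATCH;

BEGIN TRY
    EXEC sessionops.procfilter_clear;  -- owners differ: DELETE is checked, denied
END TRY BEGIN CATCH PRINT 'broken chain: ' + ERROR_MESSAGE(); END CATCH;

EXEC dbo.procfilter_clear;  -- same owner: table permission is never evaluated
REVERT;

-- Only the caller's row is gone; the spid = -1 row survives.
SELECT spid, filter_value FROM dbo.tblsessionfilter;

-- Cleanup (schema must be empty before it and its owner are dropped).
DROP PROCEDURE dbo.procfilter_clear, sessionops.procfilter_clear;
DROP SCHEMA sessionops; DROP TABLE dbo.tblsessionfilter;
DROP USER test; DROP USER chain_owner;
```

The two PRINT lines surface the permission denials, while the dbo-owned procedure deletes the caller's row without test ever holding DELETE on the table, which is the behaviour the question reports.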
