Loading mysql-test/r/view_grant.result +47 −3 Original line number Diff line number Diff line Loading @@ -776,15 +776,59 @@ GRANT CREATE VIEW ON db26813.v2 TO u26813@localhost; GRANT DROP, CREATE VIEW ON db26813.v3 TO u26813@localhost; GRANT SELECT ON db26813.t1 TO u26813@localhost; ALTER VIEW v1 AS SELECT f2 FROM t1; ERROR 42000: CREATE VIEW command denied to user 'u26813'@'localhost' for table 'v1' ERROR 42000: Access denied; you need the SUPER privilege for this operation ALTER VIEW v2 AS SELECT f2 FROM t1; ERROR 42000: DROP command denied to user 'u26813'@'localhost' for table 'v2' ERROR 42000: Access denied; you need the SUPER privilege for this operation ALTER VIEW v3 AS SELECT f2 FROM t1; ERROR 42000: Access denied; you need the SUPER privilege for this operation SHOW CREATE VIEW v3; View Create View v3 CREATE ALGORITHM=UNDEFINED DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW `v3` AS select `t1`.`f2` AS `f2` from `t1` v3 CREATE ALGORITHM=UNDEFINED DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW `v3` AS select `t1`.`f1` AS `f1` from `t1` DROP USER u26813@localhost; DROP DATABASE db26813; # # Bug#29908: A user can gain additional access through the ALTER VIEW. # CREATE DATABASE mysqltest_29908; USE mysqltest_29908; CREATE TABLE t1(f1 INT, f2 INT); CREATE USER u29908_1@localhost; CREATE DEFINER = u29908_1@localhost VIEW v1 AS SELECT f1 FROM t1; CREATE DEFINER = u29908_1@localhost SQL SECURITY INVOKER VIEW v2 AS SELECT f1 FROM t1; GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v1 TO u29908_1@localhost; GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_1@localhost; GRANT SELECT ON mysqltest_29908.t1 TO u29908_1@localhost; CREATE USER u29908_2@localhost; GRANT DROP, CREATE VIEW ON mysqltest_29908.v1 TO u29908_2@localhost; GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_2@localhost; GRANT SELECT ON mysqltest_29908.t1 TO u29908_2@localhost; ALTER VIEW v1 AS SELECT f2 FROM t1; ERROR 42000: Access denied; you need the SUPER privilege for this operation ALTER VIEW v2 AS SELECT f2 FROM t1; SHOW CREATE VIEW v2; View Create View v2 CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY INVOKER VIEW `v2` AS select `t1`.`f2` AS `f2` from `t1` ALTER VIEW v1 AS SELECT f2 FROM t1; SHOW CREATE VIEW v1; View Create View v1 CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY DEFINER VIEW `v1` AS select `t1`.`f2` AS `f2` from `t1` ALTER VIEW v2 AS SELECT f1 FROM t1; SHOW CREATE VIEW v2; View Create View v2 CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY INVOKER VIEW `v2` AS select `t1`.`f1` AS `f1` from `t1` ALTER VIEW v1 AS SELECT f1 FROM t1; SHOW CREATE VIEW v1; View Create View v1 CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY DEFINER VIEW `v1` AS select `t1`.`f1` AS `f1` from `t1` ALTER VIEW v2 AS SELECT f2 FROM t1; SHOW CREATE VIEW v2; View Create View v2 CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY INVOKER VIEW `v2` AS select `t1`.`f2` AS `f2` from `t1` DROP USER u29908_1@localhost; DROP USER u29908_2@localhost; DROP DATABASE mysqltest_29908; ####################################################################### DROP DATABASE IF EXISTS mysqltest1; DROP DATABASE IF EXISTS mysqltest2; CREATE DATABASE mysqltest1; Loading mysql-test/t/view_grant.test +47 −2 Original line number Diff line number Diff line Loading @@ -1034,10 +1034,11 @@ GRANT SELECT ON db26813.t1 TO u26813@localhost; connect (u1,localhost,u26813,,db26813); connection u1; --error 1142 --error ER_SPECIFIC_ACCESS_DENIED_ERROR ALTER VIEW v1 AS SELECT f2 FROM t1; --error 1142 --error ER_SPECIFIC_ACCESS_DENIED_ERROR ALTER VIEW v2 AS SELECT f2 FROM t1; --error ER_SPECIFIC_ACCESS_DENIED_ERROR ALTER VIEW v3 AS SELECT f2 FROM t1; connection root; Loading @@ -1047,6 +1048,50 @@ DROP USER u26813@localhost; DROP DATABASE db26813; disconnect u1; --echo # --echo # Bug#29908: A user can gain additional access through the ALTER VIEW. --echo # connection root; CREATE DATABASE mysqltest_29908; USE mysqltest_29908; CREATE TABLE t1(f1 INT, f2 INT); CREATE USER u29908_1@localhost; CREATE DEFINER = u29908_1@localhost VIEW v1 AS SELECT f1 FROM t1; CREATE DEFINER = u29908_1@localhost SQL SECURITY INVOKER VIEW v2 AS SELECT f1 FROM t1; GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v1 TO u29908_1@localhost; GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_1@localhost; GRANT SELECT ON mysqltest_29908.t1 TO u29908_1@localhost; CREATE USER u29908_2@localhost; GRANT DROP, CREATE VIEW ON mysqltest_29908.v1 TO u29908_2@localhost; GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_2@localhost; GRANT SELECT ON mysqltest_29908.t1 TO u29908_2@localhost; connect (u2,localhost,u29908_2,,mysqltest_29908); --error ER_SPECIFIC_ACCESS_DENIED_ERROR ALTER VIEW v1 AS SELECT f2 FROM t1; ALTER VIEW v2 AS SELECT f2 FROM t1; SHOW CREATE VIEW v2; connect (u1,localhost,u29908_1,,mysqltest_29908); ALTER VIEW v1 AS SELECT f2 FROM t1; SHOW CREATE VIEW v1; ALTER VIEW v2 AS SELECT f1 FROM t1; SHOW CREATE VIEW v2; connection root; ALTER VIEW v1 AS SELECT f1 FROM t1; SHOW CREATE VIEW v1; ALTER VIEW v2 AS SELECT f2 FROM t1; SHOW CREATE VIEW v2; DROP USER u29908_1@localhost; DROP USER u29908_2@localhost; DROP DATABASE mysqltest_29908; disconnect u1; disconnect u2; --echo ####################################################################### # # BUG#24040: Create View don't succed with "all privileges" on a database. # Loading sql/sql_view.cc +1 −4 Original line number Diff line number Diff line Loading @@ -223,9 +223,6 @@ bool mysql_create_view(THD *thd, TABLE_LIST *views, { LEX *lex= thd->lex; bool link_to_local; #ifndef NO_EMBEDDED_ACCESS_CHECKS bool definer_check_is_needed= mode != VIEW_ALTER || lex->definer; #endif /* first table in list is target VIEW name => cut off it */ TABLE_LIST *view= lex->unlink_first_table(&link_to_local); TABLE_LIST *tables= lex->query_tables; Loading Loading @@ -280,7 +277,7 @@ bool mysql_create_view(THD *thd, TABLE_LIST *views, - same as current user - current user has SUPER_ACL */ if (definer_check_is_needed && if (lex->definer && (strcmp(lex->definer->user.str, thd->security_ctx->priv_user) != 0 || my_strcasecmp(system_charset_info, lex->definer->host.str, Loading Loading
mysql-test/r/view_grant.result +47 −3 Original line number Diff line number Diff line Loading @@ -776,15 +776,59 @@ GRANT CREATE VIEW ON db26813.v2 TO u26813@localhost; GRANT DROP, CREATE VIEW ON db26813.v3 TO u26813@localhost; GRANT SELECT ON db26813.t1 TO u26813@localhost; ALTER VIEW v1 AS SELECT f2 FROM t1; ERROR 42000: CREATE VIEW command denied to user 'u26813'@'localhost' for table 'v1' ERROR 42000: Access denied; you need the SUPER privilege for this operation ALTER VIEW v2 AS SELECT f2 FROM t1; ERROR 42000: DROP command denied to user 'u26813'@'localhost' for table 'v2' ERROR 42000: Access denied; you need the SUPER privilege for this operation ALTER VIEW v3 AS SELECT f2 FROM t1; ERROR 42000: Access denied; you need the SUPER privilege for this operation SHOW CREATE VIEW v3; View Create View v3 CREATE ALGORITHM=UNDEFINED DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW `v3` AS select `t1`.`f2` AS `f2` from `t1` v3 CREATE ALGORITHM=UNDEFINED DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW `v3` AS select `t1`.`f1` AS `f1` from `t1` DROP USER u26813@localhost; DROP DATABASE db26813; # # Bug#29908: A user can gain additional access through the ALTER VIEW. # CREATE DATABASE mysqltest_29908; USE mysqltest_29908; CREATE TABLE t1(f1 INT, f2 INT); CREATE USER u29908_1@localhost; CREATE DEFINER = u29908_1@localhost VIEW v1 AS SELECT f1 FROM t1; CREATE DEFINER = u29908_1@localhost SQL SECURITY INVOKER VIEW v2 AS SELECT f1 FROM t1; GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v1 TO u29908_1@localhost; GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_1@localhost; GRANT SELECT ON mysqltest_29908.t1 TO u29908_1@localhost; CREATE USER u29908_2@localhost; GRANT DROP, CREATE VIEW ON mysqltest_29908.v1 TO u29908_2@localhost; GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_2@localhost; GRANT SELECT ON mysqltest_29908.t1 TO u29908_2@localhost; ALTER VIEW v1 AS SELECT f2 FROM t1; ERROR 42000: Access denied; you need the SUPER privilege for this operation ALTER VIEW v2 AS SELECT f2 FROM t1; SHOW CREATE VIEW v2; View Create View v2 CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY INVOKER VIEW `v2` AS select `t1`.`f2` AS `f2` from `t1` ALTER VIEW v1 AS SELECT f2 FROM t1; SHOW CREATE VIEW v1; View Create View v1 CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY DEFINER VIEW `v1` AS select `t1`.`f2` AS `f2` from `t1` ALTER VIEW v2 AS SELECT f1 FROM t1; SHOW CREATE VIEW v2; View Create View v2 CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY INVOKER VIEW `v2` AS select `t1`.`f1` AS `f1` from `t1` ALTER VIEW v1 AS SELECT f1 FROM t1; SHOW CREATE VIEW v1; View Create View v1 CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY DEFINER VIEW `v1` AS select `t1`.`f1` AS `f1` from `t1` ALTER VIEW v2 AS SELECT f2 FROM t1; SHOW CREATE VIEW v2; View Create View v2 CREATE ALGORITHM=UNDEFINED DEFINER=`u29908_1`@`localhost` SQL SECURITY INVOKER VIEW `v2` AS select `t1`.`f2` AS `f2` from `t1` DROP USER u29908_1@localhost; DROP USER u29908_2@localhost; DROP DATABASE mysqltest_29908; ####################################################################### DROP DATABASE IF EXISTS mysqltest1; DROP DATABASE IF EXISTS mysqltest2; CREATE DATABASE mysqltest1; Loading
mysql-test/t/view_grant.test +47 −2 Original line number Diff line number Diff line Loading @@ -1034,10 +1034,11 @@ GRANT SELECT ON db26813.t1 TO u26813@localhost; connect (u1,localhost,u26813,,db26813); connection u1; --error 1142 --error ER_SPECIFIC_ACCESS_DENIED_ERROR ALTER VIEW v1 AS SELECT f2 FROM t1; --error 1142 --error ER_SPECIFIC_ACCESS_DENIED_ERROR ALTER VIEW v2 AS SELECT f2 FROM t1; --error ER_SPECIFIC_ACCESS_DENIED_ERROR ALTER VIEW v3 AS SELECT f2 FROM t1; connection root; Loading @@ -1047,6 +1048,50 @@ DROP USER u26813@localhost; DROP DATABASE db26813; disconnect u1; --echo # --echo # Bug#29908: A user can gain additional access through the ALTER VIEW. --echo # connection root; CREATE DATABASE mysqltest_29908; USE mysqltest_29908; CREATE TABLE t1(f1 INT, f2 INT); CREATE USER u29908_1@localhost; CREATE DEFINER = u29908_1@localhost VIEW v1 AS SELECT f1 FROM t1; CREATE DEFINER = u29908_1@localhost SQL SECURITY INVOKER VIEW v2 AS SELECT f1 FROM t1; GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v1 TO u29908_1@localhost; GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_1@localhost; GRANT SELECT ON mysqltest_29908.t1 TO u29908_1@localhost; CREATE USER u29908_2@localhost; GRANT DROP, CREATE VIEW ON mysqltest_29908.v1 TO u29908_2@localhost; GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_2@localhost; GRANT SELECT ON mysqltest_29908.t1 TO u29908_2@localhost; connect (u2,localhost,u29908_2,,mysqltest_29908); --error ER_SPECIFIC_ACCESS_DENIED_ERROR ALTER VIEW v1 AS SELECT f2 FROM t1; ALTER VIEW v2 AS SELECT f2 FROM t1; SHOW CREATE VIEW v2; connect (u1,localhost,u29908_1,,mysqltest_29908); ALTER VIEW v1 AS SELECT f2 FROM t1; SHOW CREATE VIEW v1; ALTER VIEW v2 AS SELECT f1 FROM t1; SHOW CREATE VIEW v2; connection root; ALTER VIEW v1 AS SELECT f1 FROM t1; SHOW CREATE VIEW v1; ALTER VIEW v2 AS SELECT f2 FROM t1; SHOW CREATE VIEW v2; DROP USER u29908_1@localhost; DROP USER u29908_2@localhost; DROP DATABASE mysqltest_29908; disconnect u1; disconnect u2; --echo ####################################################################### # # BUG#24040: Create View don't succed with "all privileges" on a database. # Loading
sql/sql_view.cc +1 −4 Original line number Diff line number Diff line Loading @@ -223,9 +223,6 @@ bool mysql_create_view(THD *thd, TABLE_LIST *views, { LEX *lex= thd->lex; bool link_to_local; #ifndef NO_EMBEDDED_ACCESS_CHECKS bool definer_check_is_needed= mode != VIEW_ALTER || lex->definer; #endif /* first table in list is target VIEW name => cut off it */ TABLE_LIST *view= lex->unlink_first_table(&link_to_local); TABLE_LIST *tables= lex->query_tables; Loading Loading @@ -280,7 +277,7 @@ bool mysql_create_view(THD *thd, TABLE_LIST *views, - same as current user - current user has SUPER_ACL */ if (definer_check_is_needed && if (lex->definer && (strcmp(lex->definer->user.str, thd->security_ctx->priv_user) != 0 || my_strcasecmp(system_charset_info, lex->definer->host.str, Loading
