Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
M
mariadb
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Kirill Smelkov
mariadb
Commits
7944320f
Commit
7944320f
authored
Sep 29, 2011
by
Tatjana Azundris Nuernberg
Browse files
Options
Browse Files
Download
Plain Diff
manual merge
parents
1922d65f
8932ae21
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
604 additions
and
15 deletions
+604
-15
mysql-test/r/view_grant.result
mysql-test/r/view_grant.result
+215
-9
mysql-test/t/view_grant.test
mysql-test/t/view_grant.test
+357
-4
sql/sql_view.cc
sql/sql_view.cc
+32
-2
No files found.
mysql-test/r/view_grant.result
View file @
7944320f
...
...
@@ -66,10 +66,12 @@ create view mysqltest.v1 (c,d) as select a+1,b+1 from mysqltest.t1;
create algorithm=temptable view mysqltest.v2 (c,d) as select a+1,b+1 from mysqltest.t1;
create view mysqltest.v3 (c,d) as select a+1,b+1 from mysqltest.t2;
create algorithm=temptable view mysqltest.v4 (c,d) as select a+1,b+1 from mysqltest.t2;
create view mysqltest.v5 (c,d) as select a+1,b+1 from mysqltest.t1;
grant select on mysqltest.v1 to mysqltest_1@localhost;
grant select on mysqltest.v2 to mysqltest_1@localhost;
grant select on mysqltest.v3 to mysqltest_1@localhost;
grant select on mysqltest.v4 to mysqltest_1@localhost;
grant show view on mysqltest.v5 to mysqltest_1@localhost;
select c from mysqltest.v1;
c
select c from mysqltest.v2;
...
...
@@ -78,6 +80,8 @@ select c from mysqltest.v3;
c
select c from mysqltest.v4;
c
select c from mysqltest.v5;
ERROR 42000: SELECT command denied to user 'mysqltest_1'@'localhost' for table 'v5'
show columns from mysqltest.v1;
Field Type Null Key Default Extra
c bigint(12) YES NULL
...
...
@@ -102,16 +106,25 @@ explain select c from mysqltest.v4;
ERROR HY000: EXPLAIN/SHOW can not be issued; lacking privileges for underlying table
show create view mysqltest.v4;
ERROR 42000: SHOW VIEW command denied to user 'mysqltest_1'@'localhost' for table 'v4'
explain select c from mysqltest.v5;
ERROR 42000: SELECT command denied to user 'mysqltest_1'@'localhost' for table 'v5'
show create view mysqltest.v5;
View Create View character_set_client collation_connection
v5 CREATE ALGORITHM=UNDEFINED DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW `mysqltest`.`v5` AS select (`mysqltest`.`t1`.`a` + 1) AS `c`,(`mysqltest`.`t1`.`b` + 1) AS `d` from `mysqltest`.`t1` latin1 latin1_swedish_ci
explain select c from mysqltest.v1;
ERROR HY000: EXPLAIN/SHOW can not be issued; lacking privileges for underlying table
show create view mysqltest.v1;
ERROR 42000: SHOW VIEW command denied to user 'mysqltest_1'@'localhost' for table 'v1'
grant show view on mysqltest.v1 to mysqltest_1@localhost;
grant select on mysqltest.t1 to mysqltest_1@localhost;
explain select c from mysqltest.v1;
id select_type table type possible_keys key key_len ref rows Extra
1 SIMPLE t1 system NULL NULL NULL NULL 0 const row not found
show create view mysqltest.v1;
ERROR 42000: SHOW VIEW command denied to user 'mysqltest_1'@'localhost' for table 'v1'
View Create View character_set_client collation_connection
v1 CREATE ALGORITHM=UNDEFINED DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW `mysqltest`.`v1` AS select (`mysqltest`.`t1`.`a` + 1) AS `c`,(`mysqltest`.`t1`.`b` + 1) AS `d` from `mysqltest`.`t1` latin1 latin1_swedish_ci
explain select c from mysqltest.v2;
id select_type table type possible_keys key key_len ref rows Extra
1 PRIMARY <derived2> system NULL NULL NULL NULL 0 const row not found
2 DERIVED NULL NULL NULL NULL NULL NULL NULL no matching row in const table
ERROR HY000: EXPLAIN/SHOW can not be issued; lacking privileges for underlying table
show create view mysqltest.v2;
ERROR 42000: SHOW VIEW command denied to user 'mysqltest_1'@'localhost' for table 'v2'
explain select c from mysqltest.v3;
...
...
@@ -122,6 +135,11 @@ explain select c from mysqltest.v4;
ERROR HY000: EXPLAIN/SHOW can not be issued; lacking privileges for underlying table
show create view mysqltest.v4;
ERROR 42000: SHOW VIEW command denied to user 'mysqltest_1'@'localhost' for table 'v4'
explain select c from mysqltest.v5;
ERROR 42000: SELECT command denied to user 'mysqltest_1'@'localhost' for table 'v5'
show create view mysqltest.v5;
View Create View character_set_client collation_connection
v5 CREATE ALGORITHM=UNDEFINED DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW `mysqltest`.`v5` AS select (`mysqltest`.`t1`.`a` + 1) AS `c`,(`mysqltest`.`t1`.`b` + 1) AS `d` from `mysqltest`.`t1` latin1 latin1_swedish_ci
grant show view on mysqltest.* to mysqltest_1@localhost;
explain select c from mysqltest.v1;
id select_type table type possible_keys key key_len ref rows Extra
...
...
@@ -137,15 +155,12 @@ show create view mysqltest.v2;
View Create View character_set_client collation_connection
v2 CREATE ALGORITHM=TEMPTABLE DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW `mysqltest`.`v2` AS select (`mysqltest`.`t1`.`a` + 1) AS `c`,(`mysqltest`.`t1`.`b` + 1) AS `d` from `mysqltest`.`t1` latin1 latin1_swedish_ci
explain select c from mysqltest.v3;
id select_type table type possible_keys key key_len ref rows Extra
1 SIMPLE t2 system NULL NULL NULL NULL 0 const row not found
ERROR HY000: EXPLAIN/SHOW can not be issued; lacking privileges for underlying table
show create view mysqltest.v3;
View Create View character_set_client collation_connection
v3 CREATE ALGORITHM=UNDEFINED DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW `mysqltest`.`v3` AS select (`mysqltest`.`t2`.`a` + 1) AS `c`,(`mysqltest`.`t2`.`b` + 1) AS `d` from `mysqltest`.`t2` latin1 latin1_swedish_ci
explain select c from mysqltest.v4;
id select_type table type possible_keys key key_len ref rows Extra
1 PRIMARY <derived2> system NULL NULL NULL NULL 0 const row not found
2 DERIVED NULL NULL NULL NULL NULL NULL NULL no matching row in const table
ERROR HY000: EXPLAIN/SHOW can not be issued; lacking privileges for underlying table
show create view mysqltest.v4;
View Create View character_set_client collation_connection
v4 CREATE ALGORITHM=TEMPTABLE DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW `mysqltest`.`v4` AS select (`mysqltest`.`t2`.`a` + 1) AS `c`,(`mysqltest`.`t2`.`b` + 1) AS `d` from `mysqltest`.`t2` latin1 latin1_swedish_ci
...
...
@@ -947,6 +962,197 @@ DROP USER foo;
DROP VIEW db1.v1;
DROP TABLE db1.t1;
DROP DATABASE db1;
Bug #11765687/#58677:
No privilege on table/view, but can know #rows / underlying table's name
create database mysqltest1;
create table mysqltest1.t1 (i int);
create table mysqltest1.t2 (j int);
create table mysqltest1.t3 (k int, secret int);
create user alice@localhost;
create user bob@localhost;
create user cecil@localhost;
create user dan@localhost;
create user eugene@localhost;
create user fiona@localhost;
create user greg@localhost;
create user han@localhost;
create user inga@localhost;
create user jamie@localhost;
create user karl@localhost;
create user lena@localhost;
create user mhairi@localhost;
create user noam@localhost;
create user olga@localhost;
create user pjotr@localhost;
create user quintessa@localhost;
grant all privileges on mysqltest1.* to alice@localhost with grant option;
... as alice
create view v1 as select * from t1;
create view v2 as select * from v1, t2;
create view v3 as select k from t3;
grant select on mysqltest1.v1 to bob@localhost;
grant show view on mysqltest1.v1 to cecil@localhost;
grant select, show view on mysqltest1.v1 to dan@localhost;
grant select on mysqltest1.t1 to dan@localhost;
grant select on mysqltest1.* to eugene@localhost;
grant select, show view on mysqltest1.v2 to fiona@localhost;
grant select, show view on mysqltest1.v2 to greg@localhost;
grant show view on mysqltest1.v1 to greg@localhost;
grant select(k) on mysqltest1.t3 to han@localhost;
grant select, show view on mysqltest1.v3 to han@localhost;
grant select on mysqltest1.t1 to inga@localhost;
grant select on mysqltest1.t2 to inga@localhost;
grant select on mysqltest1.v1 to inga@localhost;
grant select, show view on mysqltest1.v2 to inga@localhost;
grant select on mysqltest1.t1 to jamie@localhost;
grant select on mysqltest1.t2 to jamie@localhost;
grant show view on mysqltest1.v1 to jamie@localhost;
grant select, show view on mysqltest1.v2 to jamie@localhost;
grant select on mysqltest1.t1 to karl@localhost;
grant select on mysqltest1.t2 to karl@localhost;
grant select, show view on mysqltest1.v1 to karl@localhost;
grant select on mysqltest1.v2 to karl@localhost;
grant select on mysqltest1.t1 to lena@localhost;
grant select on mysqltest1.t2 to lena@localhost;
grant select, show view on mysqltest1.v1 to lena@localhost;
grant show view on mysqltest1.v2 to lena@localhost;
grant select on mysqltest1.t1 to mhairi@localhost;
grant select on mysqltest1.t2 to mhairi@localhost;
grant select, show view on mysqltest1.v1 to mhairi@localhost;
grant select, show view on mysqltest1.v2 to mhairi@localhost;
grant select on mysqltest1.t1 to noam@localhost;
grant select, show view on mysqltest1.v1 to noam@localhost;
grant select, show view on mysqltest1.v2 to noam@localhost;
grant select on mysqltest1.t2 to olga@localhost;
grant select, show view on mysqltest1.v1 to olga@localhost;
grant select, show view on mysqltest1.v2 to olga@localhost;
grant select on mysqltest1.t1 to pjotr@localhost;
grant select on mysqltest1.t2 to pjotr@localhost;
grant select, show view on mysqltest1.v2 to pjotr@localhost;
grant select, show view on mysqltest1.v1 to quintessa@localhost;
... as bob
select * from v1;
i
explain select * from v1;
ERROR HY000: EXPLAIN/SHOW can not be issued; lacking privileges for underlying table
... as cecil
select * from v1;
ERROR 42000: SELECT command denied to user 'cecil'@'localhost' for table 'v1'
explain select * from v1;
ERROR 42000: SELECT command denied to user 'cecil'@'localhost' for table 'v1'
... as dan
select * from v1;
i
explain select * from v1;
id select_type table type possible_keys key key_len ref rows Extra
1 SIMPLE t1 system NULL NULL NULL NULL 0 const row not found
... as eugene
select * from v1;
i
explain select * from v1;
ERROR HY000: EXPLAIN/SHOW can not be issued; lacking privileges for underlying table
... as fiona
select * from v2;
i j
show create view v2;
View Create View character_set_client collation_connection
v2 CREATE ALGORITHM=UNDEFINED DEFINER=`alice`@`localhost` SQL SECURITY DEFINER VIEW `v2` AS select `v1`.`i` AS `i`,`t2`.`j` AS `j` from (`v1` join `t2`) latin1 latin1_swedish_ci
explain select * from t1;
ERROR 42000: SELECT command denied to user 'fiona'@'localhost' for table 't1'
explain select * from v1;
ERROR 42000: SELECT command denied to user 'fiona'@'localhost' for table 'v1'
explain select * from t2;
ERROR 42000: SELECT command denied to user 'fiona'@'localhost' for table 't2'
explain select * from v2;
ERROR HY000: EXPLAIN/SHOW can not be issued; lacking privileges for underlying table
... as greg
select * from v2;
i j
explain select * from v1;
ERROR 42000: SELECT command denied to user 'greg'@'localhost' for table 'v1'
explain select * from v2;
ERROR HY000: EXPLAIN/SHOW can not be issued; lacking privileges for underlying table
... as han
select * from t3;
ERROR 42000: SELECT command denied to user 'han'@'localhost' for table 't3'
explain select * from t3;
ERROR 42000: SELECT command denied to user 'han'@'localhost' for table 't3'
select k from t3;
k
explain select k from t3;
id select_type table type possible_keys key key_len ref rows Extra
1 SIMPLE t3 system NULL NULL NULL NULL 0 const row not found
select * from v3;
k
explain select * from v3;
id select_type table type possible_keys key key_len ref rows Extra
1 SIMPLE t3 system NULL NULL NULL NULL 0 const row not found
... as inga
select * from v2;
i j
explain select * from v2;
ERROR HY000: EXPLAIN/SHOW can not be issued; lacking privileges for underlying table
... as jamie
select * from v2;
i j
explain select * from v2;
ERROR HY000: EXPLAIN/SHOW can not be issued; lacking privileges for underlying table
... as karl
select * from v2;
i j
explain select * from v2;
ERROR HY000: EXPLAIN/SHOW can not be issued; lacking privileges for underlying table
... as lena
select * from v2;
ERROR 42000: SELECT command denied to user 'lena'@'localhost' for table 'v2'
explain select * from v2;
ERROR 42000: SELECT command denied to user 'lena'@'localhost' for table 'v2'
... as mhairi
select * from v2;
i j
explain select * from v2;
id select_type table type possible_keys key key_len ref rows Extra
1 SIMPLE t1 system NULL NULL NULL NULL 0 const row not found
1 SIMPLE t2 system NULL NULL NULL NULL 0 const row not found
... as noam
select * from v2;
i j
explain select * from v2;
ERROR HY000: EXPLAIN/SHOW can not be issued; lacking privileges for underlying table
... as olga
select * from v2;
i j
explain select * from v2;
ERROR HY000: EXPLAIN/SHOW can not be issued; lacking privileges for underlying table
... as pjotr
select * from v2;
i j
explain select * from v2;
ERROR HY000: EXPLAIN/SHOW can not be issued; lacking privileges for underlying table
... as quintessa
select * from v1;
i
explain select * from v1;
ERROR HY000: EXPLAIN/SHOW can not be issued; lacking privileges for underlying table
... as root again at last: clean-up time!
drop user alice@localhost;
drop user bob@localhost;
drop user cecil@localhost;
drop user dan@localhost;
drop user eugene@localhost;
drop user fiona@localhost;
drop user greg@localhost;
drop user han@localhost;
drop user inga@localhost;
drop user jamie@localhost;
drop user karl@localhost;
drop user lena@localhost;
drop user mhairi@localhost;
drop user noam@localhost;
drop user olga@localhost;
drop user pjotr@localhost;
drop user quintessa@localhost;
drop database mysqltest1;
End of 5.0 tests.
DROP VIEW IF EXISTS v1;
DROP TABLE IF EXISTS t1;
...
...
mysql-test/t/view_grant.test
View file @
7944320f
...
...
@@ -127,21 +127,26 @@ create view mysqltest.v1 (c,d) as select a+1,b+1 from mysqltest.t1;
create
algorithm
=
temptable
view
mysqltest
.
v2
(
c
,
d
)
as
select
a
+
1
,
b
+
1
from
mysqltest
.
t1
;
create
view
mysqltest
.
v3
(
c
,
d
)
as
select
a
+
1
,
b
+
1
from
mysqltest
.
t2
;
create
algorithm
=
temptable
view
mysqltest
.
v4
(
c
,
d
)
as
select
a
+
1
,
b
+
1
from
mysqltest
.
t2
;
# v5: SHOW VIEW, but no SELECT
create
view
mysqltest
.
v5
(
c
,
d
)
as
select
a
+
1
,
b
+
1
from
mysqltest
.
t1
;
grant
select
on
mysqltest
.
v1
to
mysqltest_1
@
localhost
;
grant
select
on
mysqltest
.
v2
to
mysqltest_1
@
localhost
;
grant
select
on
mysqltest
.
v3
to
mysqltest_1
@
localhost
;
grant
select
on
mysqltest
.
v4
to
mysqltest_1
@
localhost
;
grant
show
view
on
mysqltest
.
v5
to
mysqltest_1
@
localhost
;
connection
user1
;
# all
selects work
s
# all
SELECTs works, except v5 which lacks SELECT priv
s
select
c
from
mysqltest
.
v1
;
select
c
from
mysqltest
.
v2
;
select
c
from
mysqltest
.
v3
;
select
c
from
mysqltest
.
v4
;
--
error
ER_TABLEACCESS_DENIED_ERROR
select
c
from
mysqltest
.
v5
;
# test of show coluns
show
columns
from
mysqltest
.
v1
;
show
columns
from
mysqltest
.
v2
;
#
but explain/show do not
#
explain/show fail
--
error
ER_VIEW_NO_EXPLAIN
explain
select
c
from
mysqltest
.
v1
;
--
error
ER_TABLEACCESS_DENIED_ERROR
...
...
@@ -158,15 +163,26 @@ show create view mysqltest.v3;
explain
select
c
from
mysqltest
.
v4
;
--
error
ER_TABLEACCESS_DENIED_ERROR
show
create
view
mysqltest
.
v4
;
--
error
ER_TABLEACCESS_DENIED_ERROR
explain
select
c
from
mysqltest
.
v5
;
show
create
view
mysqltest
.
v5
;
# missing SELECT on underlying t1, no SHOW VIEW on v1 either.
--
error
ER_VIEW_NO_EXPLAIN
explain
select
c
from
mysqltest
.
v1
;
# missing SHOW VIEW
--
error
ER_TABLEACCESS_DENIED_ERROR
show
create
view
mysqltest
.
v1
;
# allow to see one of underlying table
connection
root
;
grant
show
view
on
mysqltest
.
v1
to
mysqltest_1
@
localhost
;
grant
select
on
mysqltest
.
t1
to
mysqltest_1
@
localhost
;
connection
user1
;
# EXPLAIN
of view on above table
works
# EXPLAIN works
explain
select
c
from
mysqltest
.
v1
;
--
error
ER_TABLEACCESS_DENIED_ERROR
show
create
view
mysqltest
.
v1
;
# missing SHOW VIEW
--
error
ER_VIEW_NO_EXPLAIN
explain
select
c
from
mysqltest
.
v2
;
--
error
ER_TABLEACCESS_DENIED_ERROR
show
create
view
mysqltest
.
v2
;
...
...
@@ -179,6 +195,11 @@ show create view mysqltest.v3;
explain
select
c
from
mysqltest
.
v4
;
--
error
ER_TABLEACCESS_DENIED_ERROR
show
create
view
mysqltest
.
v4
;
# we have SHOW VIEW on v5, and SELECT on t1 -- not enough
--
error
ER_TABLEACCESS_DENIED_ERROR
explain
select
c
from
mysqltest
.
v5
;
# we can SHOW CREATE VIEW though
show
create
view
mysqltest
.
v5
;
# allow to see any view in mysqltest database
connection
root
;
...
...
@@ -188,8 +209,12 @@ explain select c from mysqltest.v1;
show
create
view
mysqltest
.
v1
;
explain
select
c
from
mysqltest
.
v2
;
show
create
view
mysqltest
.
v2
;
# have SHOW VIEW | SELECT on v3, but no SELECT on t2
--
error
ER_VIEW_NO_EXPLAIN
explain
select
c
from
mysqltest
.
v3
;
show
create
view
mysqltest
.
v3
;
# have SHOW VIEW | SELECT on v4, but no SELECT on t2
--
error
ER_VIEW_NO_EXPLAIN
explain
select
c
from
mysqltest
.
v4
;
show
create
view
mysqltest
.
v4
;
...
...
@@ -1237,6 +1262,334 @@ DROP VIEW db1.v1;
DROP
TABLE
db1
.
t1
;
DROP
DATABASE
db1
;
connection
default
;
--
echo
Bug
#11765687/#58677:
--
echo
No
privilege
on
table
/
view
,
but
can
know
#rows / underlying table's name
# As a root-like user
connect
(
root
,
localhost
,
root
,,
test
);
connection
root
;
create
database
mysqltest1
;
create
table
mysqltest1
.
t1
(
i
int
);
create
table
mysqltest1
.
t2
(
j
int
);
create
table
mysqltest1
.
t3
(
k
int
,
secret
int
);
create
user
alice
@
localhost
;
create
user
bob
@
localhost
;
create
user
cecil
@
localhost
;
create
user
dan
@
localhost
;
create
user
eugene
@
localhost
;
create
user
fiona
@
localhost
;
create
user
greg
@
localhost
;
create
user
han
@
localhost
;
create
user
inga
@
localhost
;
create
user
jamie
@
localhost
;
create
user
karl
@
localhost
;
create
user
lena
@
localhost
;
create
user
mhairi
@
localhost
;
create
user
noam
@
localhost
;
create
user
olga
@
localhost
;
create
user
pjotr
@
localhost
;
create
user
quintessa
@
localhost
;
grant
all
privileges
on
mysqltest1
.*
to
alice
@
localhost
with
grant
option
;
#
--
echo
...
as
alice
connect
(
test11765687
,
localhost
,
alice
,,
mysqltest1
);
connection
test11765687
;
create
view
v1
as
select
*
from
t1
;
create
view
v2
as
select
*
from
v1
,
t2
;
create
view
v3
as
select
k
from
t3
;
grant
select
on
mysqltest1
.
v1
to
bob
@
localhost
;
grant
show
view
on
mysqltest1
.
v1
to
cecil
@
localhost
;
grant
select
,
show
view
on
mysqltest1
.
v1
to
dan
@
localhost
;
grant
select
on
mysqltest1
.
t1
to
dan
@
localhost
;
grant
select
on
mysqltest1
.*
to
eugene
@
localhost
;
grant
select
,
show
view
on
mysqltest1
.
v2
to
fiona
@
localhost
;
grant
select
,
show
view
on
mysqltest1
.
v2
to
greg
@
localhost
;
grant
show
view
on
mysqltest1
.
v1
to
greg
@
localhost
;
grant
select
(
k
)
on
mysqltest1
.
t3
to
han
@
localhost
;
grant
select
,
show
view
on
mysqltest1
.
v3
to
han
@
localhost
;
grant
select
on
mysqltest1
.
t1
to
inga
@
localhost
;
grant
select
on
mysqltest1
.
t2
to
inga
@
localhost
;
grant
select
on
mysqltest1
.
v1
to
inga
@
localhost
;
grant
select
,
show
view
on
mysqltest1
.
v2
to
inga
@
localhost
;
grant
select
on
mysqltest1
.
t1
to
jamie
@
localhost
;
grant
select
on
mysqltest1
.
t2
to
jamie
@
localhost
;
grant
show
view
on
mysqltest1
.
v1
to
jamie
@
localhost
;
grant
select
,
show
view
on
mysqltest1
.
v2
to
jamie
@
localhost
;
grant
select
on
mysqltest1
.
t1
to
karl
@
localhost
;
grant
select
on
mysqltest1
.
t2
to
karl
@
localhost
;
grant
select
,
show
view
on
mysqltest1
.
v1
to
karl
@
localhost
;
grant
select
on
mysqltest1
.
v2
to
karl
@
localhost
;
grant
select
on
mysqltest1
.
t1
to
lena
@
localhost
;
grant
select
on
mysqltest1
.
t2
to
lena
@
localhost
;
grant
select
,
show
view
on
mysqltest1
.
v1
to
lena
@
localhost
;
grant
show
view
on
mysqltest1
.
v2
to
lena
@
localhost
;
grant
select
on
mysqltest1
.
t1
to
mhairi
@
localhost
;
grant
select
on
mysqltest1
.
t2
to
mhairi
@
localhost
;
grant
select
,
show
view
on
mysqltest1
.
v1
to
mhairi
@
localhost
;
grant
select
,
show
view
on
mysqltest1
.
v2
to
mhairi
@
localhost
;
grant
select
on
mysqltest1
.
t1
to
noam
@
localhost
;
grant
select
,
show
view
on
mysqltest1
.
v1
to
noam
@
localhost
;
grant
select
,
show
view
on
mysqltest1
.
v2
to
noam
@
localhost
;
grant
select
on
mysqltest1
.
t2
to
olga
@
localhost
;
grant
select
,
show
view
on
mysqltest1
.
v1
to
olga
@
localhost
;
grant
select
,
show
view
on
mysqltest1
.
v2
to
olga
@
localhost
;
grant
select
on
mysqltest1
.
t1
to
pjotr
@
localhost
;
grant
select
on
mysqltest1
.
t2
to
pjotr
@
localhost
;
grant
select
,
show
view
on
mysqltest1
.
v2
to
pjotr
@
localhost
;
grant
select
,
show
view
on
mysqltest1
.
v1
to
quintessa
@
localhost
;
disconnect
test11765687
;
#
--
echo
...
as
bob
connect
(
test11765687
,
localhost
,
bob
,,
mysqltest1
);
connection
test11765687
;
select
*
from
v1
;
# Should succeed.
--
error
ER_VIEW_NO_EXPLAIN
explain
select
*
from
v1
;
# fail, no SHOW_VIEW
disconnect
test11765687
;
#
--
echo
...
as
cecil
connect
(
test11765687
,
localhost
,
cecil
,,
mysqltest1
);
connection
test11765687
;
--
error
ER_TABLEACCESS_DENIED_ERROR
select
*
from
v1
;
# fail, no SELECT
--
error
ER_TABLEACCESS_DENIED_ERROR
explain
select
*
from
v1
;
# fail, no SELECT
disconnect
test11765687
;
#
--
echo
...
as
dan
connect
(
test11765687
,
localhost
,
dan
,,
mysqltest1
);
connection
test11765687
;
select
*
from
v1
;
# Should succeed.
explain
select
*
from
v1
;
# Should succeed.
disconnect
test11765687
;
#
--
echo
...
as
eugene
connect
(
test11765687
,
localhost
,
eugene
,,
mysqltest1
);
connection
test11765687
;
select
*
from
v1
;
# Should succeed.
--
error
ER_VIEW_NO_EXPLAIN
explain
select
*
from
v1
;
# fail, no SHOW_VIEW
disconnect
test11765687
;
#
--
echo
...
as
fiona
connect
(
test11765687
,
localhost
,
fiona
,,
mysqltest1
);
connection
test11765687
;
select
*
from
v2
;
# Should succeed.
show
create
view
v2
;
# Should succeed, but...
--
error
ER_TABLEACCESS_DENIED_ERROR
explain
select
*
from
t1
;
# fail, shouldn't see t1!
--
error
ER_TABLEACCESS_DENIED_ERROR
# err msg must give view name, no table names!!
explain
select
*
from
v1
;
# fail, have no privs on v1!
--
error
ER_TABLEACCESS_DENIED_ERROR
explain
select
*
from
t2
;
# fail, have no privs on t2!
--
error
ER_VIEW_NO_EXPLAIN
explain
select
*
from
v2
;
# fail, shouldn't see t2!
disconnect
test11765687
;
#
--
echo
...
as
greg
connect
(
test11765687
,
localhost
,
greg
,,
mysqltest1
);
connection
test11765687
;
select
*
from
v2
;
# Should succeed.
--
error
ER_TABLEACCESS_DENIED_ERROR
explain
select
*
from
v1
;
# fail; no SELECT on v1!
--
error
ER_VIEW_NO_EXPLAIN
explain
select
*
from
v2
;
# fail; no SELECT on v1!
disconnect
test11765687
;
#
--
echo
...
as
han
connect
(
test11765687
,
localhost
,
han
,,
mysqltest1
);
connection
test11765687
;
--
error
ER_TABLEACCESS_DENIED_ERROR
select
*
from
t3
;
# don't have privs on all columns,
--
error
ER_TABLEACCESS_DENIED_ERROR
explain
select
*
from
t3
;
# so EXPLAIN on "forbidden" columns should fail.
select
k
from
t3
;
# but we do have SELECT on column k though,
explain
select
k
from
t3
;
# so EXPLAIN just on k should work,
select
*
from
v3
;
# and so should SELECT on view only using allowed columns
explain
select
*
from
v3
;
# as should the associated EXPLAIN
disconnect
test11765687
;
#
--
echo
...
as
inga
connect
(
test11765687
,
localhost
,
inga
,,
mysqltest1
);
connection
test11765687
;
select
*
from
v2
;
# has sel/show on v2, sel on t1/t2, only sel v1
# fail: lacks show on v1
--
error
ER_VIEW_NO_EXPLAIN
explain
select
*
from
v2
;
disconnect
test11765687
;
#
--
echo
...
as
jamie
connect
(
test11765687
,
localhost
,
jamie
,,
mysqltest1
);
connection
test11765687
;
select
*
from
v2
;
# has sel/show on v2, sel on t1/t2, only show v1
# fail: lacks sel on v1
--
error
ER_VIEW_NO_EXPLAIN
explain
select
*
from
v2
;
disconnect
test11765687
;
#
--
echo
...
as
karl
connect
(
test11765687
,
localhost
,
karl
,,
mysqltest1
);
connection
test11765687
;
select
*
from
v2
;
# has sel only on v2, sel on t1/t2, sel/show v1
# fail: lacks show on v2
--
error
ER_VIEW_NO_EXPLAIN
explain
select
*
from
v2
;
disconnect
test11765687
;
#
--
echo
...
as
lena
connect
(
test11765687
,
localhost
,
lena
,,
mysqltest1
);
connection
test11765687
;
--
error
ER_TABLEACCESS_DENIED_ERROR
select
*
from
v2
;
# has show only on v2, sel on t1/t2, sel/show v1
# fail: lacks sel on v2
--
error
ER_TABLEACCESS_DENIED_ERROR
explain
select
*
from
v2
;
disconnect
test11765687
;
#
--
echo
...
as
mhairi
connect
(
test11765687
,
localhost
,
mhairi
,,
mysqltest1
);
connection
test11765687
;
select
*
from
v2
;
# has sel/show on v2, sel on t1/t2, sel/show v1
explain
select
*
from
v2
;
disconnect
test11765687
;
#
--
echo
...
as
noam
connect
(
test11765687
,
localhost
,
noam
,,
mysqltest1
);
connection
test11765687
;
select
*
from
v2
;
# has sel/show on v2, sel only on t1, sel/show v1 (no sel on t2!)
--
error
ER_VIEW_NO_EXPLAIN
explain
select
*
from
v2
;
disconnect
test11765687
;
#
--
echo
...
as
olga
connect
(
test11765687
,
localhost
,
olga
,,
mysqltest1
);
connection
test11765687
;
select
*
from
v2
;
# has sel/show on v2, sel only on t2, sel/show v1 (no sel on t1!)
--
error
ER_VIEW_NO_EXPLAIN
explain
select
*
from
v2
;
disconnect
test11765687
;
#
--
echo
...
as
pjotr
connect
(
test11765687
,
localhost
,
pjotr
,,
mysqltest1
);
connection
test11765687
;
select
*
from
v2
;
# has sel/show on v2, sel only on t2, nothing on v1
# fail: lacks show on v1
--
error
ER_VIEW_NO_EXPLAIN
explain
select
*
from
v2
;
disconnect
test11765687
;
#
--
echo
...
as
quintessa
connect
(
test11765687
,
localhost
,
quintessa
,,
mysqltest1
);
connection
test11765687
;
select
*
from
v1
;
# Should succeed.
--
error
ER_VIEW_NO_EXPLAIN
explain
select
*
from
v1
;
# fail: lacks select on t1
disconnect
test11765687
;
# cleanup
#
--
echo
...
as
root
again
at
last
:
clean
-
up
time
!
connection
root
;
drop
user
alice
@
localhost
;
drop
user
bob
@
localhost
;
drop
user
cecil
@
localhost
;
drop
user
dan
@
localhost
;
drop
user
eugene
@
localhost
;
drop
user
fiona
@
localhost
;
drop
user
greg
@
localhost
;
drop
user
han
@
localhost
;
drop
user
inga
@
localhost
;
drop
user
jamie
@
localhost
;
drop
user
karl
@
localhost
;
drop
user
lena
@
localhost
;
drop
user
mhairi
@
localhost
;
drop
user
noam
@
localhost
;
drop
user
olga
@
localhost
;
drop
user
pjotr
@
localhost
;
drop
user
quintessa
@
localhost
;
drop
database
mysqltest1
;
disconnect
root
;
connection
default
;
--
echo
End
of
5.0
tests
.
...
...
sql/sql_view.cc
View file @
7944320f
...
...
@@ -1265,8 +1265,38 @@ bool mysql_make_view(THD *thd, File_parser *parser, TABLE_LIST *table,
if
(
!
table
->
prelocking_placeholder
&&
(
old_lex
->
sql_command
==
SQLCOM_SELECT
&&
old_lex
->
describe
))
{
if
(
check_table_access
(
thd
,
SELECT_ACL
,
view_tables
,
UINT_MAX
,
TRUE
)
&&
check_table_access
(
thd
,
SHOW_VIEW_ACL
,
table
,
UINT_MAX
,
TRUE
))
/*
The user we run EXPLAIN as (either the connected user who issued
the EXPLAIN statement, or the definer of a SUID stored routine
which contains the EXPLAIN) should have both SHOW_VIEW_ACL and
SELECT_ACL on the view being opened as well as on all underlying
views since EXPLAIN will disclose their structure. This user also
should have SELECT_ACL on all underlying tables of the view since
this EXPLAIN will disclose information about the number of rows in it.
To perform this privilege check we create auxiliary TABLE_LIST object
for the view in order a) to avoid trashing "table->grant" member for
original table list element, which contents can be important at later
stage for column-level privilege checking b) get TABLE_LIST object
with "security_ctx" member set to 0, i.e. forcing check_table_access()
to use active user's security context.
There is no need for creating similar copies of table list elements
for underlying tables since they are just have been constructed and
thus have TABLE_LIST::security_ctx == 0 and fresh TABLE_LIST::grant
member.
Finally at this point making sure we have SHOW_VIEW_ACL on the views
will suffice as we implicitly require SELECT_ACL anyway.
*/
TABLE_LIST
view
;
bzero
((
char
*
)
&
view
,
sizeof
(
TABLE_LIST
));
view
.
db
=
table
->
db
;
view
.
table_name
=
table
->
table_name
;
if
(
check_table_access
(
thd
,
SELECT_ACL
,
view_tables
,
UINT_MAX
,
TRUE
)
||
check_table_access
(
thd
,
SHOW_VIEW_ACL
,
&
view
,
UINT_MAX
,
TRUE
))
{
my_message
(
ER_VIEW_NO_EXPLAIN
,
ER
(
ER_VIEW_NO_EXPLAIN
),
MYF
(
0
));
goto
err
;
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment