Commit 79d2e6c8 authored by Sergei Golubchik's avatar Sergei Golubchik

MDEV-5232 SET ROLE checks privileges differently from check_access()

use the same inconsistent priv_user@host pair for SET ROLE privilege checks,
just as check_access() does
parent 00ba6191
create user ''@localhost;
create user c;
grant select on mysql.* to c;
create role r1;
grant r1 to c;
select user(), current_user();
user() current_user()
c@localhost @localhost
select user from mysql.user group by user;
ERROR 42000: SELECT command denied to user ''@'localhost' for table 'user'
set role r1;
ERROR OP000: Invalid role specification `r1`.
drop role r1;
drop user c;
drop user ''@localhost;
#
# MDEV-5232 SET ROLE checks privileges differently from check_access()
#
--source include/not_embedded.inc
create user ''@localhost;
create user c;
grant select on mysql.* to c;
create role r1;
grant r1 to c;
connect (c,localhost,c,,,,,);
select user(), current_user();
--error ER_TABLEACCESS_DENIED_ERROR
select user from mysql.user group by user;
--error ER_INVALID_ROLE
set role r1;
disconnect c;
connection default;
drop role r1;
drop user c;
drop user ''@localhost;
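Review bot: The test never states why user `c` ends up with `current_user()` equal to `@localhost`, yet that mapping is the precondition for expecting `ER_INVALID_ROLE` on `set role r1`. A comment before the `connect` line would make it explicit, for example `# c@localhost authenticates as ''@localhost (the more specific host entry wins), so the grant of r1 to c@% must not apply to this session`. Only the denial path is exercised here. A companion case in which the session's effective account does hold the role would pin the other half of the behaviour.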
...@@ -1871,7 +1871,9 @@ int acl_check_setrole(THD *thd, char *rolename, ulonglong *access) ...@@ -1871,7 +1871,9 @@ int acl_check_setrole(THD *thd, char *rolename, ulonglong *access)
continue; continue;
acl_user= (ACL_USER *)acl_user_base; acl_user= (ACL_USER *)acl_user_base;
if (acl_user->wild_eq(thd->security_ctx->user, thd->security_ctx->host)) /* Yes! priv_user@host. Don't ask why - that's what check_access() does. */
if (acl_user->wild_eq(thd->security_ctx->priv_user,
thd->security_ctx->host))
{ {
is_granted= TRUE; is_granted= TRUE;
break; break;
......
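Review bot: The comment added above the `wild_eq()` call ("Don't ask why") records that the pairing is deliberate but not what it protects, so a later cleanup could switch back to `security_ctx->user` and let a session use roles granted to an account it did not authenticate as. I would state the reason instead, for example `/* Match on priv_user (the account this session authenticated as), not the login name, so SET ROLE evaluates grants for the same identity check_access() uses; host is the client host, as in check_access(). */`. The host half is still `security_ctx->host` rather than the matched account's host, which the commit message itself calls inconsistent. It is worth confirming that a connection identified only by IP address still matches as intended, since that cannot be seen in the hunk. The body of `acl_check_setrole()` starts and ends outside the hunk.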