Commit e54a7ac1 authored by Sergei Golubchik's avatar Sergei Golubchik

MDEV-23010 UPDATE privilege at Database and Table level fail to update with...

MDEV-23010 UPDATE privilege at Database and Table level fail to update with SELECT command denied to user

check both column- and table-level grants when looking for SELECT
privilege on UPDATE statement.
parent 2ba70f69
...@@ -23,3 +23,13 @@ ERROR HY000: Table 'user' was not locked with LOCK TABLES ...@@ -23,3 +23,13 @@ ERROR HY000: Table 'user' was not locked with LOCK TABLES
REVOKE PROCESS ON *.* FROM u; REVOKE PROCESS ON *.* FROM u;
ERROR HY000: Table 'user' was not locked with LOCK TABLES ERROR HY000: Table 'user' was not locked with LOCK TABLES
DROP TABLE t1; DROP TABLE t1;
create database mysqltest1;
use mysqltest1;
create table t1(id int);
insert t1 values(2);
create user u1@localhost;
grant select on mysqltest1.t1 to u1@localhost;
grant update on mysqltest1.* to u1@localhost;
update mysqltest1.t1 set id=1 where id=2;
drop user u1@localhost;
drop database mysqltest1;
...@@ -20,6 +20,7 @@ show grants for foo; # role ...@@ -20,6 +20,7 @@ show grants for foo; # role
--error ER_DBACCESS_DENIED_ERROR --error ER_DBACCESS_DENIED_ERROR
show grants for foo@'%'; # user show grants for foo@'%'; # user
--connection default --connection default
--disconnect conn_1
drop user test, foo; drop user test, foo;
drop role foo; drop role foo;
...@@ -33,3 +34,24 @@ REVOKE EXECUTE ON PROCEDURE sp FROM u; ...@@ -33,3 +34,24 @@ REVOKE EXECUTE ON PROCEDURE sp FROM u;
--error ER_TABLE_NOT_LOCKED --error ER_TABLE_NOT_LOCKED
REVOKE PROCESS ON *.* FROM u; REVOKE PROCESS ON *.* FROM u;
DROP TABLE t1; DROP TABLE t1;
#
# MDEV-23010 UPDATE privilege at Database and Table level fail to update with SELECT command denied to user
#
create database mysqltest1;
use mysqltest1;
create table t1(id int);
insert t1 values(2);
create user u1@localhost;
grant select on mysqltest1.t1 to u1@localhost;
grant update on mysqltest1.* to u1@localhost;
connect u1, localhost, u1;
update mysqltest1.t1 set id=1 where id=2;
connection default;
disconnect u1;
drop user u1@localhost;
drop database mysqltest1;
#
# End of 10.1 tests
#
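Review bot: The new MDEV-23010 case only exercises the allowed path (table-level SELECT plus database-level UPDATE for u1); nothing in this section checks that the same `update mysqltest1.t1 set id=1 where id=2;` is still refused when u1 holds UPDATE but no SELECT on t1. Because the fix widens what the privilege check accepts, a companion negative case would guard against the check becoming over-permissive later: revoke the select grant, then rerun the update under `--error` with whichever access-denied code the server returns. It would also help to run `select * from t1;` on the default connection after the update so the result file records that the row actually changed.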
...@@ -7134,11 +7134,15 @@ static void check_grant_column_int(GRANT_TABLE *grant_table, const char *name, ...@@ -7134,11 +7134,15 @@ static void check_grant_column_int(GRANT_TABLE *grant_table, const char *name,
uint length, ulong *want_access) uint length, ulong *want_access)
{ {
if (grant_table) if (grant_table)
{
*want_access&= ~grant_table->privs;
if (*want_access & grant_table->cols)
{ {
GRANT_COLUMN *grant_column= column_hash_search(grant_table, name, length); GRANT_COLUMN *grant_column= column_hash_search(grant_table, name, length);
if (grant_column) if (grant_column)
*want_access&= ~grant_column->rights; *want_access&= ~grant_column->rights;
} }
}
} }
/* /*
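Review bot: check_grant_column_int now clears table-level bits from `*want_access` before it looks at any column, but nothing in the hunk documents that a function named for a column check also applies table grants. A comment on the new line, such as `/* table-level privileges cover every column, so drop them from the request first */`, would keep a later reader from treating the function as column-only. The guard `if (*want_access & grant_table->cols)` appears to assume that `cols` is the union of all column-level rights on the table; if that is the invariant, it is worth stating next to the test, since a stale `cols` would skip the hash lookup and leave the request unsatisfied. Any header comment for the function lies outside the hunk and may need the same update.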
......