2005-04-05 02:08:12 +02:00
|
|
|
# Can't test with embedded server
|
|
|
|
|
-- source include/not_embedded.inc
|
2005-04-04 21:43:58 +02:00
|
|
|
|
2009-03-03 21:34:18 +01:00
|
|
|
# Save the initial number of concurrent sessions
|
|
|
|
|
--source include/count_sessions.inc
|
|
|
|
|
|
2005-11-24 05:17:38 +01:00
|
|
|
--disable_warnings
|
|
|
|
|
drop database if exists mysqltest;
|
This changeset is largely a handler cleanup changeset (WL#3281), but includes fixes and cleanups that was found necessary while testing the handler changes
Changes that requires code changes in other code of other storage engines.
(Note that all changes are very straightforward and one should find all issues
by compiling a --debug build and fixing all compiler errors and all
asserts in field.cc while running the test suite),
- New optional handler function introduced: reset()
This is called after every DML statement to make it easy for a handler to
statement specific cleanups.
(The only case it's not called is if force the file to be closed)
- handler::extra(HA_EXTRA_RESET) is removed. Code that was there before
should be moved to handler::reset()
- table->read_set contains a bitmap over all columns that are needed
in the query. read_row() and similar functions only needs to read these
columns
- table->write_set contains a bitmap over all columns that will be updated
in the query. write_row() and update_row() only needs to update these
columns.
The above bitmaps should now be up to date in all context
(including ALTER TABLE, filesort()).
The handler is informed of any changes to the bitmap after
fix_fields() by calling the virtual function
handler::column_bitmaps_signal(). If the handler does caching of
these bitmaps (instead of using table->read_set, table->write_set),
it should redo the caching in this code. as the signal() may be sent
several times, it's probably best to set a variable in the signal
and redo the caching on read_row() / write_row() if the variable was
set.
- Removed the read_set and write_set bitmap objects from the handler class
- Removed all column bit handling functions from the handler class.
(Now one instead uses the normal bitmap functions in my_bitmap.c instead
of handler dedicated bitmap functions)
- field->query_id is removed. One should instead instead check
table->read_set and table->write_set if a field is used in the query.
- handler::extra(HA_EXTRA_RETRIVE_ALL_COLS) and
handler::extra(HA_EXTRA_RETRIEVE_PRIMARY_KEY) are removed. One should now
instead use table->read_set to check for which columns to retrieve.
- If a handler needs to call Field->val() or Field->store() on columns
that are not used in the query, one should install a temporary
all-columns-used map while doing so. For this, we provide the following
functions:
my_bitmap_map *old_map= dbug_tmp_use_all_columns(table, table->read_set);
field->val();
dbug_tmp_restore_column_map(table->read_set, old_map);
and similar for the write map:
my_bitmap_map *old_map= dbug_tmp_use_all_columns(table, table->write_set);
field->val();
dbug_tmp_restore_column_map(table->write_set, old_map);
If this is not done, you will sooner or later hit a DBUG_ASSERT
in the field store() / val() functions.
(For not DBUG binaries, the dbug_tmp_restore_column_map() and
dbug_tmp_restore_column_map() are inline dummy functions and should
be optimized away be the compiler).
- If one needs to temporary set the column map for all binaries (and not
just to avoid the DBUG_ASSERT() in the Field::store() / Field::val()
methods) one should use the functions tmp_use_all_columns() and
tmp_restore_column_map() instead of the above dbug_ variants.
- All 'status' fields in the handler base class (like records,
data_file_length etc) are now stored in a 'stats' struct. This makes
it easier to know what status variables are provided by the base
handler. This requires some trivial variable names in the extra()
function.
- New virtual function handler::records(). This is called to optimize
COUNT(*) if (handler::table_flags() & HA_HAS_RECORDS()) is true.
(stats.records is not supposed to be an exact value. It's only has to
be 'reasonable enough' for the optimizer to be able to choose a good
optimization path).
- Non virtual handler::init() function added for caching of virtual
constants from engine.
- Removed has_transactions() virtual method. Now one should instead return
HA_NO_TRANSACTIONS in table_flags() if the table handler DOES NOT support
transactions.
- The 'xxxx_create_handler()' function now has a MEM_ROOT_root argument
that is to be used with 'new handler_name()' to allocate the handler
in the right area. The xxxx_create_handler() function is also
responsible for any initialization of the object before returning.
For example, one should change:
static handler *myisam_create_handler(TABLE_SHARE *table)
{
return new ha_myisam(table);
}
->
static handler *myisam_create_handler(TABLE_SHARE *table, MEM_ROOT *mem_root)
{
return new (mem_root) ha_myisam(table);
}
- New optional virtual function: use_hidden_primary_key().
This is called in case of an update/delete when
(table_flags() and HA_PRIMARY_KEY_REQUIRED_FOR_DELETE) is defined
but we don't have a primary key. This allows the handler to take precisions
in remembering any hidden primary key to able to update/delete any
found row. The default handler marks all columns to be read.
- handler::table_flags() now returns a ulonglong (to allow for more flags).
- New/changed table_flags()
- HA_HAS_RECORDS Set if ::records() is supported
- HA_NO_TRANSACTIONS Set if engine doesn't support transactions
- HA_PRIMARY_KEY_REQUIRED_FOR_DELETE
Set if we should mark all primary key columns for
read when reading rows as part of a DELETE
statement. If there is no primary key,
all columns are marked for read.
- HA_PARTIAL_COLUMN_READ Set if engine will not read all columns in some
cases (based on table->read_set)
- HA_PRIMARY_KEY_ALLOW_RANDOM_ACCESS
Renamed to HA_PRIMARY_KEY_REQUIRED_FOR_POSITION.
- HA_DUPP_POS Renamed to HA_DUPLICATE_POS
- HA_REQUIRES_KEY_COLUMNS_FOR_DELETE
Set this if we should mark ALL key columns for
read when when reading rows as part of a DELETE
statement. In case of an update we will mark
all keys for read for which key part changed
value.
- HA_STATS_RECORDS_IS_EXACT
Set this if stats.records is exact.
(This saves us some extra records() calls
when optimizing COUNT(*))
- Removed table_flags()
- HA_NOT_EXACT_COUNT Now one should instead use HA_HAS_RECORDS if
handler::records() gives an exact count() and
HA_STATS_RECORDS_IS_EXACT if stats.records is exact.
- HA_READ_RND_SAME Removed (no one supported this one)
- Removed not needed functions ha_retrieve_all_cols() and ha_retrieve_all_pk()
- Renamed handler::dupp_pos to handler::dup_pos
- Removed not used variable handler::sortkey
Upper level handler changes:
- ha_reset() now does some overall checks and calls ::reset()
- ha_table_flags() added. This is a cached version of table_flags(). The
cache is updated on engine creation time and updated on open.
MySQL level changes (not obvious from the above):
- DBUG_ASSERT() added to check that column usage matches what is set
in the column usage bit maps. (This found a LOT of bugs in current
column marking code).
- In 5.1 before, all used columns was marked in read_set and only updated
columns was marked in write_set. Now we only mark columns for which we
need a value in read_set.
- Column bitmaps are created in open_binary_frm() and open_table_from_share().
(Before this was in table.cc)
- handler::table_flags() calls are replaced with handler::ha_table_flags()
- For calling field->val() you must have the corresponding bit set in
table->read_set. For calling field->store() you must have the
corresponding bit set in table->write_set. (There are asserts in
all store()/val() functions to catch wrong usage)
- thd->set_query_id is renamed to thd->mark_used_columns and instead
of setting this to an integer value, this has now the values:
MARK_COLUMNS_NONE, MARK_COLUMNS_READ, MARK_COLUMNS_WRITE
Changed also all variables named 'set_query_id' to mark_used_columns.
- In filesort() we now inform the handler of exactly which columns are needed
doing the sort and choosing the rows.
- The TABLE_SHARE object has a 'all_set' column bitmap one can use
when one needs a column bitmap with all columns set.
(This is used for table->use_all_columns() and other places)
- The TABLE object has 3 column bitmaps:
- def_read_set Default bitmap for columns to be read
- def_write_set Default bitmap for columns to be written
- tmp_set Can be used as a temporary bitmap when needed.
The table object has also two pointer to bitmaps read_set and write_set
that the handler should use to find out which columns are used in which way.
- count() optimization now calls handler::records() instead of using
handler->stats.records (if (table_flags() & HA_HAS_RECORDS) is true).
- Added extra argument to Item::walk() to indicate if we should also
traverse sub queries.
- Added TABLE parameter to cp_buffer_from_ref()
- Don't close tables created with CREATE ... SELECT but keep them in
the table cache. (Faster usage of newly created tables).
New interfaces:
- table->clear_column_bitmaps() to initialize the bitmaps for tables
at start of new statements.
- table->column_bitmaps_set() to set up new column bitmaps and signal
the handler about this.
- table->column_bitmaps_set_no_signal() for some few cases where we need
to setup new column bitmaps but don't signal the handler (as the handler
has already been signaled about these before). Used for the momement
only in opt_range.cc when doing ROR scans.
- table->use_all_columns() to install a bitmap where all columns are marked
as use in the read and the write set.
- table->default_column_bitmaps() to install the normal read and write
column bitmaps, but not signaling the handler about this.
This is mainly used when creating TABLE instances.
- table->mark_columns_needed_for_delete(),
table->mark_columns_needed_for_delete() and
table->mark_columns_needed_for_insert() to allow us to put additional
columns in column usage maps if handler so requires.
(The handler indicates what it neads in handler->table_flags())
- table->prepare_for_position() to allow us to tell handler that it
needs to read primary key parts to be able to store them in
future table->position() calls.
(This replaces the table->file->ha_retrieve_all_pk function)
- table->mark_auto_increment_column() to tell handler are going to update
columns part of any auto_increment key.
- table->mark_columns_used_by_index() to mark all columns that is part of
an index. It will also send extra(HA_EXTRA_KEYREAD) to handler to allow
it to quickly know that it only needs to read colums that are part
of the key. (The handler can also use the column map for detecting this,
but simpler/faster handler can just monitor the extra() call).
- table->mark_columns_used_by_index_no_reset() to in addition to other columns,
also mark all columns that is used by the given key.
- table->restore_column_maps_after_mark_index() to restore to default
column maps after a call to table->mark_columns_used_by_index().
- New item function register_field_in_read_map(), for marking used columns
in table->read_map. Used by filesort() to mark all used columns
- Maintain in TABLE->merge_keys set of all keys that are used in query.
(Simplices some optimization loops)
- Maintain Field->part_of_key_not_clustered which is like Field->part_of_key
but the field in the clustered key is not assumed to be part of all index.
(used in opt_range.cc for faster loops)
- dbug_tmp_use_all_columns(), dbug_tmp_restore_column_map()
tmp_use_all_columns() and tmp_restore_column_map() functions to temporally
mark all columns as usable. The 'dbug_' version is primarily intended
inside a handler when it wants to just call Field:store() & Field::val()
functions, but don't need the column maps set for any other usage.
(ie:: bitmap_is_set() is never called)
- We can't use compare_records() to skip updates for handlers that returns
a partial column set and the read_set doesn't cover all columns in the
write set. The reason for this is that if we have a column marked only for
write we can't in the MySQL level know if the value changed or not.
The reason this worked before was that MySQL marked all to be written
columns as also to be read. The new 'optimal' bitmaps exposed this 'hidden
bug'.
- open_table_from_share() does not anymore setup temporary MEM_ROOT
object as a thread specific variable for the handler. Instead we
send the to-be-used MEMROOT to get_new_handler().
(Simpler, faster code)
Bugs fixed:
- Column marking was not done correctly in a lot of cases.
(ALTER TABLE, when using triggers, auto_increment fields etc)
(Could potentially result in wrong values inserted in table handlers
relying on that the old column maps or field->set_query_id was correct)
Especially when it comes to triggers, there may be cases where the
old code would cause lost/wrong values for NDB and/or InnoDB tables.
- Split thd->options flag OPTION_STATUS_NO_TRANS_UPDATE to two flags:
OPTION_STATUS_NO_TRANS_UPDATE and OPTION_KEEP_LOG.
This allowed me to remove some wrong warnings about:
"Some non-transactional changed tables couldn't be rolled back"
- Fixed handling of INSERT .. SELECT and CREATE ... SELECT that wrongly reset
(thd->options & OPTION_STATUS_NO_TRANS_UPDATE) which caused us to loose
some warnings about
"Some non-transactional changed tables couldn't be rolled back")
- Fixed use of uninitialized memory in ha_ndbcluster.cc::delete_table()
which could cause delete_table to report random failures.
- Fixed core dumps for some tests when running with --debug
- Added missing FN_LIBCHAR in mysql_rm_tmp_tables()
(This has probably caused us to not properly remove temporary files after
crash)
- slow_logs was not properly initialized, which could maybe cause
extra/lost entries in slow log.
- If we get an duplicate row on insert, change column map to read and
write all columns while retrying the operation. This is required by
the definition of REPLACE and also ensures that fields that are only
part of UPDATE are properly handled. This fixed a bug in NDB and
REPLACE where REPLACE wrongly copied some column values from the replaced
row.
- For table handler that doesn't support NULL in keys, we would give an error
when creating a primary key with NULL fields, even after the fields has been
automaticly converted to NOT NULL.
- Creating a primary key on a SPATIAL key, would fail if field was not
declared as NOT NULL.
Cleanups:
- Removed not used condition argument to setup_tables
- Removed not needed item function reset_query_id_processor().
- Field->add_index is removed. Now this is instead maintained in
(field->flags & FIELD_IN_ADD_INDEX)
- Field->fieldnr is removed (use field->field_index instead)
- New argument to filesort() to indicate that it should return a set of
row pointers (not used columns). This allowed me to remove some references
to sql_command in filesort and should also enable us to return column
results in some cases where we couldn't before.
- Changed column bitmap handling in opt_range.cc to be aligned with TABLE
bitmap, which allowed me to use bitmap functions instead of looping over
all fields to create some needed bitmaps. (Faster and smaller code)
- Broke up found too long lines
- Moved some variable declaration at start of function for better code
readability.
- Removed some not used arguments from functions.
(setup_fields(), mysql_prepare_insert_check_table())
- setup_fields() now takes an enum instead of an int for marking columns
usage.
- For internal temporary tables, use handler::write_row(),
handler::delete_row() and handler::update_row() instead of
handler::ha_xxxx() for faster execution.
- Changed some constants to enum's and define's.
- Using separate column read and write sets allows for easier checking
of timestamp field was set by statement.
- Remove calls to free_io_cache() as this is now done automaticly in ha_reset()
- Don't build table->normalized_path as this is now identical to table->path
(after bar's fixes to convert filenames)
- Fixed some missed DBUG_PRINT(.."%lx") to use "0x%lx" to make it easier to
do comparision with the 'convert-dbug-for-diff' tool.
Things left to do in 5.1:
- We wrongly log failed CREATE TABLE ... SELECT in some cases when using
row based logging (as shown by testcase binlog_row_mix_innodb_myisam.result)
Mats has promised to look into this.
- Test that my fix for CREATE TABLE ... SELECT is indeed correct.
(I added several test cases for this, but in this case it's better that
someone else also tests this throughly).
Lars has promosed to do this.
2006-06-04 17:52:22 +02:00
|
|
|
drop view if exists v1,v2,v3;
|
2005-11-24 05:17:38 +01:00
|
|
|
--enable_warnings
|
|
|
|
|
|
|
|
|
|
|
2005-04-04 21:43:58 +02:00
|
|
|
# simple test of grants
|
|
|
|
|
grant create view on test.* to test@localhost;
|
|
|
|
|
show grants for test@localhost;
|
|
|
|
|
revoke create view on test.* from test@localhost;
|
|
|
|
|
show grants for test@localhost;
|
2006-01-26 17:54:34 +01:00
|
|
|
# The grant above creates a new user test@localhost, delete it
|
|
|
|
|
drop user test@localhost;
|
2005-04-04 21:43:58 +02:00
|
|
|
|
|
|
|
|
# grant create view test
|
|
|
|
|
#
|
|
|
|
|
connect (root,localhost,root,,test);
|
|
|
|
|
connection root;
|
|
|
|
|
--disable_warnings
|
|
|
|
|
create database mysqltest;
|
|
|
|
|
--enable_warnings
|
|
|
|
|
|
|
|
|
|
create table mysqltest.t1 (a int, b int);
|
|
|
|
|
create table mysqltest.t2 (a int, b int);
|
|
|
|
|
|
|
|
|
|
grant select on mysqltest.t1 to mysqltest_1@localhost;
|
|
|
|
|
grant create view,select on test.* to mysqltest_1@localhost;
|
|
|
|
|
|
|
|
|
|
connect (user1,localhost,mysqltest_1,,test);
|
|
|
|
|
connection user1;
|
|
|
|
|
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
|
2005-09-14 09:53:09 +02:00
|
|
|
create definer=root@localhost view v1 as select * from mysqltest.t1;
|
2005-04-04 21:43:58 +02:00
|
|
|
create view v1 as select * from mysqltest.t1;
|
|
|
|
|
# try to modify view without DROP privilege on it
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
2005-04-04 21:43:58 +02:00
|
|
|
alter view v1 as select * from mysqltest.t1;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
2005-04-04 21:43:58 +02:00
|
|
|
create or replace view v1 as select * from mysqltest.t1;
|
|
|
|
|
# no CRETE VIEW privilege
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
2005-04-04 21:43:58 +02:00
|
|
|
create view mysqltest.v2 as select * from mysqltest.t1;
|
|
|
|
|
# no SELECT privilege
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
2005-04-04 21:43:58 +02:00
|
|
|
create view v2 as select * from mysqltest.t2;
|
|
|
|
|
|
|
|
|
|
connection root;
|
2005-09-14 09:53:09 +02:00
|
|
|
# check view definer information
|
|
|
|
|
show create view v1;
|
|
|
|
|
|
2005-04-04 21:43:58 +02:00
|
|
|
grant create view,drop,select on test.* to mysqltest_1@localhost;
|
|
|
|
|
|
|
|
|
|
connection user1;
|
2009-03-03 21:34:18 +01:00
|
|
|
# following 'use' command is workaround of Bug#9582 and should be removed
|
2005-04-04 21:43:58 +02:00
|
|
|
# when that bug will be fixed
|
|
|
|
|
use test;
|
|
|
|
|
alter view v1 as select * from mysqltest.t1;
|
|
|
|
|
create or replace view v1 as select * from mysqltest.t1;
|
|
|
|
|
|
|
|
|
|
connection root;
|
|
|
|
|
revoke all privileges on mysqltest.t1 from mysqltest_1@localhost;
|
|
|
|
|
revoke all privileges on test.* from mysqltest_1@localhost;
|
|
|
|
|
|
|
|
|
|
drop database mysqltest;
|
|
|
|
|
drop view test.v1;
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# grants per columns
|
|
|
|
|
#
|
|
|
|
|
# MERGE algorithm
|
|
|
|
|
--disable_warnings
|
|
|
|
|
create database mysqltest;
|
|
|
|
|
--enable_warnings
|
|
|
|
|
|
|
|
|
|
create table mysqltest.t1 (a int, b int);
|
|
|
|
|
create view mysqltest.v1 (c,d) as select a+1,b+1 from mysqltest.t1;
|
|
|
|
|
grant select (c) on mysqltest.v1 to mysqltest_1@localhost;
|
|
|
|
|
|
|
|
|
|
connection user1;
|
|
|
|
|
select c from mysqltest.v1;
|
|
|
|
|
# there are no privileges on column 'd'
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_COLUMNACCESS_DENIED_ERROR
|
2005-04-04 21:43:58 +02:00
|
|
|
select d from mysqltest.v1;
|
|
|
|
|
|
|
|
|
|
connection root;
|
|
|
|
|
revoke all privileges on mysqltest.v1 from mysqltest_1@localhost;
|
|
|
|
|
delete from mysql.user where user='mysqltest_1';
|
|
|
|
|
drop database mysqltest;
|
|
|
|
|
|
|
|
|
|
# TEMPORARY TABLE algorithm
|
|
|
|
|
--disable_warnings
|
|
|
|
|
create database mysqltest;
|
|
|
|
|
--enable_warnings
|
|
|
|
|
|
|
|
|
|
create table mysqltest.t1 (a int, b int);
|
|
|
|
|
create algorithm=temptable view mysqltest.v1 (c,d) as select a+1,b+1 from mysqltest.t1;
|
|
|
|
|
grant select (c) on mysqltest.v1 to mysqltest_1@localhost;
|
|
|
|
|
|
|
|
|
|
connection user1;
|
|
|
|
|
select c from mysqltest.v1;
|
|
|
|
|
# there are no privileges on column 'd'
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_COLUMNACCESS_DENIED_ERROR
|
2005-04-04 21:43:58 +02:00
|
|
|
select d from mysqltest.v1;
|
|
|
|
|
|
|
|
|
|
connection root;
|
|
|
|
|
revoke all privileges on mysqltest.v1 from mysqltest_1@localhost;
|
|
|
|
|
delete from mysql.user where user='mysqltest_1';
|
|
|
|
|
drop database mysqltest;
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# EXPLAIN rights
|
|
|
|
|
#
|
|
|
|
|
connection root;
|
|
|
|
|
--disable_warnings
|
|
|
|
|
create database mysqltest;
|
|
|
|
|
--enable_warnings
|
2009-03-03 21:34:18 +01:00
|
|
|
# prepare views and tables
|
2005-04-04 21:43:58 +02:00
|
|
|
create table mysqltest.t1 (a int, b int);
|
|
|
|
|
create table mysqltest.t2 (a int, b int);
|
|
|
|
|
create view mysqltest.v1 (c,d) as select a+1,b+1 from mysqltest.t1;
|
|
|
|
|
create algorithm=temptable view mysqltest.v2 (c,d) as select a+1,b+1 from mysqltest.t1;
|
|
|
|
|
create view mysqltest.v3 (c,d) as select a+1,b+1 from mysqltest.t2;
|
|
|
|
|
create algorithm=temptable view mysqltest.v4 (c,d) as select a+1,b+1 from mysqltest.t2;
|
2011-09-29 11:47:11 +02:00
|
|
|
# v5: SHOW VIEW, but no SELECT
|
|
|
|
|
create view mysqltest.v5 (c,d) as select a+1,b+1 from mysqltest.t1;
|
2005-04-04 21:43:58 +02:00
|
|
|
grant select on mysqltest.v1 to mysqltest_1@localhost;
|
|
|
|
|
grant select on mysqltest.v2 to mysqltest_1@localhost;
|
|
|
|
|
grant select on mysqltest.v3 to mysqltest_1@localhost;
|
|
|
|
|
grant select on mysqltest.v4 to mysqltest_1@localhost;
|
2011-09-29 11:47:11 +02:00
|
|
|
grant show view on mysqltest.v5 to mysqltest_1@localhost;
|
2005-04-04 21:43:58 +02:00
|
|
|
|
|
|
|
|
connection user1;
|
2011-09-29 11:47:11 +02:00
|
|
|
# all SELECTs works, except v5 which lacks SELECT privs
|
2005-04-04 21:43:58 +02:00
|
|
|
select c from mysqltest.v1;
|
|
|
|
|
select c from mysqltest.v2;
|
|
|
|
|
select c from mysqltest.v3;
|
|
|
|
|
select c from mysqltest.v4;
|
2011-09-29 11:47:11 +02:00
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
|
|
|
select c from mysqltest.v5;
|
2005-04-04 21:43:58 +02:00
|
|
|
# test of show coluns
|
|
|
|
|
show columns from mysqltest.v1;
|
|
|
|
|
show columns from mysqltest.v2;
|
2011-09-29 11:47:11 +02:00
|
|
|
# explain/show fail
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_VIEW_NO_EXPLAIN
|
2005-04-04 21:43:58 +02:00
|
|
|
explain select c from mysqltest.v1;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
2005-04-04 21:43:58 +02:00
|
|
|
show create view mysqltest.v1;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_VIEW_NO_EXPLAIN
|
2005-04-04 21:43:58 +02:00
|
|
|
explain select c from mysqltest.v2;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
2005-04-04 21:43:58 +02:00
|
|
|
show create view mysqltest.v2;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_VIEW_NO_EXPLAIN
|
2005-04-04 21:43:58 +02:00
|
|
|
explain select c from mysqltest.v3;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
2005-04-04 21:43:58 +02:00
|
|
|
show create view mysqltest.v3;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_VIEW_NO_EXPLAIN
|
2005-04-04 21:43:58 +02:00
|
|
|
explain select c from mysqltest.v4;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
2005-04-04 21:43:58 +02:00
|
|
|
show create view mysqltest.v4;
|
2011-09-29 11:47:11 +02:00
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
|
|
|
explain select c from mysqltest.v5;
|
|
|
|
|
show create view mysqltest.v5;
|
2005-04-04 21:43:58 +02:00
|
|
|
|
2011-09-29 11:47:11 +02:00
|
|
|
# missing SELECT on underlying t1, no SHOW VIEW on v1 either.
|
|
|
|
|
--error ER_VIEW_NO_EXPLAIN
|
|
|
|
|
explain select c from mysqltest.v1;
|
|
|
|
|
# missing SHOW VIEW
|
|
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
|
|
|
show create view mysqltest.v1;
|
2005-04-04 21:43:58 +02:00
|
|
|
# allow to see one of underlying table
|
|
|
|
|
connection root;
|
2011-09-29 11:47:11 +02:00
|
|
|
grant show view on mysqltest.v1 to mysqltest_1@localhost;
|
2005-04-04 21:43:58 +02:00
|
|
|
grant select on mysqltest.t1 to mysqltest_1@localhost;
|
|
|
|
|
connection user1;
|
2011-09-29 11:47:11 +02:00
|
|
|
# EXPLAIN works
|
2005-04-04 21:43:58 +02:00
|
|
|
explain select c from mysqltest.v1;
|
|
|
|
|
show create view mysqltest.v1;
|
2011-09-29 11:47:11 +02:00
|
|
|
# missing SHOW VIEW
|
|
|
|
|
--error ER_VIEW_NO_EXPLAIN
|
2005-04-04 21:43:58 +02:00
|
|
|
explain select c from mysqltest.v2;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
2005-04-04 21:43:58 +02:00
|
|
|
show create view mysqltest.v2;
|
|
|
|
|
# but other EXPLAINs do not
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_VIEW_NO_EXPLAIN
|
2005-04-04 21:43:58 +02:00
|
|
|
explain select c from mysqltest.v3;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
2005-04-04 21:43:58 +02:00
|
|
|
show create view mysqltest.v3;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_VIEW_NO_EXPLAIN
|
2005-04-04 21:43:58 +02:00
|
|
|
explain select c from mysqltest.v4;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
2005-04-04 21:43:58 +02:00
|
|
|
show create view mysqltest.v4;
|
2011-09-29 11:47:11 +02:00
|
|
|
# we have SHOW VIEW on v5, and SELECT on t1 -- not enough
|
|
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
|
|
|
explain select c from mysqltest.v5;
|
|
|
|
|
# we can SHOW CREATE VIEW though
|
|
|
|
|
show create view mysqltest.v5;
|
2005-04-04 21:43:58 +02:00
|
|
|
|
|
|
|
|
# allow to see any view in mysqltest database
|
|
|
|
|
connection root;
|
|
|
|
|
grant show view on mysqltest.* to mysqltest_1@localhost;
|
|
|
|
|
connection user1;
|
|
|
|
|
explain select c from mysqltest.v1;
|
|
|
|
|
show create view mysqltest.v1;
|
|
|
|
|
explain select c from mysqltest.v2;
|
|
|
|
|
show create view mysqltest.v2;
|
2011-09-29 11:47:11 +02:00
|
|
|
# have SHOW VIEW | SELECT on v3, but no SELECT on t2
|
|
|
|
|
--error ER_VIEW_NO_EXPLAIN
|
2005-04-04 21:43:58 +02:00
|
|
|
explain select c from mysqltest.v3;
|
|
|
|
|
show create view mysqltest.v3;
|
2011-09-29 11:47:11 +02:00
|
|
|
# have SHOW VIEW | SELECT on v4, but no SELECT on t2
|
|
|
|
|
--error ER_VIEW_NO_EXPLAIN
|
2005-04-04 21:43:58 +02:00
|
|
|
explain select c from mysqltest.v4;
|
|
|
|
|
show create view mysqltest.v4;
|
|
|
|
|
|
|
|
|
|
connection root;
|
|
|
|
|
revoke all privileges on mysqltest.* from mysqltest_1@localhost;
|
|
|
|
|
delete from mysql.user where user='mysqltest_1';
|
|
|
|
|
drop database mysqltest;
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# UPDATE privileges on VIEW columns and whole VIEW
|
|
|
|
|
#
|
|
|
|
|
connection root;
|
|
|
|
|
--disable_warnings
|
|
|
|
|
create database mysqltest;
|
|
|
|
|
--enable_warnings
|
|
|
|
|
|
|
|
|
|
create table mysqltest.t1 (a int, b int, primary key(a));
|
|
|
|
|
insert into mysqltest.t1 values (10,2), (20,3), (30,4), (40,5), (50,10);
|
|
|
|
|
create table mysqltest.t2 (x int);
|
|
|
|
|
insert into mysqltest.t2 values (3), (4), (5), (6);
|
|
|
|
|
create view mysqltest.v1 (a,c) as select a, b+1 from mysqltest.t1;
|
|
|
|
|
create view mysqltest.v2 (a,c) as select a, b from mysqltest.t1;
|
|
|
|
|
create view mysqltest.v3 (a,c) as select a, b+1 from mysqltest.t1;
|
|
|
|
|
|
|
|
|
|
grant update (a) on mysqltest.v2 to mysqltest_1@localhost;
|
|
|
|
|
grant update on mysqltest.v1 to mysqltest_1@localhost;
|
|
|
|
|
grant select on mysqltest.* to mysqltest_1@localhost;
|
|
|
|
|
|
|
|
|
|
connection user1;
|
|
|
|
|
use mysqltest;
|
|
|
|
|
# update with rights on VIEW column
|
|
|
|
|
update t2,v1 set v1.a=v1.a+v1.c where t2.x=v1.c;
|
|
|
|
|
select * from t1;
|
|
|
|
|
update v1 set a=a+c;
|
|
|
|
|
select * from t1;
|
|
|
|
|
# update with rights on whole VIEW
|
|
|
|
|
update t2,v2 set v2.a=v2.a+v2.c where t2.x=v2.c;
|
|
|
|
|
select * from t1;
|
|
|
|
|
update v2 set a=a+c;
|
|
|
|
|
select * from t1;
|
|
|
|
|
# no rights on column
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_COLUMNACCESS_DENIED_ERROR
|
2005-04-04 21:43:58 +02:00
|
|
|
update t2,v2 set v2.c=v2.a+v2.c where t2.x=v2.c;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_COLUMNACCESS_DENIED_ERROR
|
2005-04-04 21:43:58 +02:00
|
|
|
update v2 set c=a+c;
|
|
|
|
|
# no rights for view
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
2005-04-04 21:43:58 +02:00
|
|
|
update t2,v3 set v3.a=v3.a+v3.c where t2.x=v3.c;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
2005-04-04 21:43:58 +02:00
|
|
|
update v3 set a=a+c;
|
|
|
|
|
|
|
|
|
|
use test;
|
|
|
|
|
connection root;
|
|
|
|
|
REVOKE ALL PRIVILEGES, GRANT OPTION FROM mysqltest_1@localhost;
|
|
|
|
|
drop database mysqltest;
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# DELETE privileges on VIEW
|
|
|
|
|
#
|
|
|
|
|
connection root;
|
|
|
|
|
--disable_warnings
|
|
|
|
|
create database mysqltest;
|
|
|
|
|
--enable_warnings
|
|
|
|
|
|
|
|
|
|
create table mysqltest.t1 (a int, b int, primary key(a));
|
|
|
|
|
insert into mysqltest.t1 values (1,2), (2,3), (3,4), (4,5), (5,10);
|
|
|
|
|
create table mysqltest.t2 (x int);
|
|
|
|
|
insert into mysqltest.t2 values (3), (4), (5), (6);
|
|
|
|
|
create view mysqltest.v1 (a,c) as select a, b+1 from mysqltest.t1;
|
|
|
|
|
create view mysqltest.v2 (a,c) as select a, b+1 from mysqltest.t1;
|
|
|
|
|
|
|
|
|
|
grant delete on mysqltest.v1 to mysqltest_1@localhost;
|
|
|
|
|
grant select on mysqltest.* to mysqltest_1@localhost;
|
|
|
|
|
|
|
|
|
|
connection user1;
|
|
|
|
|
use mysqltest;
|
|
|
|
|
# update with rights on VIEW column
|
|
|
|
|
delete from v1 where c < 4;
|
|
|
|
|
select * from t1;
|
|
|
|
|
delete v1 from t2,v1 where t2.x=v1.c;
|
|
|
|
|
select * from t1;
|
|
|
|
|
# no rights for view
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
2005-04-04 21:43:58 +02:00
|
|
|
delete v2 from t2,v2 where t2.x=v2.c;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
2005-04-04 21:43:58 +02:00
|
|
|
delete from v2 where c < 4;
|
|
|
|
|
|
|
|
|
|
use test;
|
|
|
|
|
connection root;
|
|
|
|
|
REVOKE ALL PRIVILEGES, GRANT OPTION FROM mysqltest_1@localhost;
|
|
|
|
|
drop database mysqltest;
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# insert privileges on VIEW
|
|
|
|
|
#
|
|
|
|
|
connection root;
|
|
|
|
|
--disable_warnings
|
|
|
|
|
create database mysqltest;
|
|
|
|
|
--enable_warnings
|
|
|
|
|
|
|
|
|
|
create table mysqltest.t1 (a int, b int, primary key(a));
|
|
|
|
|
insert into mysqltest.t1 values (1,2), (2,3);
|
|
|
|
|
create table mysqltest.t2 (x int, y int);
|
|
|
|
|
insert into mysqltest.t2 values (3,4);
|
|
|
|
|
create view mysqltest.v1 (a,c) as select a, b from mysqltest.t1;
|
|
|
|
|
create view mysqltest.v2 (a,c) as select a, b from mysqltest.t1;
|
|
|
|
|
|
|
|
|
|
grant insert on mysqltest.v1 to mysqltest_1@localhost;
|
|
|
|
|
grant select on mysqltest.* to mysqltest_1@localhost;
|
|
|
|
|
|
|
|
|
|
connection user1;
|
|
|
|
|
use mysqltest;
|
|
|
|
|
# update with rights on VIEW column
|
|
|
|
|
insert into v1 values (5,6);
|
|
|
|
|
select * from t1;
|
|
|
|
|
insert into v1 select x,y from t2;
|
|
|
|
|
select * from t1;
|
|
|
|
|
# no rights for view
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
2005-04-04 21:43:58 +02:00
|
|
|
insert into v2 values (5,6);
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
2005-04-04 21:43:58 +02:00
|
|
|
insert into v2 select x,y from t2;
|
|
|
|
|
|
|
|
|
|
use test;
|
|
|
|
|
connection root;
|
|
|
|
|
REVOKE ALL PRIVILEGES, GRANT OPTION FROM mysqltest_1@localhost;
|
|
|
|
|
drop database mysqltest;
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# test of CREATE VIEW privileges if we have limited privileges
|
|
|
|
|
#
|
|
|
|
|
connection root;
|
|
|
|
|
--disable_warnings
|
|
|
|
|
create database mysqltest;
|
|
|
|
|
--enable_warnings
|
|
|
|
|
|
|
|
|
|
create table mysqltest.t1 (a int, b int);
|
|
|
|
|
create table mysqltest.t2 (a int, b int);
|
|
|
|
|
|
|
|
|
|
grant update on mysqltest.t1 to mysqltest_1@localhost;
|
|
|
|
|
grant update(b) on mysqltest.t2 to mysqltest_1@localhost;
|
|
|
|
|
grant create view,update on test.* to mysqltest_1@localhost;
|
|
|
|
|
|
|
|
|
|
connection user1;
|
|
|
|
|
|
|
|
|
|
create view v1 as select * from mysqltest.t1;
|
|
|
|
|
create view v2 as select b from mysqltest.t2;
|
|
|
|
|
# There are not rights on mysqltest.v1
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
2005-04-04 21:43:58 +02:00
|
|
|
create view mysqltest.v1 as select * from mysqltest.t1;
|
|
|
|
|
# There are not any rights on mysqltest.t2.a
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_COLUMNACCESS_DENIED_ERROR
|
2005-04-04 21:43:58 +02:00
|
|
|
create view v3 as select a from mysqltest.t2;
|
|
|
|
|
|
|
|
|
|
# give CREATE VIEW privileges (without any privileges for result column)
|
|
|
|
|
connection root;
|
|
|
|
|
create table mysqltest.v3 (b int);
|
|
|
|
|
grant create view on mysqltest.v3 to mysqltest_1@localhost;
|
|
|
|
|
drop table mysqltest.v3;
|
|
|
|
|
connection user1;
|
|
|
|
|
create view mysqltest.v3 as select b from mysqltest.t2;
|
|
|
|
|
|
|
|
|
|
# give UPDATE privileges
|
|
|
|
|
connection root;
|
|
|
|
|
grant create view, update on mysqltest.v3 to mysqltest_1@localhost;
|
|
|
|
|
drop view mysqltest.v3;
|
|
|
|
|
connection user1;
|
|
|
|
|
create view mysqltest.v3 as select b from mysqltest.t2;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Expression need select privileges
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_COLUMNACCESS_DENIED_ERROR
|
2005-04-04 21:43:58 +02:00
|
|
|
create view v4 as select b+1 from mysqltest.t2;
|
|
|
|
|
|
|
|
|
|
connection root;
|
|
|
|
|
grant create view,update,select on test.* to mysqltest_1@localhost;
|
|
|
|
|
connection user1;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_COLUMNACCESS_DENIED_ERROR
|
2005-04-04 21:43:58 +02:00
|
|
|
create view v4 as select b+1 from mysqltest.t2;
|
|
|
|
|
|
|
|
|
|
connection root;
|
|
|
|
|
grant update,select(b) on mysqltest.t2 to mysqltest_1@localhost;
|
|
|
|
|
connection user1;
|
|
|
|
|
create view v4 as select b+1 from mysqltest.t2;
|
|
|
|
|
|
|
|
|
|
connection root;
|
|
|
|
|
REVOKE ALL PRIVILEGES, GRANT OPTION FROM mysqltest_1@localhost;
|
|
|
|
|
drop database mysqltest;
|
|
|
|
|
drop view v1,v2,v4;
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# user with global DB privileges
|
|
|
|
|
#
|
|
|
|
|
connection root;
|
|
|
|
|
--disable_warnings
|
|
|
|
|
create database mysqltest;
|
|
|
|
|
--enable_warnings
|
|
|
|
|
create table mysqltest.t1 (a int);
|
|
|
|
|
grant all privileges on mysqltest.* to mysqltest_1@localhost;
|
|
|
|
|
|
|
|
|
|
connection user1;
|
|
|
|
|
use mysqltest;
|
|
|
|
|
create view v1 as select * from t1;
|
2005-10-27 23:18:23 +02:00
|
|
|
use test;
|
2005-04-04 21:43:58 +02:00
|
|
|
|
|
|
|
|
connection root;
|
|
|
|
|
revoke all privileges on mysqltest.* from mysqltest_1@localhost;
|
|
|
|
|
drop database mysqltest;
|
|
|
|
|
|
2005-10-27 23:18:23 +02:00
|
|
|
#
|
|
|
|
|
# view definer grants revoking
|
|
|
|
|
#
|
|
|
|
|
connection root;
|
|
|
|
|
--disable_warnings
|
|
|
|
|
create database mysqltest;
|
|
|
|
|
--enable_warnings
|
|
|
|
|
|
|
|
|
|
create table mysqltest.t1 (a int, b int);
|
|
|
|
|
|
|
|
|
|
grant select on mysqltest.t1 to mysqltest_1@localhost;
|
|
|
|
|
grant create view,select on test.* to mysqltest_1@localhost;
|
|
|
|
|
|
|
|
|
|
connection user1;
|
|
|
|
|
|
|
|
|
|
create view v1 as select * from mysqltest.t1;
|
|
|
|
|
|
|
|
|
|
connection root;
|
|
|
|
|
# check view definer information
|
|
|
|
|
show create view v1;
|
|
|
|
|
revoke select on mysqltest.t1 from mysqltest_1@localhost;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_VIEW_INVALID
|
2005-10-27 23:18:23 +02:00
|
|
|
select * from v1;
|
|
|
|
|
grant select on mysqltest.t1 to mysqltest_1@localhost;
|
|
|
|
|
select * from v1;
|
|
|
|
|
REVOKE ALL PRIVILEGES, GRANT OPTION FROM mysqltest_1@localhost;
|
|
|
|
|
drop view v1;
|
|
|
|
|
drop database mysqltest;
|
|
|
|
|
|
|
|
|
|
#
|
2009-03-03 21:34:18 +01:00
|
|
|
# rights on execution of view underlying functiond (Bug#9505)
|
2005-10-27 23:18:23 +02:00
|
|
|
#
|
|
|
|
|
connection root;
|
|
|
|
|
--disable_warnings
|
|
|
|
|
create database mysqltest;
|
|
|
|
|
--enable_warnings
|
|
|
|
|
|
|
|
|
|
use mysqltest;
|
|
|
|
|
create table t1 (a int);
|
|
|
|
|
insert into t1 values (1);
|
|
|
|
|
create table t2 (s1 int);
|
|
|
|
|
--disable_warnings
|
|
|
|
|
drop function if exists f2;
|
|
|
|
|
--enable_warnings
|
|
|
|
|
delimiter //;
|
|
|
|
|
create function f2 () returns int begin declare v int; select s1 from t2
|
|
|
|
|
into v; return v; end//
|
|
|
|
|
delimiter ;//
|
|
|
|
|
create algorithm=TEMPTABLE view v1 as select f2() from t1;
|
|
|
|
|
create algorithm=MERGE view v2 as select f2() from t1;
|
|
|
|
|
create algorithm=TEMPTABLE SQL SECURITY INVOKER view v3 as select f2() from t1;
|
|
|
|
|
create algorithm=MERGE SQL SECURITY INVOKER view v4 as select f2() from t1;
|
|
|
|
|
create SQL SECURITY INVOKER view v5 as select * from v4;
|
|
|
|
|
grant select on v1 to mysqltest_1@localhost;
|
|
|
|
|
grant select on v2 to mysqltest_1@localhost;
|
|
|
|
|
grant select on v3 to mysqltest_1@localhost;
|
|
|
|
|
grant select on v4 to mysqltest_1@localhost;
|
|
|
|
|
grant select on v5 to mysqltest_1@localhost;
|
|
|
|
|
|
|
|
|
|
connection user1;
|
|
|
|
|
use mysqltest;
|
|
|
|
|
select * from v1;
|
|
|
|
|
select * from v2;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_VIEW_INVALID
|
2005-10-27 23:18:23 +02:00
|
|
|
select * from v3;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_VIEW_INVALID
|
2005-10-27 23:18:23 +02:00
|
|
|
select * from v4;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_VIEW_INVALID
|
2005-10-27 23:18:23 +02:00
|
|
|
select * from v5;
|
|
|
|
|
use test;
|
|
|
|
|
|
|
|
|
|
connection root;
|
|
|
|
|
drop view v1, v2, v3, v4, v5;
|
|
|
|
|
drop function f2;
|
|
|
|
|
drop table t1, t2;
|
|
|
|
|
use test;
|
|
|
|
|
REVOKE ALL PRIVILEGES, GRANT OPTION FROM mysqltest_1@localhost;
|
|
|
|
|
drop database mysqltest;
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# revertion of previous test, definer of view lost his/her rights to execute
|
|
|
|
|
# function
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
connection root;
|
|
|
|
|
--disable_warnings
|
|
|
|
|
create database mysqltest;
|
|
|
|
|
--enable_warnings
|
|
|
|
|
|
|
|
|
|
use mysqltest;
|
|
|
|
|
create table t1 (a int);
|
|
|
|
|
insert into t1 values (1);
|
|
|
|
|
create table t2 (s1 int);
|
|
|
|
|
--disable_warnings
|
|
|
|
|
drop function if exists f2;
|
|
|
|
|
--enable_warnings
|
|
|
|
|
delimiter //;
|
|
|
|
|
create function f2 () returns int begin declare v int; select s1 from t2
|
|
|
|
|
into v; return v; end//
|
|
|
|
|
delimiter ;//
|
|
|
|
|
grant select on t1 to mysqltest_1@localhost;
|
|
|
|
|
grant execute on function f2 to mysqltest_1@localhost;
|
|
|
|
|
grant create view on mysqltest.* to mysqltest_1@localhost;
|
|
|
|
|
|
|
|
|
|
connection user1;
|
|
|
|
|
use mysqltest;
|
|
|
|
|
create algorithm=TEMPTABLE view v1 as select f2() from t1;
|
|
|
|
|
create algorithm=MERGE view v2 as select f2() from t1;
|
|
|
|
|
create algorithm=TEMPTABLE SQL SECURITY INVOKER view v3 as select f2() from t1;
|
|
|
|
|
create algorithm=MERGE SQL SECURITY INVOKER view v4 as select f2() from t1;
|
|
|
|
|
use test;
|
|
|
|
|
|
|
|
|
|
connection root;
|
|
|
|
|
create view v5 as select * from v1;
|
|
|
|
|
revoke execute on function f2 from mysqltest_1@localhost;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_VIEW_INVALID
|
2005-10-27 23:18:23 +02:00
|
|
|
select * from v1;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_VIEW_INVALID
|
2005-10-27 23:18:23 +02:00
|
|
|
select * from v2;
|
|
|
|
|
select * from v3;
|
|
|
|
|
select * from v4;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_VIEW_INVALID
|
2005-10-27 23:18:23 +02:00
|
|
|
select * from v5;
|
|
|
|
|
|
|
|
|
|
drop view v1, v2, v3, v4, v5;
|
|
|
|
|
drop function f2;
|
|
|
|
|
drop table t1, t2;
|
|
|
|
|
use test;
|
|
|
|
|
REVOKE ALL PRIVILEGES, GRANT OPTION FROM mysqltest_1@localhost;
|
|
|
|
|
drop database mysqltest;
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# definer/invoker rights for columns
|
|
|
|
|
#
|
|
|
|
|
connection root;
|
|
|
|
|
--disable_warnings
|
|
|
|
|
create database mysqltest;
|
|
|
|
|
--enable_warnings
|
|
|
|
|
|
|
|
|
|
use mysqltest;
|
|
|
|
|
create table t1 (a int);
|
|
|
|
|
create table v1 (a int);
|
|
|
|
|
insert into t1 values (1);
|
|
|
|
|
grant select on t1 to mysqltest_1@localhost;
|
|
|
|
|
grant select on v1 to mysqltest_1@localhost;
|
|
|
|
|
grant create view on mysqltest.* to mysqltest_1@localhost;
|
|
|
|
|
drop table v1;
|
|
|
|
|
|
|
|
|
|
connection user1;
|
|
|
|
|
use mysqltest;
|
|
|
|
|
create algorithm=TEMPTABLE view v1 as select *, a as b from t1;
|
|
|
|
|
create algorithm=MERGE view v2 as select *, a as b from t1;
|
|
|
|
|
create algorithm=TEMPTABLE SQL SECURITY INVOKER view v3 as select *, a as b from t1;
|
|
|
|
|
create algorithm=MERGE SQL SECURITY INVOKER view v4 as select *, a as b from t1;
|
|
|
|
|
create view v5 as select * from v1;
|
|
|
|
|
use test;
|
|
|
|
|
|
|
|
|
|
connection root;
|
|
|
|
|
revoke select on t1 from mysqltest_1@localhost;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_VIEW_INVALID
|
2005-10-27 23:18:23 +02:00
|
|
|
select * from v1;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_VIEW_INVALID
|
2005-10-27 23:18:23 +02:00
|
|
|
select * from v2;
|
|
|
|
|
select * from v3;
|
|
|
|
|
select * from v4;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_VIEW_INVALID
|
2005-10-27 23:18:23 +02:00
|
|
|
select * from v5;
|
|
|
|
|
|
|
|
|
|
#drop view v1, v2, v3, v4, v5;
|
|
|
|
|
drop table t1;
|
|
|
|
|
use test;
|
|
|
|
|
REVOKE ALL PRIVILEGES, GRANT OPTION FROM mysqltest_1@localhost;
|
|
|
|
|
drop database mysqltest;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
connection root;
|
|
|
|
|
--disable_warnings
|
|
|
|
|
create database mysqltest;
|
|
|
|
|
--enable_warnings
|
|
|
|
|
|
|
|
|
|
use mysqltest;
|
|
|
|
|
create table t1 (a int);
|
|
|
|
|
insert into t1 values (1);
|
|
|
|
|
create algorithm=TEMPTABLE view v1 as select *, a as b from t1;
|
|
|
|
|
create algorithm=MERGE view v2 as select *, a as b from t1;
|
|
|
|
|
create algorithm=TEMPTABLE SQL SECURITY INVOKER view v3 as select *, a as b from t1;
|
|
|
|
|
create algorithm=MERGE SQL SECURITY INVOKER view v4 as select *, a as b from t1;
|
|
|
|
|
create SQL SECURITY INVOKER view v5 as select * from v4;
|
|
|
|
|
grant select on v1 to mysqltest_1@localhost;
|
|
|
|
|
grant select on v2 to mysqltest_1@localhost;
|
|
|
|
|
grant select on v3 to mysqltest_1@localhost;
|
|
|
|
|
grant select on v4 to mysqltest_1@localhost;
|
|
|
|
|
grant select on v5 to mysqltest_1@localhost;
|
|
|
|
|
|
|
|
|
|
connection user1;
|
|
|
|
|
use mysqltest;
|
|
|
|
|
select * from v1;
|
|
|
|
|
select * from v2;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_VIEW_INVALID
|
2005-10-27 23:18:23 +02:00
|
|
|
select * from v3;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_VIEW_INVALID
|
2005-10-27 23:18:23 +02:00
|
|
|
select * from v4;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_VIEW_INVALID
|
2005-10-27 23:18:23 +02:00
|
|
|
select * from v5;
|
|
|
|
|
use test;
|
|
|
|
|
|
|
|
|
|
connection root;
|
|
|
|
|
drop view v1, v2, v3, v4, v5;
|
|
|
|
|
drop table t1;
|
|
|
|
|
use test;
|
|
|
|
|
REVOKE ALL PRIVILEGES, GRANT OPTION FROM mysqltest_1@localhost;
|
|
|
|
|
drop database mysqltest;
|
2005-10-28 12:11:32 +02:00
|
|
|
|
|
|
|
|
#
|
2009-03-03 21:34:18 +01:00
|
|
|
# Bug#14256 definer in view definition is not fully qualified
|
2005-10-28 12:11:32 +02:00
|
|
|
#
|
|
|
|
|
--disable_warnings
|
|
|
|
|
drop view if exists v1;
|
2008-02-21 10:17:32 +01:00
|
|
|
drop table if exists t1;
|
2005-10-28 12:11:32 +02:00
|
|
|
--enable_warnings
|
|
|
|
|
|
|
|
|
|
# Backup anonymous users and remove them. (They get in the way of
|
|
|
|
|
# the one we test with here otherwise.)
|
|
|
|
|
create table t1 as select * from mysql.user where user='';
|
|
|
|
|
delete from mysql.user where user='';
|
|
|
|
|
flush privileges;
|
|
|
|
|
|
|
|
|
|
# Create the test user
|
|
|
|
|
grant all on test.* to 'test14256'@'%';
|
|
|
|
|
|
|
|
|
|
connect (test14256,localhost,test14256,,test);
|
|
|
|
|
connection test14256;
|
|
|
|
|
use test;
|
|
|
|
|
|
|
|
|
|
create view v1 as select 42;
|
|
|
|
|
show create view v1;
|
|
|
|
|
|
|
|
|
|
select definer into @v1def1 from information_schema.views
|
|
|
|
|
where table_schema = 'test' and table_name='v1';
|
|
|
|
|
drop view v1;
|
|
|
|
|
|
|
|
|
|
create definer=`test14256`@`%` view v1 as select 42;
|
|
|
|
|
show create view v1;
|
|
|
|
|
|
|
|
|
|
select definer into @v1def2 from information_schema.views
|
|
|
|
|
where table_schema = 'test' and table_name='v1';
|
|
|
|
|
drop view v1;
|
|
|
|
|
|
|
|
|
|
select @v1def1, @v1def2, @v1def1=@v1def2;
|
|
|
|
|
|
|
|
|
|
connection root;
|
2009-03-03 21:34:18 +01:00
|
|
|
disconnect test14256;
|
2005-10-28 12:11:32 +02:00
|
|
|
drop user test14256;
|
|
|
|
|
|
|
|
|
|
# Restore the anonymous users.
|
|
|
|
|
insert into mysql.user select * from t1;
|
|
|
|
|
flush privileges;
|
|
|
|
|
|
|
|
|
|
drop table t1;
|
2005-11-21 20:11:02 +01:00
|
|
|
|
|
|
|
|
#
|
2009-03-03 21:34:18 +01:00
|
|
|
# Bug#14726 freeing stack variable in case of an error of opening a view when
|
2009-03-05 14:35:03 +01:00
|
|
|
# we have locked tables with LOCK TABLES statement.
|
2005-11-21 20:11:02 +01:00
|
|
|
#
|
|
|
|
|
connection root;
|
|
|
|
|
--disable_warnings
|
|
|
|
|
create database mysqltest;
|
|
|
|
|
--enable_warnings
|
|
|
|
|
|
|
|
|
|
use mysqltest;
|
|
|
|
|
CREATE TABLE t1 (i INT);
|
|
|
|
|
CREATE VIEW v1 AS SELECT * FROM t1;
|
|
|
|
|
SHOW CREATE VIEW v1;
|
|
|
|
|
GRANT SELECT, LOCK TABLES ON mysqltest.* TO mysqltest_1@localhost;
|
|
|
|
|
|
|
|
|
|
connection user1;
|
|
|
|
|
|
|
|
|
|
use mysqltest;
|
|
|
|
|
LOCK TABLES v1 READ;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
2005-11-21 20:11:02 +01:00
|
|
|
SHOW CREATE TABLE v1;
|
|
|
|
|
UNLOCK TABLES;
|
|
|
|
|
use test;
|
|
|
|
|
|
|
|
|
|
connection root;
|
|
|
|
|
use test;
|
|
|
|
|
drop user mysqltest_1@localhost;
|
|
|
|
|
drop database mysqltest;
|
|
|
|
|
|
|
|
|
|
#
|
2009-03-03 21:34:18 +01:00
|
|
|
# switch to default connection
|
2005-11-21 20:11:02 +01:00
|
|
|
#
|
|
|
|
|
disconnect user1;
|
|
|
|
|
disconnect root;
|
|
|
|
|
connection default;
|
2006-01-19 10:25:12 +01:00
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# DEFINER information check
|
|
|
|
|
#
|
|
|
|
|
create definer=some_user@`` sql security invoker view v1 as select 1;
|
2006-03-09 19:00:45 +01:00
|
|
|
create definer=some_user@localhost sql security invoker view v2 as select 1;
|
2006-01-19 10:25:12 +01:00
|
|
|
show create view v1;
|
2006-03-09 19:00:45 +01:00
|
|
|
show create view v2;
|
2006-01-19 10:25:12 +01:00
|
|
|
drop view v1;
|
2006-03-09 19:00:45 +01:00
|
|
|
drop view v2;
|
2006-05-26 10:49:39 +02:00
|
|
|
|
2006-05-26 10:47:53 +02:00
|
|
|
#
|
2009-03-03 21:34:18 +01:00
|
|
|
# Bug#18681 View privileges are broken
|
2006-05-26 10:47:53 +02:00
|
|
|
#
|
|
|
|
|
CREATE DATABASE mysqltest1;
|
|
|
|
|
CREATE USER readonly@localhost;
|
|
|
|
|
CREATE TABLE mysqltest1.t1 (x INT);
|
|
|
|
|
INSERT INTO mysqltest1.t1 VALUES (1), (2);
|
|
|
|
|
CREATE SQL SECURITY INVOKER VIEW mysqltest1.v_t1 AS SELECT * FROM mysqltest1.t1;
|
|
|
|
|
CREATE SQL SECURITY DEFINER VIEW mysqltest1.v_ts AS SELECT * FROM mysqltest1.t1;
|
|
|
|
|
CREATE SQL SECURITY DEFINER VIEW mysqltest1.v_ti AS SELECT * FROM mysqltest1.t1;
|
|
|
|
|
CREATE SQL SECURITY DEFINER VIEW mysqltest1.v_tu AS SELECT * FROM mysqltest1.t1;
|
|
|
|
|
CREATE SQL SECURITY DEFINER VIEW mysqltest1.v_tus AS SELECT * FROM mysqltest1.t1;
|
|
|
|
|
CREATE SQL SECURITY DEFINER VIEW mysqltest1.v_td AS SELECT * FROM mysqltest1.t1;
|
|
|
|
|
CREATE SQL SECURITY DEFINER VIEW mysqltest1.v_tds AS SELECT * FROM mysqltest1.t1;
|
2006-11-15 10:23:27 +01:00
|
|
|
GRANT SELECT, INSERT, UPDATE, DELETE ON mysqltest1.v_t1 TO readonly@localhost;
|
|
|
|
|
GRANT SELECT ON mysqltest1.v_ts TO readonly@localhost;
|
|
|
|
|
GRANT INSERT ON mysqltest1.v_ti TO readonly@localhost;
|
|
|
|
|
GRANT UPDATE ON mysqltest1.v_tu TO readonly@localhost;
|
|
|
|
|
GRANT UPDATE,SELECT ON mysqltest1.v_tus TO readonly@localhost;
|
|
|
|
|
GRANT DELETE ON mysqltest1.v_td TO readonly@localhost;
|
|
|
|
|
GRANT DELETE,SELECT ON mysqltest1.v_tds TO readonly@localhost;
|
2006-05-26 10:47:53 +02:00
|
|
|
|
2009-03-03 21:34:18 +01:00
|
|
|
connect (n1,localhost,readonly,,);
|
|
|
|
|
connection n1;
|
2006-05-26 10:47:53 +02:00
|
|
|
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_VIEW_INVALID
|
2006-05-26 10:47:53 +02:00
|
|
|
SELECT * FROM mysqltest1.v_t1;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_VIEW_INVALID
|
2006-05-26 10:47:53 +02:00
|
|
|
INSERT INTO mysqltest1.v_t1 VALUES(4);
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_VIEW_INVALID
|
2006-05-26 10:47:53 +02:00
|
|
|
DELETE FROM mysqltest1.v_t1 WHERE x = 1;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_VIEW_INVALID
|
2006-05-26 10:47:53 +02:00
|
|
|
UPDATE mysqltest1.v_t1 SET x = 3 WHERE x = 2;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_VIEW_INVALID
|
2006-05-26 10:47:53 +02:00
|
|
|
UPDATE mysqltest1.v_t1 SET x = 3;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_VIEW_INVALID
|
2006-05-26 10:47:53 +02:00
|
|
|
DELETE FROM mysqltest1.v_t1;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_VIEW_INVALID
|
2006-05-26 10:47:53 +02:00
|
|
|
SELECT 1 FROM mysqltest1.v_t1;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
2006-05-26 10:47:53 +02:00
|
|
|
SELECT * FROM mysqltest1.t1;
|
|
|
|
|
|
|
|
|
|
SELECT * FROM mysqltest1.v_ts;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
2006-05-26 10:47:53 +02:00
|
|
|
SELECT * FROM mysqltest1.v_ts, mysqltest1.t1 WHERE mysqltest1.t1.x = mysqltest1.v_ts.x;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
2006-05-26 10:47:53 +02:00
|
|
|
SELECT * FROM mysqltest1.v_ti;
|
|
|
|
|
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
2006-05-26 10:47:53 +02:00
|
|
|
INSERT INTO mysqltest1.v_ts VALUES (100);
|
|
|
|
|
INSERT INTO mysqltest1.v_ti VALUES (100);
|
|
|
|
|
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
2006-05-26 10:47:53 +02:00
|
|
|
UPDATE mysqltest1.v_ts SET x= 200 WHERE x = 100;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
2006-05-26 10:47:53 +02:00
|
|
|
UPDATE mysqltest1.v_ts SET x= 200;
|
|
|
|
|
UPDATE mysqltest1.v_tu SET x= 200 WHERE x = 100;
|
|
|
|
|
UPDATE mysqltest1.v_tus SET x= 200 WHERE x = 100;
|
|
|
|
|
UPDATE mysqltest1.v_tu SET x= 200;
|
|
|
|
|
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
2006-05-26 10:47:53 +02:00
|
|
|
DELETE FROM mysqltest1.v_ts WHERE x= 200;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
2006-05-26 10:47:53 +02:00
|
|
|
DELETE FROM mysqltest1.v_ts;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_COLUMNACCESS_DENIED_ERROR
|
2006-05-26 10:47:53 +02:00
|
|
|
DELETE FROM mysqltest1.v_td WHERE x= 200;
|
|
|
|
|
DELETE FROM mysqltest1.v_tds WHERE x= 200;
|
|
|
|
|
DELETE FROM mysqltest1.v_td;
|
|
|
|
|
|
2009-03-03 21:34:18 +01:00
|
|
|
connection default;
|
|
|
|
|
disconnect n1;
|
2006-05-26 10:47:53 +02:00
|
|
|
DROP VIEW mysqltest1.v_tds;
|
|
|
|
|
DROP VIEW mysqltest1.v_td;
|
|
|
|
|
DROP VIEW mysqltest1.v_tus;
|
|
|
|
|
DROP VIEW mysqltest1.v_tu;
|
|
|
|
|
DROP VIEW mysqltest1.v_ti;
|
|
|
|
|
DROP VIEW mysqltest1.v_ts;
|
|
|
|
|
DROP VIEW mysqltest1.v_t1;
|
|
|
|
|
DROP TABLE mysqltest1.t1;
|
2006-11-15 10:23:27 +01:00
|
|
|
DROP USER readonly@localhost;
|
2006-05-26 10:47:53 +02:00
|
|
|
DROP DATABASE mysqltest1;
|
2006-05-26 10:57:56 +02:00
|
|
|
|
2006-05-26 10:49:39 +02:00
|
|
|
#
|
2009-03-03 21:34:18 +01:00
|
|
|
# Bug#14875 Bad view DEFINER makes SHOW CREATE VIEW fail
|
2006-05-26 10:49:39 +02:00
|
|
|
#
|
|
|
|
|
CREATE TABLE t1 (a INT PRIMARY KEY);
|
|
|
|
|
INSERT INTO t1 VALUES (1), (2), (3);
|
|
|
|
|
CREATE DEFINER = 'no-such-user'@localhost VIEW v AS SELECT a from t1;
|
2009-03-03 21:34:18 +01:00
|
|
|
#--warning ER_VIEW_OTHER_USER
|
2006-05-26 10:49:39 +02:00
|
|
|
SHOW CREATE VIEW v;
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_NO_SUCH_USER
|
2006-05-26 10:49:39 +02:00
|
|
|
SELECT * FROM v;
|
|
|
|
|
DROP VIEW v;
|
|
|
|
|
DROP TABLE t1;
|
|
|
|
|
USE test;
|
2006-06-12 17:15:08 +02:00
|
|
|
|
|
|
|
|
#
|
2009-03-03 21:34:18 +01:00
|
|
|
# Bug#20363 Create view on just created view is now denied
|
2006-06-12 17:15:08 +02:00
|
|
|
#
|
|
|
|
|
eval CREATE USER mysqltest_db1@localhost identified by 'PWD';
|
|
|
|
|
eval GRANT ALL ON mysqltest_db1.* TO mysqltest_db1@localhost WITH GRANT OPTION;
|
|
|
|
|
|
|
|
|
|
# The session with the non root user is needed.
|
|
|
|
|
--replace_result $MASTER_MYPORT MYSQL_PORT $MASTER_MYSOCK MYSQL_SOCK
|
|
|
|
|
connect (session1,localhost,mysqltest_db1,PWD,test);
|
|
|
|
|
|
|
|
|
|
CREATE SCHEMA mysqltest_db1 ;
|
|
|
|
|
USE mysqltest_db1 ;
|
|
|
|
|
|
|
|
|
|
CREATE TABLE t1 (f1 INTEGER);
|
|
|
|
|
|
|
|
|
|
CREATE VIEW view1 AS
|
|
|
|
|
SELECT * FROM t1;
|
|
|
|
|
SHOW CREATE VIEW view1;
|
|
|
|
|
|
|
|
|
|
CREATE VIEW view2 AS
|
|
|
|
|
SELECT * FROM view1;
|
|
|
|
|
--echo # Here comes a suspicious warning
|
|
|
|
|
SHOW CREATE VIEW view2;
|
|
|
|
|
--echo # But the view view2 is usable
|
|
|
|
|
SELECT * FROM view2;
|
|
|
|
|
|
|
|
|
|
CREATE VIEW view3 AS
|
|
|
|
|
SELECT * FROM view2;
|
|
|
|
|
|
|
|
|
|
SELECT * from view3;
|
|
|
|
|
|
|
|
|
|
connection default;
|
2009-03-03 21:34:18 +01:00
|
|
|
disconnect session1;
|
2006-06-12 17:15:08 +02:00
|
|
|
DROP VIEW mysqltest_db1.view3;
|
|
|
|
|
DROP VIEW mysqltest_db1.view2;
|
|
|
|
|
DROP VIEW mysqltest_db1.view1;
|
|
|
|
|
DROP TABLE mysqltest_db1.t1;
|
|
|
|
|
DROP SCHEMA mysqltest_db1;
|
|
|
|
|
DROP USER mysqltest_db1@localhost;
|
2006-06-21 11:12:46 +02:00
|
|
|
#
|
2009-03-03 21:34:18 +01:00
|
|
|
# Bug#20482 failure on Create join view with sources views/tables
|
2009-03-05 14:35:03 +01:00
|
|
|
# in different schemas
|
2006-06-21 11:12:46 +02:00
|
|
|
#
|
|
|
|
|
--disable_warnings
|
|
|
|
|
CREATE DATABASE test1;
|
|
|
|
|
CREATE DATABASE test2;
|
|
|
|
|
--enable_warnings
|
|
|
|
|
|
|
|
|
|
CREATE TABLE test1.t0 (a VARCHAR(20));
|
|
|
|
|
CREATE TABLE test2.t1 (a VARCHAR(20));
|
|
|
|
|
CREATE VIEW test2.t3 AS SELECT * FROM test1.t0;
|
2009-03-03 21:34:18 +01:00
|
|
|
CREATE OR REPLACE VIEW test.v1 AS
|
2006-06-21 11:12:46 +02:00
|
|
|
SELECT ta.a AS col1, tb.a AS col2 FROM test2.t3 ta, test2.t1 tb;
|
|
|
|
|
|
|
|
|
|
DROP VIEW test.v1;
|
|
|
|
|
DROP VIEW test2.t3;
|
|
|
|
|
DROP TABLE test2.t1, test1.t0;
|
|
|
|
|
DROP DATABASE test2;
|
|
|
|
|
DROP DATABASE test1;
|
2006-07-04 21:55:52 +02:00
|
|
|
|
2006-07-02 12:35:45 +02:00
|
|
|
|
|
|
|
|
#
|
2009-03-03 21:34:18 +01:00
|
|
|
# Bug#20570 CURRENT_USER() in a VIEW with SQL SECURITY DEFINER returns
|
2009-03-05 14:35:03 +01:00
|
|
|
# invoker name
|
2006-07-02 12:35:45 +02:00
|
|
|
#
|
|
|
|
|
--disable_warnings
|
|
|
|
|
DROP VIEW IF EXISTS v1;
|
|
|
|
|
DROP VIEW IF EXISTS v2;
|
|
|
|
|
DROP VIEW IF EXISTS v3;
|
|
|
|
|
DROP FUNCTION IF EXISTS f1;
|
|
|
|
|
DROP FUNCTION IF EXISTS f2;
|
|
|
|
|
DROP PROCEDURE IF EXISTS p1;
|
|
|
|
|
--enable_warnings
|
|
|
|
|
|
|
|
|
|
CREATE SQL SECURITY DEFINER VIEW v1 AS SELECT CURRENT_USER() AS cu;
|
|
|
|
|
|
|
|
|
|
CREATE FUNCTION f1() RETURNS VARCHAR(77) SQL SECURITY INVOKER
|
|
|
|
|
RETURN CURRENT_USER();
|
|
|
|
|
CREATE SQL SECURITY DEFINER VIEW v2 AS SELECT f1() AS cu;
|
|
|
|
|
|
|
|
|
|
CREATE PROCEDURE p1(OUT cu VARCHAR(77)) SQL SECURITY INVOKER
|
|
|
|
|
SET cu= CURRENT_USER();
|
|
|
|
|
delimiter |;
|
|
|
|
|
CREATE FUNCTION f2() RETURNS VARCHAR(77) SQL SECURITY INVOKER
|
|
|
|
|
BEGIN
|
|
|
|
|
DECLARE cu VARCHAR(77);
|
|
|
|
|
CALL p1(cu);
|
|
|
|
|
RETURN cu;
|
|
|
|
|
END|
|
|
|
|
|
delimiter ;|
|
|
|
|
|
CREATE SQL SECURITY DEFINER VIEW v3 AS SELECT f2() AS cu;
|
|
|
|
|
|
|
|
|
|
CREATE USER mysqltest_u1@localhost;
|
|
|
|
|
GRANT ALL ON test.* TO mysqltest_u1@localhost;
|
|
|
|
|
|
|
|
|
|
connect (conn1, localhost, mysqltest_u1,,);
|
|
|
|
|
|
|
|
|
|
--echo
|
|
|
|
|
--echo The following tests should all return 1.
|
|
|
|
|
--echo
|
|
|
|
|
SELECT CURRENT_USER() = 'mysqltest_u1@localhost';
|
|
|
|
|
SELECT f1() = 'mysqltest_u1@localhost';
|
|
|
|
|
CALL p1(@cu);
|
|
|
|
|
SELECT @cu = 'mysqltest_u1@localhost';
|
|
|
|
|
SELECT f2() = 'mysqltest_u1@localhost';
|
|
|
|
|
SELECT cu = 'root@localhost' FROM v1;
|
|
|
|
|
SELECT cu = 'root@localhost' FROM v2;
|
|
|
|
|
SELECT cu = 'root@localhost' FROM v3;
|
|
|
|
|
|
|
|
|
|
disconnect conn1;
|
|
|
|
|
connection default;
|
|
|
|
|
|
|
|
|
|
DROP VIEW v3;
|
|
|
|
|
DROP FUNCTION f2;
|
|
|
|
|
DROP PROCEDURE p1;
|
|
|
|
|
DROP FUNCTION f1;
|
|
|
|
|
DROP VIEW v2;
|
|
|
|
|
DROP VIEW v1;
|
|
|
|
|
DROP USER mysqltest_u1@localhost;
|
|
|
|
|
|
2007-01-18 10:48:17 +01:00
|
|
|
|
2006-11-27 14:15:32 +01:00
|
|
|
#
|
2009-03-03 21:34:18 +01:00
|
|
|
# Bug#17254 Error for DEFINER security on VIEW provides too much info
|
2006-11-27 14:15:32 +01:00
|
|
|
#
|
|
|
|
|
connect (root,localhost,root,,);
|
|
|
|
|
connection root;
|
|
|
|
|
CREATE DATABASE db17254;
|
|
|
|
|
USE db17254;
|
|
|
|
|
CREATE TABLE t1 (f1 INT);
|
|
|
|
|
INSERT INTO t1 VALUES (10),(20);
|
|
|
|
|
CREATE USER def_17254@localhost;
|
|
|
|
|
GRANT SELECT ON db17254.* TO def_17254@localhost;
|
|
|
|
|
CREATE USER inv_17254@localhost;
|
|
|
|
|
GRANT SELECT ON db17254.t1 TO inv_17254@localhost;
|
|
|
|
|
GRANT CREATE VIEW ON db17254.* TO def_17254@localhost;
|
|
|
|
|
|
|
|
|
|
connect (def,localhost,def_17254,,db17254);
|
|
|
|
|
connection def;
|
|
|
|
|
CREATE VIEW v1 AS SELECT * FROM t1;
|
|
|
|
|
|
|
|
|
|
connection root;
|
|
|
|
|
DROP USER def_17254@localhost;
|
|
|
|
|
|
|
|
|
|
connect (inv,localhost,inv_17254,,db17254);
|
|
|
|
|
connection inv;
|
|
|
|
|
--echo for a user
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
2006-11-27 14:15:32 +01:00
|
|
|
SELECT * FROM v1;
|
|
|
|
|
|
|
|
|
|
connection root;
|
|
|
|
|
--echo for a superuser
|
2009-03-03 21:34:18 +01:00
|
|
|
--error ER_NO_SUCH_USER
|
2006-11-27 14:15:32 +01:00
|
|
|
SELECT * FROM v1;
|
|
|
|
|
DROP USER inv_17254@localhost;
|
|
|
|
|
DROP DATABASE db17254;
|
|
|
|
|
disconnect def;
|
|
|
|
|
disconnect inv;
|
|
|
|
|
|
2007-01-18 10:48:17 +01:00
|
|
|
|
|
|
|
|
#
|
2009-03-03 21:34:18 +01:00
|
|
|
# Bug#24404 strange bug with view+permission+prepared statement
|
2007-01-18 10:48:17 +01:00
|
|
|
#
|
|
|
|
|
--disable_warnings
|
|
|
|
|
DROP DATABASE IF EXISTS mysqltest_db1;
|
|
|
|
|
DROP DATABASE IF EXISTS mysqltest_db2;
|
|
|
|
|
--enable_warnings
|
|
|
|
|
--error 0,ER_CANNOT_USER
|
|
|
|
|
DROP USER mysqltest_u1;
|
|
|
|
|
--error 0,ER_CANNOT_USER
|
|
|
|
|
DROP USER mysqltest_u2;
|
|
|
|
|
|
|
|
|
|
CREATE USER mysqltest_u1@localhost;
|
|
|
|
|
CREATE USER mysqltest_u2@localhost;
|
|
|
|
|
|
|
|
|
|
CREATE DATABASE mysqltest_db1;
|
|
|
|
|
CREATE DATABASE mysqltest_db2;
|
|
|
|
|
|
|
|
|
|
GRANT ALL ON mysqltest_db1.* TO mysqltest_u1@localhost WITH GRANT OPTION;
|
|
|
|
|
GRANT ALL ON mysqltest_db2.* TO mysqltest_u2@localhost;
|
|
|
|
|
|
|
|
|
|
connect (conn1, localhost, mysqltest_u1, , mysqltest_db1);
|
|
|
|
|
|
|
|
|
|
CREATE TABLE t1 (i INT);
|
|
|
|
|
INSERT INTO t1 VALUES (1);
|
|
|
|
|
|
|
|
|
|
# Use view with subquery for better coverage.
|
|
|
|
|
CREATE VIEW v1 AS SELECT i FROM t1 WHERE 1 IN (SELECT * FROM t1);
|
|
|
|
|
|
|
|
|
|
CREATE TABLE t2 (s CHAR(7));
|
|
|
|
|
INSERT INTO t2 VALUES ('public');
|
|
|
|
|
|
|
|
|
|
GRANT SELECT ON v1 TO mysqltest_u2@localhost;
|
|
|
|
|
GRANT SELECT ON t2 TO mysqltest_u2@localhost;
|
|
|
|
|
|
|
|
|
|
connect (conn2, localhost, mysqltest_u2, , mysqltest_db2);
|
|
|
|
|
|
|
|
|
|
SELECT * FROM mysqltest_db1.v1, mysqltest_db1.t2;
|
|
|
|
|
PREPARE stmt1 FROM "SELECT * FROM mysqltest_db1.t2";
|
|
|
|
|
EXECUTE stmt1;
|
|
|
|
|
PREPARE stmt2 FROM "SELECT * FROM mysqltest_db1.v1, mysqltest_db1.t2";
|
|
|
|
|
EXECUTE stmt2;
|
|
|
|
|
|
|
|
|
|
connection conn1;
|
|
|
|
|
# Make table 't2' private.
|
|
|
|
|
REVOKE SELECT ON t2 FROM mysqltest_u2@localhost;
|
|
|
|
|
UPDATE t2 SET s = 'private' WHERE s = 'public';
|
|
|
|
|
|
|
|
|
|
connection conn2;
|
|
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
|
|
|
SELECT * FROM mysqltest_db1.v1, mysqltest_db1.t2;
|
|
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
|
|
|
EXECUTE stmt1;
|
|
|
|
|
# Original bug was here: the statement didn't fail.
|
|
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
|
|
|
EXECUTE stmt2;
|
|
|
|
|
|
|
|
|
|
# Cleanup.
|
|
|
|
|
disconnect conn2;
|
|
|
|
|
disconnect conn1;
|
|
|
|
|
connection default;
|
|
|
|
|
REVOKE ALL ON mysqltest_db1.* FROM mysqltest_u1@localhost;
|
|
|
|
|
REVOKE ALL ON mysqltest_db2.* FROM mysqltest_u2@localhost;
|
|
|
|
|
DROP DATABASE mysqltest_db1;
|
|
|
|
|
DROP DATABASE mysqltest_db2;
|
|
|
|
|
DROP USER mysqltest_u1@localhost;
|
|
|
|
|
DROP USER mysqltest_u2@localhost;
|
|
|
|
|
|
2007-03-22 20:05:19 +01:00
|
|
|
#
|
2009-03-03 21:34:18 +01:00
|
|
|
# Bug#26813 The SUPER privilege is wrongly required to alter a view created
|
|
|
|
|
# by another user.
|
2007-03-22 20:05:19 +01:00
|
|
|
#
|
|
|
|
|
connection root;
|
|
|
|
|
CREATE DATABASE db26813;
|
|
|
|
|
USE db26813;
|
|
|
|
|
CREATE TABLE t1(f1 INT, f2 INT);
|
|
|
|
|
CREATE VIEW v1 AS SELECT f1 FROM t1;
|
|
|
|
|
CREATE VIEW v2 AS SELECT f1 FROM t1;
|
|
|
|
|
CREATE VIEW v3 AS SELECT f1 FROM t1;
|
|
|
|
|
CREATE USER u26813@localhost;
|
|
|
|
|
GRANT DROP ON db26813.v1 TO u26813@localhost;
|
|
|
|
|
GRANT CREATE VIEW ON db26813.v2 TO u26813@localhost;
|
|
|
|
|
GRANT DROP, CREATE VIEW ON db26813.v3 TO u26813@localhost;
|
|
|
|
|
GRANT SELECT ON db26813.t1 TO u26813@localhost;
|
|
|
|
|
|
|
|
|
|
connect (u1,localhost,u26813,,db26813);
|
|
|
|
|
connection u1;
|
2007-09-20 16:05:09 +02:00
|
|
|
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
|
2007-03-22 20:05:19 +01:00
|
|
|
ALTER VIEW v1 AS SELECT f2 FROM t1;
|
2007-09-20 16:05:09 +02:00
|
|
|
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
|
2007-03-22 20:05:19 +01:00
|
|
|
ALTER VIEW v2 AS SELECT f2 FROM t1;
|
2007-09-20 16:05:09 +02:00
|
|
|
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
|
2007-03-22 20:05:19 +01:00
|
|
|
ALTER VIEW v3 AS SELECT f2 FROM t1;
|
|
|
|
|
|
|
|
|
|
connection root;
|
|
|
|
|
SHOW CREATE VIEW v3;
|
|
|
|
|
|
|
|
|
|
DROP USER u26813@localhost;
|
|
|
|
|
DROP DATABASE db26813;
|
|
|
|
|
disconnect u1;
|
2007-01-18 10:48:17 +01:00
|
|
|
|
2007-09-20 16:05:09 +02:00
|
|
|
--echo #
|
2009-03-03 21:34:18 +01:00
|
|
|
--echo # Bug#29908 A user can gain additional access through the ALTER VIEW.
|
2007-09-20 16:05:09 +02:00
|
|
|
--echo #
|
|
|
|
|
connection root;
|
|
|
|
|
CREATE DATABASE mysqltest_29908;
|
|
|
|
|
USE mysqltest_29908;
|
|
|
|
|
CREATE TABLE t1(f1 INT, f2 INT);
|
|
|
|
|
CREATE USER u29908_1@localhost;
|
|
|
|
|
CREATE DEFINER = u29908_1@localhost VIEW v1 AS SELECT f1 FROM t1;
|
|
|
|
|
CREATE DEFINER = u29908_1@localhost SQL SECURITY INVOKER VIEW v2 AS
|
|
|
|
|
SELECT f1 FROM t1;
|
|
|
|
|
GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v1 TO u29908_1@localhost;
|
|
|
|
|
GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_1@localhost;
|
|
|
|
|
GRANT SELECT ON mysqltest_29908.t1 TO u29908_1@localhost;
|
|
|
|
|
CREATE USER u29908_2@localhost;
|
|
|
|
|
GRANT DROP, CREATE VIEW ON mysqltest_29908.v1 TO u29908_2@localhost;
|
|
|
|
|
GRANT DROP, CREATE VIEW, SHOW VIEW ON mysqltest_29908.v2 TO u29908_2@localhost;
|
|
|
|
|
GRANT SELECT ON mysqltest_29908.t1 TO u29908_2@localhost;
|
|
|
|
|
|
|
|
|
|
connect (u2,localhost,u29908_2,,mysqltest_29908);
|
|
|
|
|
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
|
|
|
|
|
ALTER VIEW v1 AS SELECT f2 FROM t1;
|
2007-09-29 03:07:29 +02:00
|
|
|
--error ER_SPECIFIC_ACCESS_DENIED_ERROR
|
2007-09-20 16:05:09 +02:00
|
|
|
ALTER VIEW v2 AS SELECT f2 FROM t1;
|
|
|
|
|
SHOW CREATE VIEW v2;
|
|
|
|
|
|
|
|
|
|
connect (u1,localhost,u29908_1,,mysqltest_29908);
|
|
|
|
|
ALTER VIEW v1 AS SELECT f2 FROM t1;
|
|
|
|
|
SHOW CREATE VIEW v1;
|
2007-09-29 03:07:29 +02:00
|
|
|
ALTER VIEW v2 AS SELECT f2 FROM t1;
|
2007-09-20 16:05:09 +02:00
|
|
|
SHOW CREATE VIEW v2;
|
|
|
|
|
|
|
|
|
|
connection root;
|
|
|
|
|
ALTER VIEW v1 AS SELECT f1 FROM t1;
|
|
|
|
|
SHOW CREATE VIEW v1;
|
2007-09-29 03:07:29 +02:00
|
|
|
ALTER VIEW v2 AS SELECT f1 FROM t1;
|
2007-09-20 16:05:09 +02:00
|
|
|
SHOW CREATE VIEW v2;
|
|
|
|
|
|
|
|
|
|
DROP USER u29908_1@localhost;
|
|
|
|
|
DROP USER u29908_2@localhost;
|
|
|
|
|
DROP DATABASE mysqltest_29908;
|
|
|
|
|
disconnect u1;
|
|
|
|
|
disconnect u2;
|
|
|
|
|
--echo #######################################################################
|
|
|
|
|
|
2007-03-21 22:34:15 +01:00
|
|
|
#
|
2009-03-03 21:34:18 +01:00
|
|
|
# Bug#24040 Create View don't succed with "all privileges" on a database.
|
2007-03-21 22:34:15 +01:00
|
|
|
#
|
|
|
|
|
|
|
|
|
|
# Prepare.
|
|
|
|
|
|
|
|
|
|
--disable_warnings
|
|
|
|
|
DROP DATABASE IF EXISTS mysqltest1;
|
|
|
|
|
DROP DATABASE IF EXISTS mysqltest2;
|
|
|
|
|
--enable_warnings
|
|
|
|
|
|
|
|
|
|
CREATE DATABASE mysqltest1;
|
|
|
|
|
CREATE DATABASE mysqltest2;
|
|
|
|
|
|
|
|
|
|
# Test.
|
|
|
|
|
|
|
|
|
|
CREATE TABLE mysqltest1.t1(c1 INT);
|
|
|
|
|
CREATE TABLE mysqltest1.t2(c2 INT);
|
|
|
|
|
CREATE TABLE mysqltest1.t3(c3 INT);
|
|
|
|
|
CREATE TABLE mysqltest1.t4(c4 INT);
|
|
|
|
|
|
|
|
|
|
INSERT INTO mysqltest1.t1 VALUES (11), (12), (13), (14);
|
|
|
|
|
INSERT INTO mysqltest1.t2 VALUES (21), (22), (23), (24);
|
|
|
|
|
INSERT INTO mysqltest1.t3 VALUES (31), (32), (33), (34);
|
|
|
|
|
INSERT INTO mysqltest1.t4 VALUES (41), (42), (43), (44);
|
|
|
|
|
|
|
|
|
|
GRANT SELECT ON mysqltest1.t1 TO mysqltest_u1@localhost;
|
|
|
|
|
GRANT INSERT ON mysqltest1.t2 TO mysqltest_u1@localhost;
|
|
|
|
|
GRANT SELECT, UPDATE ON mysqltest1.t3 TO mysqltest_u1@localhost;
|
|
|
|
|
GRANT SELECT, DELETE ON mysqltest1.t4 TO mysqltest_u1@localhost;
|
|
|
|
|
|
|
|
|
|
GRANT ALL PRIVILEGES ON mysqltest2.* TO mysqltest_u1@localhost;
|
|
|
|
|
|
|
|
|
|
--connect (bug24040_con,localhost,mysqltest_u1,,mysqltest2)
|
|
|
|
|
--echo
|
|
|
|
|
--echo ---> connection: bug24040_con
|
|
|
|
|
|
|
|
|
|
SELECT * FROM mysqltest1.t1;
|
|
|
|
|
INSERT INTO mysqltest1.t2 VALUES(25);
|
|
|
|
|
UPDATE mysqltest1.t3 SET c3 = 331 WHERE c3 = 31;
|
|
|
|
|
DELETE FROM mysqltest1.t4 WHERE c4 = 44;
|
|
|
|
|
|
|
|
|
|
CREATE VIEW v1 AS SELECT * FROM mysqltest1.t1;
|
|
|
|
|
CREATE VIEW v2 AS SELECT * FROM mysqltest1.t2;
|
|
|
|
|
CREATE VIEW v3 AS SELECT * FROM mysqltest1.t3;
|
|
|
|
|
CREATE VIEW v4 AS SELECT * FROM mysqltest1.t4;
|
|
|
|
|
|
|
|
|
|
SELECT * FROM v1;
|
|
|
|
|
INSERT INTO v2 VALUES(26);
|
|
|
|
|
UPDATE v3 SET c3 = 332 WHERE c3 = 32;
|
|
|
|
|
DELETE FROM v4 WHERE c4 = 43;
|
|
|
|
|
|
|
|
|
|
--error ER_COLUMNACCESS_DENIED_ERROR
|
|
|
|
|
CREATE VIEW v12 AS SELECT c1, c2 FROM mysqltest1.t1, mysqltest1.t2;
|
|
|
|
|
CREATE VIEW v13 AS SELECT c1, c3 FROM mysqltest1.t1, mysqltest1.t3;
|
|
|
|
|
CREATE VIEW v14 AS SELECT c1, c4 FROM mysqltest1.t1, mysqltest1.t4;
|
|
|
|
|
|
|
|
|
|
--error ER_COLUMNACCESS_DENIED_ERROR
|
|
|
|
|
CREATE VIEW v21 AS SELECT c2, c1 FROM mysqltest1.t2, mysqltest1.t1;
|
|
|
|
|
--error ER_COLUMNACCESS_DENIED_ERROR
|
|
|
|
|
CREATE VIEW v23 AS SELECT c2, c3 FROM mysqltest1.t2, mysqltest1.t3;
|
|
|
|
|
--error ER_COLUMNACCESS_DENIED_ERROR
|
|
|
|
|
CREATE VIEW v24 AS SELECT c2, c4 FROM mysqltest1.t2, mysqltest1.t4;
|
|
|
|
|
|
|
|
|
|
CREATE VIEW v31 AS SELECT c3, c1 FROM mysqltest1.t3, mysqltest1.t1;
|
|
|
|
|
--error ER_COLUMNACCESS_DENIED_ERROR
|
|
|
|
|
CREATE VIEW v32 AS SELECT c3, c2 FROM mysqltest1.t3, mysqltest1.t2;
|
|
|
|
|
CREATE VIEW v34 AS SELECT c3, c4 FROM mysqltest1.t3, mysqltest1.t4;
|
|
|
|
|
|
|
|
|
|
CREATE VIEW v41 AS SELECT c4, c1 FROM mysqltest1.t4, mysqltest1.t1;
|
|
|
|
|
--error ER_COLUMNACCESS_DENIED_ERROR
|
|
|
|
|
CREATE VIEW v42 AS SELECT c4, c2 FROM mysqltest1.t4, mysqltest1.t2;
|
|
|
|
|
CREATE VIEW v43 AS SELECT c4, c3 FROM mysqltest1.t4, mysqltest1.t3;
|
|
|
|
|
|
|
|
|
|
--connection default
|
|
|
|
|
--echo
|
|
|
|
|
--echo ---> connection: default
|
|
|
|
|
|
|
|
|
|
SELECT * FROM mysqltest1.t1;
|
|
|
|
|
SELECT * FROM mysqltest1.t2;
|
|
|
|
|
SELECT * FROM mysqltest1.t3;
|
|
|
|
|
SELECT * FROM mysqltest1.t4;
|
|
|
|
|
|
|
|
|
|
# Cleanup.
|
|
|
|
|
|
2009-03-03 21:34:18 +01:00
|
|
|
disconnect bug24040_con;
|
2007-03-21 22:34:15 +01:00
|
|
|
|
|
|
|
|
DROP DATABASE mysqltest1;
|
|
|
|
|
DROP DATABASE mysqltest2;
|
|
|
|
|
DROP USER mysqltest_u1@localhost;
|
|
|
|
|
|
2009-02-26 18:00:44 +01:00
|
|
|
|
|
|
|
|
#
|
2009-03-05 14:35:03 +01:00
|
|
|
# Bug#41354 Access control is bypassed when all columns of a view are
|
|
|
|
|
# selected by * wildcard
|
2009-02-26 18:00:44 +01:00
|
|
|
|
|
|
|
|
CREATE DATABASE db1;
|
|
|
|
|
USE db1;
|
|
|
|
|
CREATE TABLE t1(f1 INT, f2 INT);
|
|
|
|
|
CREATE VIEW v1 AS SELECT f1, f2 FROM t1;
|
|
|
|
|
|
|
|
|
|
GRANT SELECT (f1) ON t1 TO foo;
|
|
|
|
|
GRANT SELECT (f1) ON v1 TO foo;
|
|
|
|
|
|
|
|
|
|
connect (addconfoo, localhost, foo,,);
|
|
|
|
|
connection addconfoo;
|
|
|
|
|
USE db1;
|
|
|
|
|
|
|
|
|
|
SELECT f1 FROM t1;
|
|
|
|
|
--error ER_COLUMNACCESS_DENIED_ERROR
|
|
|
|
|
SELECT f2 FROM t1;
|
|
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
|
|
|
SELECT * FROM t1;
|
|
|
|
|
|
|
|
|
|
SELECT f1 FROM v1;
|
|
|
|
|
--error ER_COLUMNACCESS_DENIED_ERROR
|
|
|
|
|
SELECT f2 FROM v1;
|
|
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
|
|
|
SELECT * FROM v1;
|
|
|
|
|
|
|
|
|
|
connection default;
|
2009-03-03 21:34:18 +01:00
|
|
|
disconnect root;
|
2009-02-26 18:00:44 +01:00
|
|
|
disconnect addconfoo;
|
2009-03-05 14:35:03 +01:00
|
|
|
USE test;
|
2009-02-26 18:00:44 +01:00
|
|
|
REVOKE SELECT (f1) ON db1.t1 FROM foo;
|
|
|
|
|
REVOKE SELECT (f1) ON db1.v1 FROM foo;
|
|
|
|
|
DROP USER foo;
|
|
|
|
|
DROP VIEW db1.v1;
|
|
|
|
|
DROP TABLE db1.t1;
|
|
|
|
|
DROP DATABASE db1;
|
|
|
|
|
|
2009-03-05 14:35:03 +01:00
|
|
|
connection default;
|
2011-09-29 11:47:11 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
--echo Bug #11765687/#58677:
|
|
|
|
|
--echo No privilege on table/view, but can know #rows / underlying table's name
|
|
|
|
|
|
|
|
|
|
# As a root-like user
|
|
|
|
|
connect (root,localhost,root,,test);
|
|
|
|
|
connection root;
|
|
|
|
|
|
|
|
|
|
create database mysqltest1;
|
|
|
|
|
create table mysqltest1.t1 (i int);
|
|
|
|
|
create table mysqltest1.t2 (j int);
|
|
|
|
|
create table mysqltest1.t3 (k int, secret int);
|
|
|
|
|
|
|
|
|
|
create user alice@localhost;
|
|
|
|
|
create user bob@localhost;
|
|
|
|
|
create user cecil@localhost;
|
|
|
|
|
create user dan@localhost;
|
|
|
|
|
create user eugene@localhost;
|
|
|
|
|
create user fiona@localhost;
|
|
|
|
|
create user greg@localhost;
|
|
|
|
|
create user han@localhost;
|
|
|
|
|
create user inga@localhost;
|
|
|
|
|
create user jamie@localhost;
|
|
|
|
|
create user karl@localhost;
|
|
|
|
|
create user lena@localhost;
|
|
|
|
|
create user mhairi@localhost;
|
|
|
|
|
create user noam@localhost;
|
|
|
|
|
create user olga@localhost;
|
|
|
|
|
create user pjotr@localhost;
|
|
|
|
|
create user quintessa@localhost;
|
|
|
|
|
|
|
|
|
|
grant all privileges on mysqltest1.* to alice@localhost with grant option;
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
--echo ... as alice
|
|
|
|
|
connect (test11765687,localhost,alice,,mysqltest1);
|
|
|
|
|
connection test11765687;
|
|
|
|
|
|
|
|
|
|
create view v1 as select * from t1;
|
|
|
|
|
create view v2 as select * from v1, t2;
|
|
|
|
|
create view v3 as select k from t3;
|
|
|
|
|
|
|
|
|
|
grant select on mysqltest1.v1 to bob@localhost;
|
|
|
|
|
|
|
|
|
|
grant show view on mysqltest1.v1 to cecil@localhost;
|
|
|
|
|
|
|
|
|
|
grant select, show view on mysqltest1.v1 to dan@localhost;
|
|
|
|
|
grant select on mysqltest1.t1 to dan@localhost;
|
|
|
|
|
|
|
|
|
|
grant select on mysqltest1.* to eugene@localhost;
|
|
|
|
|
|
|
|
|
|
grant select, show view on mysqltest1.v2 to fiona@localhost;
|
|
|
|
|
|
|
|
|
|
grant select, show view on mysqltest1.v2 to greg@localhost;
|
|
|
|
|
grant show view on mysqltest1.v1 to greg@localhost;
|
|
|
|
|
|
|
|
|
|
grant select(k) on mysqltest1.t3 to han@localhost;
|
|
|
|
|
grant select, show view on mysqltest1.v3 to han@localhost;
|
|
|
|
|
|
|
|
|
|
grant select on mysqltest1.t1 to inga@localhost;
|
|
|
|
|
grant select on mysqltest1.t2 to inga@localhost;
|
|
|
|
|
grant select on mysqltest1.v1 to inga@localhost;
|
|
|
|
|
grant select, show view on mysqltest1.v2 to inga@localhost;
|
|
|
|
|
|
|
|
|
|
grant select on mysqltest1.t1 to jamie@localhost;
|
|
|
|
|
grant select on mysqltest1.t2 to jamie@localhost;
|
|
|
|
|
grant show view on mysqltest1.v1 to jamie@localhost;
|
|
|
|
|
grant select, show view on mysqltest1.v2 to jamie@localhost;
|
|
|
|
|
|
|
|
|
|
grant select on mysqltest1.t1 to karl@localhost;
|
|
|
|
|
grant select on mysqltest1.t2 to karl@localhost;
|
|
|
|
|
grant select, show view on mysqltest1.v1 to karl@localhost;
|
|
|
|
|
grant select on mysqltest1.v2 to karl@localhost;
|
|
|
|
|
|
|
|
|
|
grant select on mysqltest1.t1 to lena@localhost;
|
|
|
|
|
grant select on mysqltest1.t2 to lena@localhost;
|
|
|
|
|
grant select, show view on mysqltest1.v1 to lena@localhost;
|
|
|
|
|
grant show view on mysqltest1.v2 to lena@localhost;
|
|
|
|
|
|
|
|
|
|
grant select on mysqltest1.t1 to mhairi@localhost;
|
|
|
|
|
grant select on mysqltest1.t2 to mhairi@localhost;
|
|
|
|
|
grant select, show view on mysqltest1.v1 to mhairi@localhost;
|
|
|
|
|
grant select, show view on mysqltest1.v2 to mhairi@localhost;
|
|
|
|
|
|
|
|
|
|
grant select on mysqltest1.t1 to noam@localhost;
|
|
|
|
|
grant select, show view on mysqltest1.v1 to noam@localhost;
|
|
|
|
|
grant select, show view on mysqltest1.v2 to noam@localhost;
|
|
|
|
|
|
|
|
|
|
grant select on mysqltest1.t2 to olga@localhost;
|
|
|
|
|
grant select, show view on mysqltest1.v1 to olga@localhost;
|
|
|
|
|
grant select, show view on mysqltest1.v2 to olga@localhost;
|
|
|
|
|
|
|
|
|
|
grant select on mysqltest1.t1 to pjotr@localhost;
|
|
|
|
|
grant select on mysqltest1.t2 to pjotr@localhost;
|
|
|
|
|
grant select, show view on mysqltest1.v2 to pjotr@localhost;
|
|
|
|
|
|
|
|
|
|
grant select, show view on mysqltest1.v1 to quintessa@localhost;
|
|
|
|
|
|
|
|
|
|
disconnect test11765687;
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
--echo ... as bob
|
|
|
|
|
connect (test11765687,localhost,bob,,mysqltest1);
|
|
|
|
|
connection test11765687;
|
|
|
|
|
|
|
|
|
|
select * from v1; # Should succeed.
|
|
|
|
|
--error ER_VIEW_NO_EXPLAIN
|
|
|
|
|
explain select * from v1; # fail, no SHOW_VIEW
|
|
|
|
|
|
|
|
|
|
disconnect test11765687;
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
--echo ... as cecil
|
|
|
|
|
connect (test11765687,localhost,cecil,,mysqltest1);
|
|
|
|
|
connection test11765687;
|
|
|
|
|
|
|
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
|
|
|
select * from v1; # fail, no SELECT
|
|
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
|
|
|
explain select * from v1; # fail, no SELECT
|
|
|
|
|
|
|
|
|
|
disconnect test11765687;
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
--echo ... as dan
|
|
|
|
|
connect (test11765687,localhost,dan,,mysqltest1);
|
|
|
|
|
connection test11765687;
|
|
|
|
|
|
|
|
|
|
select * from v1; # Should succeed.
|
|
|
|
|
explain select * from v1; # Should succeed.
|
|
|
|
|
|
|
|
|
|
disconnect test11765687;
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
--echo ... as eugene
|
|
|
|
|
connect (test11765687,localhost,eugene,,mysqltest1);
|
|
|
|
|
connection test11765687;
|
|
|
|
|
|
|
|
|
|
select * from v1; # Should succeed.
|
|
|
|
|
--error ER_VIEW_NO_EXPLAIN
|
|
|
|
|
explain select * from v1; # fail, no SHOW_VIEW
|
|
|
|
|
|
|
|
|
|
disconnect test11765687;
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
--echo ... as fiona
|
|
|
|
|
connect (test11765687,localhost,fiona,,mysqltest1);
|
|
|
|
|
connection test11765687;
|
|
|
|
|
|
|
|
|
|
select * from v2; # Should succeed.
|
|
|
|
|
show create view v2; # Should succeed, but...
|
|
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
|
|
|
explain select * from t1; # fail, shouldn't see t1!
|
|
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
|
|
|
# err msg must give view name, no table names!!
|
|
|
|
|
explain select * from v1; # fail, have no privs on v1!
|
|
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
|
|
|
explain select * from t2; # fail, have no privs on t2!
|
|
|
|
|
--error ER_VIEW_NO_EXPLAIN
|
|
|
|
|
explain select * from v2; # fail, shouldn't see t2!
|
|
|
|
|
|
|
|
|
|
disconnect test11765687;
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
--echo ... as greg
|
|
|
|
|
connect (test11765687,localhost,greg,,mysqltest1);
|
|
|
|
|
connection test11765687;
|
|
|
|
|
|
|
|
|
|
select * from v2; # Should succeed.
|
|
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
|
|
|
explain select * from v1; # fail; no SELECT on v1!
|
|
|
|
|
--error ER_VIEW_NO_EXPLAIN
|
|
|
|
|
explain select * from v2; # fail; no SELECT on v1!
|
|
|
|
|
|
|
|
|
|
disconnect test11765687;
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
--echo ... as han
|
|
|
|
|
connect (test11765687,localhost,han,,mysqltest1);
|
|
|
|
|
connection test11765687;
|
|
|
|
|
|
|
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
|
|
|
select * from t3; # don't have privs on all columns,
|
|
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
|
|
|
explain select * from t3; # so EXPLAIN on "forbidden" columns should fail.
|
|
|
|
|
select k from t3; # but we do have SELECT on column k though,
|
|
|
|
|
explain select k from t3; # so EXPLAIN just on k should work,
|
|
|
|
|
select * from v3; # and so should SELECT on view only using allowed columns
|
|
|
|
|
explain select * from v3; # as should the associated EXPLAIN
|
|
|
|
|
|
|
|
|
|
disconnect test11765687;
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
--echo ... as inga
|
|
|
|
|
connect (test11765687,localhost,inga,,mysqltest1);
|
|
|
|
|
connection test11765687;
|
|
|
|
|
|
|
|
|
|
select * from v2;
|
|
|
|
|
# has sel/show on v2, sel on t1/t2, only sel v1
|
|
|
|
|
# fail: lacks show on v1
|
|
|
|
|
--error ER_VIEW_NO_EXPLAIN
|
|
|
|
|
explain select * from v2;
|
|
|
|
|
disconnect test11765687;
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
--echo ... as jamie
|
|
|
|
|
connect (test11765687,localhost,jamie,,mysqltest1);
|
|
|
|
|
connection test11765687;
|
|
|
|
|
|
|
|
|
|
select * from v2;
|
|
|
|
|
# has sel/show on v2, sel on t1/t2, only show v1
|
|
|
|
|
# fail: lacks sel on v1
|
|
|
|
|
--error ER_VIEW_NO_EXPLAIN
|
|
|
|
|
explain select * from v2;
|
|
|
|
|
disconnect test11765687;
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
--echo ... as karl
|
|
|
|
|
connect (test11765687,localhost,karl,,mysqltest1);
|
|
|
|
|
connection test11765687;
|
|
|
|
|
|
|
|
|
|
select * from v2;
|
|
|
|
|
# has sel only on v2, sel on t1/t2, sel/show v1
|
|
|
|
|
# fail: lacks show on v2
|
|
|
|
|
--error ER_VIEW_NO_EXPLAIN
|
|
|
|
|
explain select * from v2;
|
|
|
|
|
disconnect test11765687;
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
--echo ... as lena
|
|
|
|
|
|
|
|
|
|
connect (test11765687,localhost,lena,,mysqltest1);
|
|
|
|
|
connection test11765687;
|
|
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
|
|
|
select * from v2;
|
|
|
|
|
# has show only on v2, sel on t1/t2, sel/show v1
|
|
|
|
|
# fail: lacks sel on v2
|
|
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
|
|
|
explain select * from v2;
|
|
|
|
|
disconnect test11765687;
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
--echo ... as mhairi
|
|
|
|
|
connect (test11765687,localhost,mhairi,,mysqltest1);
|
|
|
|
|
connection test11765687;
|
|
|
|
|
|
|
|
|
|
select * from v2;
|
|
|
|
|
# has sel/show on v2, sel on t1/t2, sel/show v1
|
|
|
|
|
explain select * from v2;
|
|
|
|
|
disconnect test11765687;
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
--echo ... as noam
|
|
|
|
|
connect (test11765687,localhost,noam,,mysqltest1);
|
|
|
|
|
connection test11765687;
|
|
|
|
|
|
|
|
|
|
select * from v2;
|
|
|
|
|
# has sel/show on v2, sel only on t1, sel/show v1 (no sel on t2!)
|
|
|
|
|
--error ER_VIEW_NO_EXPLAIN
|
|
|
|
|
explain select * from v2;
|
|
|
|
|
disconnect test11765687;
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
--echo ... as olga
|
|
|
|
|
connect (test11765687,localhost,olga,,mysqltest1);
|
|
|
|
|
connection test11765687;
|
|
|
|
|
|
|
|
|
|
select * from v2;
|
|
|
|
|
# has sel/show on v2, sel only on t2, sel/show v1 (no sel on t1!)
|
|
|
|
|
--error ER_VIEW_NO_EXPLAIN
|
|
|
|
|
explain select * from v2;
|
|
|
|
|
disconnect test11765687;
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
--echo ... as pjotr
|
|
|
|
|
connect (test11765687,localhost,pjotr,,mysqltest1);
|
|
|
|
|
connection test11765687;
|
|
|
|
|
|
|
|
|
|
select * from v2;
|
|
|
|
|
# has sel/show on v2, sel only on t2, nothing on v1
|
|
|
|
|
# fail: lacks show on v1
|
|
|
|
|
--error ER_VIEW_NO_EXPLAIN
|
|
|
|
|
explain select * from v2;
|
|
|
|
|
disconnect test11765687;
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
--echo ... as quintessa
|
|
|
|
|
connect (test11765687,localhost,quintessa,,mysqltest1);
|
|
|
|
|
connection test11765687;
|
|
|
|
|
|
|
|
|
|
select * from v1; # Should succeed.
|
|
|
|
|
--error ER_VIEW_NO_EXPLAIN
|
|
|
|
|
explain select * from v1; # fail: lacks select on t1
|
|
|
|
|
|
|
|
|
|
disconnect test11765687;
|
|
|
|
|
|
|
|
|
|
# cleanup
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
--echo ... as root again at last: clean-up time!
|
|
|
|
|
connection root;
|
|
|
|
|
|
|
|
|
|
drop user alice@localhost;
|
|
|
|
|
drop user bob@localhost;
|
|
|
|
|
drop user cecil@localhost;
|
|
|
|
|
drop user dan@localhost;
|
|
|
|
|
drop user eugene@localhost;
|
|
|
|
|
drop user fiona@localhost;
|
|
|
|
|
drop user greg@localhost;
|
|
|
|
|
drop user han@localhost;
|
|
|
|
|
drop user inga@localhost;
|
|
|
|
|
drop user jamie@localhost;
|
|
|
|
|
drop user karl@localhost;
|
|
|
|
|
drop user lena@localhost;
|
|
|
|
|
drop user mhairi@localhost;
|
|
|
|
|
drop user noam@localhost;
|
|
|
|
|
drop user olga@localhost;
|
|
|
|
|
drop user pjotr@localhost;
|
|
|
|
|
drop user quintessa@localhost;
|
|
|
|
|
|
|
|
|
|
drop database mysqltest1;
|
|
|
|
|
|
|
|
|
|
disconnect root;
|
|
|
|
|
|
|
|
|
|
connection default;
|
|
|
|
|
|
2007-01-18 10:48:17 +01:00
|
|
|
--echo End of 5.0 tests.
|
2007-03-23 07:16:30 +01:00
|
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Test that ALTER VIEW accepts DEFINER and ALGORITHM, see bug#16425.
|
|
|
|
|
#
|
|
|
|
|
connection default;
|
|
|
|
|
--disable_warnings
|
|
|
|
|
DROP VIEW IF EXISTS v1;
|
|
|
|
|
DROP TABLE IF EXISTS t1;
|
|
|
|
|
--enable_warnings
|
|
|
|
|
|
|
|
|
|
CREATE TABLE t1 (i INT);
|
|
|
|
|
CREATE VIEW v1 AS SELECT * FROM t1;
|
|
|
|
|
|
|
|
|
|
ALTER VIEW v1 AS SELECT * FROM t1;
|
|
|
|
|
SHOW CREATE VIEW v1;
|
|
|
|
|
ALTER DEFINER=no_such@user_1 VIEW v1 AS SELECT * FROM t1;
|
|
|
|
|
SHOW CREATE VIEW v1;
|
|
|
|
|
ALTER ALGORITHM=MERGE VIEW v1 AS SELECT * FROM t1;
|
|
|
|
|
SHOW CREATE VIEW v1;
|
|
|
|
|
ALTER ALGORITHM=TEMPTABLE DEFINER=no_such@user_2 VIEW v1 AS SELECT * FROM t1;
|
|
|
|
|
SHOW CREATE VIEW v1;
|
|
|
|
|
|
|
|
|
|
DROP VIEW v1;
|
|
|
|
|
DROP TABLE t1;
|
|
|
|
|
|
2009-02-25 11:19:29 +01:00
|
|
|
#
|
|
|
|
|
# Bug#37191: Failed assertion in CREATE VIEW
|
|
|
|
|
#
|
|
|
|
|
CREATE USER mysqluser1@localhost;
|
|
|
|
|
CREATE DATABASE mysqltest1;
|
|
|
|
|
|
|
|
|
|
USE mysqltest1;
|
|
|
|
|
|
|
|
|
|
CREATE TABLE t1 ( a INT );
|
|
|
|
|
CREATE TABLE t2 ( b INT );
|
|
|
|
|
|
|
|
|
|
INSERT INTO t1 VALUES (1), (2);
|
|
|
|
|
INSERT INTO t2 VALUES (1), (2);
|
|
|
|
|
|
|
|
|
|
GRANT CREATE VIEW ON mysqltest1.* TO mysqluser1@localhost;
|
|
|
|
|
|
|
|
|
|
GRANT SELECT ON t1 TO mysqluser1@localhost;
|
|
|
|
|
GRANT INSERT ON t2 TO mysqluser1@localhost;
|
|
|
|
|
|
|
|
|
|
--connect (connection1, localhost, mysqluser1, , mysqltest1)
|
|
|
|
|
|
|
|
|
|
--echo This would lead to failed assertion.
|
|
|
|
|
CREATE VIEW v1 AS SELECT a, b FROM t1, t2;
|
|
|
|
|
|
|
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
|
|
|
SELECT * FROM v1;
|
|
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
|
|
|
SELECT b FROM v1;
|
|
|
|
|
|
|
|
|
|
--disconnect connection1
|
|
|
|
|
--connection default
|
|
|
|
|
|
|
|
|
|
DROP TABLE t1, t2;
|
|
|
|
|
DROP VIEW v1;
|
|
|
|
|
DROP DATABASE mysqltest1;
|
|
|
|
|
DROP USER mysqluser1@localhost;
|
|
|
|
|
USE test;
|
|
|
|
|
|
2007-03-23 07:16:30 +01:00
|
|
|
--echo End of 5.1 tests.
|
2008-09-03 16:45:40 +02:00
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Bug#36086: SELECT * from views don't check column grants
|
|
|
|
|
#
|
|
|
|
|
CREATE USER mysqluser1@localhost;
|
|
|
|
|
CREATE DATABASE mysqltest1;
|
|
|
|
|
|
|
|
|
|
USE mysqltest1;
|
|
|
|
|
|
|
|
|
|
CREATE TABLE t1 ( a INT, b INT );
|
|
|
|
|
CREATE TABLE t2 ( a INT, b INT );
|
|
|
|
|
|
|
|
|
|
CREATE VIEW v1 AS SELECT a, b FROM t1;
|
|
|
|
|
|
|
|
|
|
GRANT SELECT( a ) ON v1 TO mysqluser1@localhost;
|
|
|
|
|
GRANT UPDATE( b ) ON t2 TO mysqluser1@localhost;
|
|
|
|
|
|
|
|
|
|
--connect (connection1, localhost, mysqluser1, , test)
|
|
|
|
|
|
|
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
|
|
|
SELECT * FROM mysqltest1.v1;
|
|
|
|
|
|
|
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
|
|
|
CREATE VIEW v1 AS SELECT * FROM mysqltest1.t2;
|
|
|
|
|
|
|
|
|
|
--disconnect connection1
|
|
|
|
|
|
|
|
|
|
--connection default
|
|
|
|
|
|
|
|
|
|
DROP TABLE t1, t2;
|
|
|
|
|
DROP VIEW v1;
|
|
|
|
|
DROP DATABASE mysqltest1;
|
|
|
|
|
DROP USER mysqluser1@localhost;
|
|
|
|
|
|
|
|
|
|
#
|
2009-03-06 15:56:17 +01:00
|
|
|
# Bug#35600 Security breach via view, I_S table and prepared
|
|
|
|
|
# statement/stored procedure
|
2008-09-03 16:45:40 +02:00
|
|
|
#
|
|
|
|
|
CREATE USER mysqluser1@localhost;
|
|
|
|
|
CREATE DATABASE mysqltest1;
|
|
|
|
|
|
|
|
|
|
USE mysqltest1;
|
|
|
|
|
|
|
|
|
|
CREATE VIEW v1 AS SELECT * FROM information_schema.tables LIMIT 1;
|
|
|
|
|
CREATE ALGORITHM = TEMPTABLE VIEW v2 AS SELECT 1 AS A;
|
|
|
|
|
|
2008-09-09 12:49:08 +02:00
|
|
|
CREATE VIEW test.v3 AS SELECT 1 AS a;
|
|
|
|
|
|
2008-09-03 16:45:40 +02:00
|
|
|
--connection default
|
|
|
|
|
GRANT SELECT ON mysqltest1.* to mysqluser1@localhost;
|
2008-09-09 12:49:08 +02:00
|
|
|
GRANT ALL ON test.* TO mysqluser1@localhost;
|
2008-09-03 16:45:40 +02:00
|
|
|
|
|
|
|
|
--connect (connection1, localhost, mysqluser1, , test)
|
|
|
|
|
PREPARE stmt_v1 FROM "SELECT * FROM mysqltest1.v1";
|
|
|
|
|
PREPARE stmt_v2 FROM "SELECT * FROM mysqltest1.v2";
|
|
|
|
|
|
|
|
|
|
--connection default
|
|
|
|
|
REVOKE SELECT ON mysqltest1.* FROM mysqluser1@localhost;
|
|
|
|
|
|
|
|
|
|
--connection connection1
|
|
|
|
|
|
|
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
|
|
|
EXECUTE stmt_v1;
|
|
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
|
|
|
EXECUTE stmt_v2;
|
|
|
|
|
--disconnect connection1
|
2008-09-09 12:49:08 +02:00
|
|
|
|
|
|
|
|
--connect (connection2, localhost, mysqluser1,,)
|
|
|
|
|
PREPARE stmt FROM "SELECT a FROM v3";
|
|
|
|
|
EXECUTE stmt;
|
|
|
|
|
--disconnect connection2
|
|
|
|
|
|
2008-09-03 16:45:40 +02:00
|
|
|
--connection default
|
|
|
|
|
DROP VIEW v1, v2;
|
|
|
|
|
DROP DATABASE mysqltest1;
|
2008-09-09 12:49:08 +02:00
|
|
|
DROP VIEW test.v3;
|
2008-09-03 16:45:40 +02:00
|
|
|
DROP USER mysqluser1@localhost;
|
2009-03-06 15:56:17 +01:00
|
|
|
USE test;
|
|
|
|
|
|
2009-09-28 13:25:47 +02:00
|
|
|
--echo #
|
|
|
|
|
--echo # Bug#35996: SELECT + SHOW VIEW should be enough to display view
|
|
|
|
|
--echo # definition
|
|
|
|
|
--echo #
|
|
|
|
|
-- source include/not_embedded.inc
|
|
|
|
|
CREATE USER mysqluser1@localhost;
|
|
|
|
|
CREATE DATABASE mysqltest1;
|
|
|
|
|
CREATE DATABASE mysqltest2;
|
|
|
|
|
GRANT USAGE, SELECT, CREATE VIEW, SHOW VIEW
|
|
|
|
|
ON mysqltest2.* TO mysqluser1@localhost;
|
|
|
|
|
|
|
|
|
|
USE mysqltest1;
|
|
|
|
|
|
|
|
|
|
CREATE TABLE t1( a INT );
|
|
|
|
|
CREATE TABLE t2( a INT, b INT );
|
|
|
|
|
CREATE FUNCTION f1() RETURNS INT RETURN 1;
|
|
|
|
|
CREATE VIEW v1 AS SELECT 1 AS a;
|
|
|
|
|
CREATE VIEW v2 AS SELECT 1 AS a, 2 AS b;
|
|
|
|
|
|
|
|
|
|
GRANT SELECT ON TABLE t1 TO mysqluser1@localhost;
|
|
|
|
|
GRANT SELECT (a, b) ON TABLE t2 TO mysqluser1@localhost;
|
|
|
|
|
GRANT EXECUTE ON FUNCTION f1 TO mysqluser1@localhost;
|
|
|
|
|
GRANT SELECT ON TABLE v1 TO mysqluser1@localhost;
|
|
|
|
|
GRANT SELECT (a, b) ON TABLE v2 TO mysqluser1@localhost;
|
|
|
|
|
|
|
|
|
|
CREATE VIEW v_t1 AS SELECT * FROM t1;
|
|
|
|
|
CREATE VIEW v_t2 AS SELECT * FROM t2;
|
|
|
|
|
CREATE VIEW v_f1 AS SELECT f1() AS a;
|
|
|
|
|
CREATE VIEW v_v1 AS SELECT * FROM v1;
|
|
|
|
|
CREATE VIEW v_v2 AS SELECT * FROM v2;
|
|
|
|
|
|
|
|
|
|
GRANT SELECT, SHOW VIEW ON v_t1 TO mysqluser1@localhost;
|
|
|
|
|
GRANT SELECT, SHOW VIEW ON v_t2 TO mysqluser1@localhost;
|
|
|
|
|
GRANT SELECT, SHOW VIEW ON v_f1 TO mysqluser1@localhost;
|
|
|
|
|
GRANT SELECT, SHOW VIEW ON v_v1 TO mysqluser1@localhost;
|
|
|
|
|
GRANT SELECT, SHOW VIEW ON v_v2 TO mysqluser1@localhost;
|
|
|
|
|
|
|
|
|
|
--connect (connection1, localhost, mysqluser1,, mysqltest2)
|
|
|
|
|
CREATE VIEW v_mysqluser1_t1 AS SELECT * FROM mysqltest1.t1;
|
|
|
|
|
CREATE VIEW v_mysqluser1_t2 AS SELECT * FROM mysqltest1.t2;
|
|
|
|
|
CREATE VIEW v_mysqluser1_f1 AS SELECT mysqltest1.f1() AS a;
|
|
|
|
|
CREATE VIEW v_mysqluser1_v1 AS SELECT * FROM mysqltest1.v1;
|
|
|
|
|
CREATE VIEW v_mysqluser1_v2 AS SELECT * FROM mysqltest1.v2;
|
|
|
|
|
|
|
|
|
|
SHOW CREATE VIEW mysqltest1.v_t1;
|
|
|
|
|
SHOW CREATE VIEW mysqltest1.v_t2;
|
|
|
|
|
SHOW CREATE VIEW mysqltest1.v_f1;
|
|
|
|
|
SHOW CREATE VIEW mysqltest1.v_v1;
|
|
|
|
|
SHOW CREATE VIEW mysqltest1.v_v2;
|
|
|
|
|
|
|
|
|
|
SHOW CREATE VIEW v_mysqluser1_t1;
|
|
|
|
|
SHOW CREATE VIEW v_mysqluser1_t2;
|
|
|
|
|
SHOW CREATE VIEW v_mysqluser1_f1;
|
|
|
|
|
SHOW CREATE VIEW v_mysqluser1_v1;
|
|
|
|
|
SHOW CREATE VIEW v_mysqluser1_v2;
|
|
|
|
|
|
|
|
|
|
--connection default
|
|
|
|
|
REVOKE SELECT ON TABLE t1 FROM mysqluser1@localhost;
|
|
|
|
|
REVOKE SELECT (a) ON TABLE t2 FROM mysqluser1@localhost;
|
|
|
|
|
REVOKE EXECUTE ON FUNCTION f1 FROM mysqluser1@localhost;
|
|
|
|
|
REVOKE SELECT ON TABLE v1 FROM mysqluser1@localhost;
|
|
|
|
|
|
|
|
|
|
--connection connection1
|
|
|
|
|
SHOW CREATE VIEW mysqltest1.v_t1;
|
|
|
|
|
SHOW CREATE VIEW mysqltest1.v_t2;
|
|
|
|
|
SHOW CREATE VIEW mysqltest1.v_f1;
|
|
|
|
|
SHOW CREATE VIEW mysqltest1.v_v1;
|
|
|
|
|
SHOW CREATE VIEW mysqltest1.v_v2;
|
|
|
|
|
|
|
|
|
|
SHOW CREATE VIEW v_mysqluser1_t1;
|
|
|
|
|
SHOW CREATE VIEW v_mysqluser1_t2;
|
|
|
|
|
SHOW CREATE VIEW v_mysqluser1_f1;
|
|
|
|
|
SHOW CREATE VIEW v_mysqluser1_v1;
|
|
|
|
|
SHOW CREATE VIEW v_mysqluser1_v2;
|
|
|
|
|
|
|
|
|
|
--connection default
|
|
|
|
|
--echo # Testing the case when the views reference missing objects.
|
|
|
|
|
--echo # Obviously, there are no privileges to check for, so we
|
|
|
|
|
--echo # need only each object type once.
|
|
|
|
|
DROP TABLE t1;
|
|
|
|
|
DROP FUNCTION f1;
|
|
|
|
|
DROP VIEW v1;
|
|
|
|
|
|
|
|
|
|
--connection connection1
|
|
|
|
|
SHOW CREATE VIEW mysqltest1.v_t1;
|
|
|
|
|
SHOW CREATE VIEW mysqltest1.v_f1;
|
|
|
|
|
SHOW CREATE VIEW mysqltest1.v_v1;
|
|
|
|
|
|
|
|
|
|
SHOW CREATE VIEW v_mysqluser1_t1;
|
|
|
|
|
SHOW CREATE VIEW v_mysqluser1_f1;
|
|
|
|
|
SHOW CREATE VIEW v_mysqluser1_v1;
|
|
|
|
|
|
|
|
|
|
--connection default
|
|
|
|
|
REVOKE SHOW VIEW ON v_t1 FROM mysqluser1@localhost;
|
|
|
|
|
REVOKE SHOW VIEW ON v_f1 FROM mysqluser1@localhost;
|
|
|
|
|
REVOKE SHOW VIEW ON v_v1 FROM mysqluser1@localhost;
|
|
|
|
|
|
|
|
|
|
--connection connection1
|
|
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
|
|
|
SHOW CREATE VIEW mysqltest1.v_t1;
|
|
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
|
|
|
SHOW CREATE VIEW mysqltest1.v_f1;
|
|
|
|
|
--error ER_TABLEACCESS_DENIED_ERROR
|
|
|
|
|
SHOW CREATE VIEW mysqltest1.v_v1;
|
|
|
|
|
SHOW CREATE VIEW v_mysqluser1_t1;
|
|
|
|
|
SHOW CREATE VIEW v_mysqluser1_f1;
|
|
|
|
|
SHOW CREATE VIEW v_mysqluser1_v1;
|
|
|
|
|
|
|
|
|
|
--disconnect connection1
|
|
|
|
|
--connection default
|
|
|
|
|
DROP USER mysqluser1@localhost;
|
|
|
|
|
DROP DATABASE mysqltest1;
|
|
|
|
|
DROP DATABASE mysqltest2;
|
|
|
|
|
USE test;
|
|
|
|
|
|
|
|
|
|
CREATE TABLE t1( a INT );
|
|
|
|
|
CREATE DEFINER = no_such_user@no_such_host VIEW v1 AS SELECT * FROM t1;
|
|
|
|
|
SHOW CREATE VIEW v1;
|
|
|
|
|
DROP TABLE t1;
|
|
|
|
|
DROP VIEW v1;
|
|
|
|
|
|
2009-03-06 15:56:17 +01:00
|
|
|
|
2009-10-16 13:12:21 +02:00
|
|
|
--echo #
|
|
|
|
|
--echo # Bug #46019: ERROR 1356 When selecting from within another
|
|
|
|
|
--echo # view that has Group By
|
|
|
|
|
--echo #
|
|
|
|
|
CREATE DATABASE mysqltest1;
|
|
|
|
|
USE mysqltest1;
|
|
|
|
|
|
|
|
|
|
CREATE TABLE t1 (a INT);
|
|
|
|
|
|
|
|
|
|
CREATE SQL SECURITY INVOKER VIEW v1 AS SELECT a FROM t1 GROUP BY a;
|
|
|
|
|
CREATE SQL SECURITY INVOKER VIEW v2 AS SELECT a FROM v1;
|
|
|
|
|
|
|
|
|
|
CREATE USER mysqluser1;
|
|
|
|
|
|
|
|
|
|
GRANT SELECT ON TABLE t1 TO mysqluser1;
|
|
|
|
|
GRANT SELECT, SHOW VIEW ON TABLE v1 TO mysqluser1;
|
|
|
|
|
GRANT SELECT, SHOW VIEW ON TABLE v2 TO mysqluser1;
|
|
|
|
|
|
|
|
|
|
--connect (mysqluser1, localhost, mysqluser1,,mysqltest1)
|
|
|
|
|
SELECT a FROM v1;
|
|
|
|
|
SELECT a FROM v2;
|
|
|
|
|
|
|
|
|
|
--connection default
|
|
|
|
|
--disconnect mysqluser1
|
|
|
|
|
DROP USER mysqluser1;
|
|
|
|
|
DROP DATABASE mysqltest1;
|
2010-02-12 03:54:14 +01:00
|
|
|
USE test;
|
|
|
|
|
|
|
|
|
|
--echo #
|
|
|
|
|
--echo # Bug#47734: Assertion failed: ! is_set() when locking a view with non-existing definer
|
|
|
|
|
--echo #
|
|
|
|
|
|
|
|
|
|
--disable_warnings
|
|
|
|
|
DROP VIEW IF EXISTS v1;
|
|
|
|
|
--enable_warnings
|
|
|
|
|
|
|
|
|
|
CREATE DEFINER=`unknown`@`unknown` SQL SECURITY DEFINER VIEW v1 AS SELECT 1;
|
|
|
|
|
--error ER_NO_SUCH_USER
|
|
|
|
|
LOCK TABLES v1 READ;
|
|
|
|
|
DROP VIEW v1;
|
2011-01-12 14:08:30 +01:00
|
|
|
|
|
|
|
|
|
|
|
|
|
--echo #
|
|
|
|
|
--echo # Bug #58499 "DEFINER-security view selecting from INVOKER-security view
|
|
|
|
|
--echo # access check wrong".
|
|
|
|
|
--echo #
|
|
|
|
|
--echo # Check that we correctly handle privileges for various combinations
|
|
|
|
|
--echo # of INVOKER and DEFINER-security views using each other.
|
|
|
|
|
--disable_warnings
|
|
|
|
|
DROP DATABASE IF EXISTS mysqltest1;
|
|
|
|
|
--enable_warnings
|
|
|
|
|
CREATE DATABASE mysqltest1;
|
|
|
|
|
USE mysqltest1;
|
|
|
|
|
CREATE TABLE t1 (i INT);
|
|
|
|
|
CREATE TABLE t2 (j INT);
|
|
|
|
|
INSERT INTO t1 VALUES (1);
|
|
|
|
|
INSERT INTO t2 VALUES (2);
|
|
|
|
|
--echo #
|
|
|
|
|
--echo # 1) DEFINER-security view uses INVOKER-security view (covers
|
|
|
|
|
--echo # scenario originally described in the bug report).
|
|
|
|
|
CREATE SQL SECURITY INVOKER VIEW v1_uses_t1 AS SELECT * FROM t1;
|
|
|
|
|
CREATE SQL SECURITY INVOKER VIEW v1_uses_t2 AS SELECT * FROM t2;
|
|
|
|
|
CREATE USER 'mysqluser1'@'%';
|
|
|
|
|
GRANT CREATE VIEW ON mysqltest1.* TO 'mysqluser1'@'%';
|
|
|
|
|
GRANT SELECT ON t1 TO 'mysqluser1'@'%';
|
|
|
|
|
--echo # To be able create 'v2_uses_t2' we also need select on t2.
|
|
|
|
|
GRANT SELECT ON t2 TO 'mysqluser1'@'%';
|
|
|
|
|
GRANT SELECT ON v1_uses_t1 TO 'mysqluser1'@'%';
|
|
|
|
|
GRANT SELECT ON v1_uses_t2 TO 'mysqluser1'@'%';
|
|
|
|
|
--echo #
|
|
|
|
|
--echo # Connection 'mysqluser1'.
|
|
|
|
|
--connect (mysqluser1, localhost, mysqluser1,,mysqltest1)
|
|
|
|
|
CREATE SQL SECURITY DEFINER VIEW v2_uses_t1 AS SELECT * FROM v1_uses_t1;
|
|
|
|
|
CREATE SQL SECURITY DEFINER VIEW v2_uses_t2 AS SELECT * FROM v1_uses_t2;
|
|
|
|
|
--echo #
|
|
|
|
|
--echo # Connection 'default'.
|
|
|
|
|
--connection default
|
|
|
|
|
CREATE USER 'mysqluser2'@'%';
|
|
|
|
|
GRANT SELECT ON v2_uses_t1 TO 'mysqluser2'@'%';
|
|
|
|
|
GRANT SELECT ON v2_uses_t2 TO 'mysqluser2'@'%';
|
|
|
|
|
GRANT SELECT ON t2 TO 'mysqluser2'@'%';
|
|
|
|
|
GRANT CREATE VIEW ON mysqltest1.* TO 'mysqluser2'@'%';
|
|
|
|
|
--echo # Make 'mysqluser1' unable to access t2.
|
|
|
|
|
REVOKE SELECT ON t2 FROM 'mysqluser1'@'%';
|
|
|
|
|
--echo #
|
|
|
|
|
--echo # Connection 'mysqluser2'.
|
|
|
|
|
--connect (mysqluser2, localhost, mysqluser2,,mysqltest1)
|
|
|
|
|
--echo # The below statement should succeed thanks to suid nature of v2_uses_t1.
|
|
|
|
|
SELECT * FROM v2_uses_t1;
|
|
|
|
|
--echo # The below statement should fail due to suid nature of v2_uses_t2.
|
|
|
|
|
--error ER_VIEW_INVALID
|
|
|
|
|
SELECT * FROM v2_uses_t2;
|
|
|
|
|
--echo #
|
|
|
|
|
--echo # 2) INVOKER-security view uses INVOKER-security view.
|
|
|
|
|
--echo #
|
|
|
|
|
--echo # Connection 'default'.
|
|
|
|
|
--connection default
|
|
|
|
|
DROP VIEW v2_uses_t1, v2_uses_t2;
|
|
|
|
|
CREATE SQL SECURITY INVOKER VIEW v2_uses_t1 AS SELECT * FROM v1_uses_t1;
|
|
|
|
|
CREATE SQL SECURITY INVOKER VIEW v2_uses_t2 AS SELECT * FROM v1_uses_t2;
|
|
|
|
|
GRANT SELECT ON v2_uses_t1 TO 'mysqluser1'@'%';
|
|
|
|
|
GRANT SELECT ON v2_uses_t2 TO 'mysqluser1'@'%';
|
|
|
|
|
GRANT SELECT ON v1_uses_t1 TO 'mysqluser2'@'%';
|
|
|
|
|
GRANT SELECT ON v1_uses_t2 TO 'mysqluser2'@'%';
|
|
|
|
|
--echo #
|
|
|
|
|
--echo # Connection 'mysqluser1'.
|
|
|
|
|
--connection mysqluser1
|
|
|
|
|
--echo # For both versions of 'v2' 'mysqluser1' privileges should be used.
|
|
|
|
|
SELECT * FROM v2_uses_t1;
|
|
|
|
|
--error ER_VIEW_INVALID
|
|
|
|
|
SELECT * FROM v2_uses_t2;
|
|
|
|
|
--echo #
|
|
|
|
|
--echo # Connection 'mysqluser2'.
|
|
|
|
|
--connection mysqluser2
|
|
|
|
|
--echo # And now for both versions of 'v2' 'mysqluser2' privileges should
|
|
|
|
|
--echo # be used.
|
|
|
|
|
--error ER_VIEW_INVALID
|
|
|
|
|
SELECT * FROM v2_uses_t1;
|
|
|
|
|
SELECT * FROM v2_uses_t2;
|
|
|
|
|
--echo #
|
|
|
|
|
--echo # 3) INVOKER-security view uses DEFINER-security view.
|
|
|
|
|
--echo #
|
|
|
|
|
--echo # Connection 'default'.
|
|
|
|
|
--connection default
|
|
|
|
|
DROP VIEW v1_uses_t1, v1_uses_t2;
|
|
|
|
|
--echo # To be able create 'v1_uses_t2' we also need select on t2.
|
|
|
|
|
GRANT SELECT ON t2 TO 'mysqluser1'@'%';
|
|
|
|
|
--echo #
|
|
|
|
|
--echo # Connection 'mysqluser1'.
|
|
|
|
|
--connection mysqluser1
|
|
|
|
|
CREATE SQL SECURITY DEFINER VIEW v1_uses_t1 AS SELECT * FROM t1;
|
|
|
|
|
CREATE SQL SECURITY DEFINER VIEW v1_uses_t2 AS SELECT * FROM t2;
|
|
|
|
|
--echo #
|
|
|
|
|
--echo # Connection 'default'.
|
|
|
|
|
--connection default
|
|
|
|
|
--echo # Make 'mysqluser1' unable to access t2.
|
|
|
|
|
REVOKE SELECT ON t2 FROM 'mysqluser1'@'%';
|
|
|
|
|
--echo #
|
|
|
|
|
--echo # Connection 'mysqluser2'.
|
|
|
|
|
--connection mysqluser2
|
|
|
|
|
--echo # Due to suid nature of v1_uses_t1 and v1_uses_t2 the first
|
|
|
|
|
--echo # select should succeed and the second select should fail.
|
|
|
|
|
SELECT * FROM v2_uses_t1;
|
|
|
|
|
--error ER_VIEW_INVALID
|
|
|
|
|
SELECT * FROM v2_uses_t2;
|
|
|
|
|
--echo #
|
|
|
|
|
--echo # 4) DEFINER-security view uses DEFINER-security view.
|
|
|
|
|
--echo #
|
|
|
|
|
--echo # Connection 'default'.
|
|
|
|
|
--connection default
|
|
|
|
|
DROP VIEW v2_uses_t1, v2_uses_t2;
|
|
|
|
|
--echo # To be able create 'v2_uses_t2' we also need select on t2.
|
|
|
|
|
GRANT SELECT ON t2 TO 'mysqluser1'@'%';
|
|
|
|
|
--echo #
|
|
|
|
|
--echo # Connection 'mysqluser2'.
|
|
|
|
|
--connection mysqluser2
|
|
|
|
|
CREATE SQL SECURITY DEFINER VIEW v2_uses_t1 AS SELECT * FROM v1_uses_t1;
|
|
|
|
|
CREATE SQL SECURITY DEFINER VIEW v2_uses_t2 AS SELECT * FROM v1_uses_t2;
|
|
|
|
|
--echo #
|
|
|
|
|
--echo # Connection 'default'.
|
|
|
|
|
--connection default
|
|
|
|
|
--echo # Make 'mysqluser1' unable to access t2.
|
|
|
|
|
REVOKE SELECT ON t2 FROM 'mysqluser1'@'%';
|
|
|
|
|
--echo #
|
|
|
|
|
--echo # Connection 'mysqluser2'.
|
|
|
|
|
--connection mysqluser2
|
|
|
|
|
--echo # Again privileges of creator of innermost views should apply.
|
|
|
|
|
SELECT * FROM v2_uses_t1;
|
|
|
|
|
--error ER_VIEW_INVALID
|
|
|
|
|
SELECT * FROM v2_uses_t2;
|
|
|
|
|
|
|
|
|
|
--disconnect mysqluser1
|
|
|
|
|
--disconnect mysqluser2
|
|
|
|
|
--connection default
|
|
|
|
|
USE test;
|
|
|
|
|
DROP DATABASE mysqltest1;
|
|
|
|
|
DROP USER 'mysqluser1'@'%';
|
|
|
|
|
DROP USER 'mysqluser2'@'%';
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Wait till we reached the initial number of concurrent sessions
|
|
|
|
|
--source include/wait_until_count_sessions.inc
|