mirror/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-01-30 18:41:56 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix privilege checking for sequence

Browse source 
MDEV-13732 User with SELECT privilege can ALTER sequence
This commit is contained in:
Monty 2018-02-14 16:43:22 +02:00
parent dc09f8f29c
commit 1fe9092d06
3 changed files with 124 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

60
mysql-test/suite/sql_sequence/grant.result Normal file
View file

@ -0,0 +1,60 @@
SET @@SQL_MODE = REPLACE(@@SQL_MODE, 'NO_AUTO_CREATE_USER', '');
create database mysqltest_1;
use mysqltest_1;
grant all on mysqltest_1.* to 'normal'@'%';
grant select on mysqltest_1.* to 'read_only'@'%';
grant select,insert on mysqltest_1.* to 'read_write'@'%';
grant select,insert,alter on mysqltest_1.* to 'alter'@'%';
grant alter on mysqltest_1.* to only_alter@'%';
connect normal,localhost,normal,,mysqltest_1;
connect read_only,localhost,read_only,,mysqltest_1;
connect read_write,localhost,read_write,,mysqltest_1;
connect alter,localhost,alter,,mysqltest_1;
connect only_alter, localhost, only_alter,,mysqltest_1;
connection normal;
create sequence s1;
select next value for s1;
next value for s1
1
alter sequence s1 restart= 11;
select * from s1;
next_not_cached_value minimum_value maximum_value start_value increment cache_size cycle_option cycle_count
11 1 9223372036854775806 1 1 1000 0 0
connection read_only;
select next value for s1;
ERROR 42000: INSERT command denied to user 'read_only'@'localhost' for table 's1'
alter sequence s1 restart= 11;
ERROR 42000: ALTER command denied to user 'read_only'@'localhost' for table 's1'
select * from s1;
next_not_cached_value minimum_value maximum_value start_value increment cache_size cycle_option cycle_count
11 1 9223372036854775806 1 1 1000 0 0
connection read_write;
select next value for s1;
next value for s1
11
alter sequence s1 restart= 11;
ERROR 42000: ALTER command denied to user 'read_write'@'localhost' for table 's1'
select * from s1;
next_not_cached_value minimum_value maximum_value start_value increment cache_size cycle_option cycle_count
1011 1 9223372036854775806 1 1 1000 0 0
connection alter;
select next value for s1;
next value for s1
12
alter sequence s1 restart= 11;
select * from s1;
next_not_cached_value minimum_value maximum_value start_value increment cache_size cycle_option cycle_count
11 1 9223372036854775806 1 1 1000 0 0
connection only_alter;
select next value for s1;
ERROR 42000: INSERT command denied to user 'only_alter'@'localhost' for table 's1'
alter sequence s1 restart= 11;
select * from s1;
ERROR 42000: SELECT command denied to user 'only_alter'@'localhost' for table 's1'
connection default;
drop database mysqltest_1;
drop user 'normal'@'%';
drop user 'read_only'@'%';
drop user 'read_write'@'%';
drop user 'alter'@'%';
drop user 'only_alter'@'%';

63
mysql-test/suite/sql_sequence/grant.test Normal file
View file

@ -0,0 +1,63 @@
#
# Test some grants with sequences
# Note that replication.test also does some grant testing
#
SET @@SQL_MODE = REPLACE(@@SQL_MODE, 'NO_AUTO_CREATE_USER', '');
create database mysqltest_1;
use mysqltest_1;
grant all on mysqltest_1.* to 'normal'@'%';
grant select on mysqltest_1.* to 'read_only'@'%';
grant select,insert on mysqltest_1.* to 'read_write'@'%';
grant select,insert,alter on mysqltest_1.* to 'alter'@'%';
grant alter on mysqltest_1.* to only_alter@'%';
connect(normal,localhost,normal,,mysqltest_1);
connect(read_only,localhost,read_only,,mysqltest_1);
connect(read_write,localhost,read_write,,mysqltest_1);
connect(alter,localhost,alter,,mysqltest_1);
connect(only_alter, localhost, only_alter,,mysqltest_1);
connection normal;
create sequence s1;
select next value for s1;
alter sequence s1 restart= 11;
select * from s1;
connection read_only;
--error ER_TABLEACCESS_DENIED_ERROR
select next value for s1;
--error ER_TABLEACCESS_DENIED_ERROR
alter sequence s1 restart= 11;
select * from s1;
connection read_write;
select next value for s1;
--error ER_TABLEACCESS_DENIED_ERROR
alter sequence s1 restart= 11;
select * from s1;
connection alter;
select next value for s1;
alter sequence s1 restart= 11;
select * from s1;
connection only_alter;
--error ER_TABLEACCESS_DENIED_ERROR
select next value for s1;
alter sequence s1 restart= 11;
--error ER_TABLEACCESS_DENIED_ERROR
select * from s1;
#
# Cleanup
#
connection default;
drop database mysqltest_1;
drop user 'normal'@'%';
drop user 'read_only'@'%';
drop user 'read_write'@'%';
drop user 'alter'@'%';
drop user 'only_alter'@'%';

2
sql/sql_acl.cc
View file

@ -7603,7 +7603,7 @@ bool check_grant(THD *thd, ulong want_access, TABLE_LIST *tables,
sctx= t_ref->security_ctx ? t_ref->security_ctx : thd->security_ctx; sctx= t_ref->security_ctx ? t_ref->security_ctx : thd->security_ctx;
ulong orig_want_access= original_want_access; ulong orig_want_access= original_want_access;
if (t_ref->sequence) if (t_ref->sequence && !(want_access & ~(INSERT_ACL | SELECT_ACL)))
{ {
/* We want to have either SELECT or INSERT rights to sequences depending /* We want to have either SELECT or INSERT rights to sequences depending
on how they are accessed on how they are accessed