8f395ebbfa
- BUG#15166: Wrong update permissions required to execute triggers - BUG#15196: Wrong select permission required to execute triggers The idea of the fix is to check the necessary privileges in Item_trigger_field::fix_fields(), instead of using the "special variables" technique. To achieve this, we should pass an Item_trigger_field instance a flag which indicates the usage/access type of this trigger variable. mysql-test/r/trigger-grant.result: Update the result file. mysql-test/t/trigger-grant.test: Add test cases for BUG#15166 and BUG#15196 sql/item.cc: Item_trigger_field: check the appropriate (SELECT/UPDATE) privilege in fix_fields(). sql/item.h: Add a flag to specify the access type for a trigger field. sql/sql_trigger.cc: The "special variable" technique of checking privileges for NEW/OLD variables was replaced by checking table- and column-level privileges in Item_trigger_field::fix_fields(). sql/sql_trigger.h: The "special variable" technique of checking privileges for NEW/OLD variables was replaced by checking table- and column-level privileges in Item_trigger_field::fix_fields(). sql/sql_yacc.yy: Specify the access type for trigger fields.
DELETE FROM mysql.user WHERE User LIKE 'mysqltest_%';
DELETE FROM mysql.db WHERE User LIKE 'mysqltest_%';
DELETE FROM mysql.tables_priv WHERE User LIKE 'mysqltest_%';
DELETE FROM mysql.columns_priv WHERE User LIKE 'mysqltest_%';
FLUSH PRIVILEGES;
DROP DATABASE IF EXISTS mysqltest_db1;
CREATE DATABASE mysqltest_db1;
CREATE USER mysqltest_dfn@localhost;
CREATE USER mysqltest_inv@localhost;
GRANT SUPER ON *.* TO mysqltest_dfn@localhost;
GRANT CREATE ON mysqltest_db1.* TO mysqltest_dfn@localhost;
---> connection: wl2818_definer_con
CREATE TABLE t1(num_value INT);
CREATE TABLE t2(user_str TEXT);
CREATE TRIGGER trg1 AFTER INSERT ON t1
FOR EACH ROW
INSERT INTO t2 VALUES(CURRENT_USER());
---> connection: default
GRANT ALL PRIVILEGES ON mysqltest_db1.t1 TO mysqltest_dfn@localhost;
GRANT ALL PRIVILEGES ON mysqltest_db1.t2 TO mysqltest_dfn@localhost;
GRANT ALL PRIVILEGES ON mysqltest_db1.t1
TO 'mysqltest_inv'@localhost;
GRANT SELECT ON mysqltest_db1.t2
TO 'mysqltest_inv'@localhost;
---> connection: wl2818_definer_con
use mysqltest_db1;
INSERT INTO t1 VALUES(1);
SELECT * FROM t1;
num_value
1
SELECT * FROM t2;
user_str
mysqltest_dfn@localhost
---> connection: wl2818_invoker_con
use mysqltest_db1;
INSERT INTO t1 VALUES(2);
SELECT * FROM t1;
num_value
1
2
SELECT * FROM t2;
user_str
mysqltest_dfn@localhost
mysqltest_dfn@localhost
---> connection: default
use mysqltest_db1;
REVOKE INSERT ON mysqltest_db1.t2 FROM mysqltest_dfn@localhost;
---> connection: wl2818_invoker_con
use mysqltest_db1;
INSERT INTO t1 VALUES(3);
ERROR 42000: INSERT command denied to user 'mysqltest_dfn'@'localhost' for table 't2'
SELECT * FROM t1;
num_value
1
2
3
SELECT * FROM t2;
user_str
mysqltest_dfn@localhost
mysqltest_dfn@localhost
---> connection: wl2818_definer_con
use mysqltest_db1;
DROP TRIGGER trg1;
CREATE DEFINER='mysqltest_inv'@'localhost'
TRIGGER trg1 BEFORE INSERT ON t1
FOR EACH ROW
SET @new_sum = 0;
CREATE DEFINER='mysqltest_nonexs'@'localhost'
TRIGGER trg2 AFTER INSERT ON t1
FOR EACH ROW
SET @new_sum = 0;
Warnings:
Note 1449 There is no 'mysqltest_nonexs'@'localhost' registered
INSERT INTO t1 VALUES(6);
ERROR 42000: Access denied; you need the SUPER privilege for this operation
SHOW TRIGGERS;
Trigger Event Table Statement Timing Created sql_mode Definer
trg1 INSERT t1 SET @new_sum = 0 BEFORE NULL mysqltest_inv@localhost
trg2 INSERT t1 SET @new_sum = 0 AFTER NULL mysqltest_nonexs@localhost
DROP TRIGGER trg1;
DROP TRIGGER trg2;
CREATE TRIGGER trg1 BEFORE INSERT ON t1
FOR EACH ROW
SET @a = 1;
CREATE TRIGGER trg2 AFTER INSERT ON t1
FOR EACH ROW
SET @a = 2;
CREATE TRIGGER trg3 BEFORE UPDATE ON t1
FOR EACH ROW
SET @a = 3;
CREATE TRIGGER trg4 AFTER UPDATE ON t1
FOR EACH ROW
SET @a = 4;
CREATE TRIGGER trg5 BEFORE DELETE ON t1
FOR EACH ROW
SET @a = 5;
SELECT trigger_name, definer FROM INFORMATION_SCHEMA.TRIGGERS ORDER BY trigger_name;
trigger_name definer
trg1
trg2 @
trg3 @abc@def@@
trg4 @hostname
trg5 @abcdef@@@hostname
Warnings:
Warning 1454 No definer attribute for trigger 'mysqltest_db1'.'trg1'. The trigger will be activated under the authorization of the invoker, which may have insufficient privileges. Please recreate the trigger.
SELECT * FROM INFORMATION_SCHEMA.TRIGGERS ORDER BY trigger_name;
TRIGGER_CATALOG TRIGGER_SCHEMA TRIGGER_NAME EVENT_MANIPULATION EVENT_OBJECT_CATALOG EVENT_OBJECT_SCHEMA EVENT_OBJECT_TABLE ACTION_ORDER ACTION_CONDITION ACTION_STATEMENT ACTION_ORIENTATION ACTION_TIMING ACTION_REFERENCE_OLD_TABLE ACTION_REFERENCE_NEW_TABLE ACTION_REFERENCE_OLD_ROW ACTION_REFERENCE_NEW_ROW CREATED SQL_MODE DEFINER
NULL mysqltest_db1 trg1 INSERT NULL mysqltest_db1 t1 0 NULL SET @a = 1 ROW BEFORE NULL NULL OLD NEW NULL
NULL mysqltest_db1 trg2 INSERT NULL mysqltest_db1 t1 0 NULL SET @a = 2 ROW AFTER NULL NULL OLD NEW NULL @
NULL mysqltest_db1 trg3 UPDATE NULL mysqltest_db1 t1 0 NULL SET @a = 3 ROW BEFORE NULL NULL OLD NEW NULL @abc@def@@
NULL mysqltest_db1 trg4 UPDATE NULL mysqltest_db1 t1 0 NULL SET @a = 4 ROW AFTER NULL NULL OLD NEW NULL @hostname
NULL mysqltest_db1 trg5 DELETE NULL mysqltest_db1 t1 0 NULL SET @a = 5 ROW BEFORE NULL NULL OLD NEW NULL @abcdef@@@hostname
---> connection: default
DROP USER mysqltest_dfn@localhost;
DROP USER mysqltest_inv@localhost;
DROP DATABASE mysqltest_db1;
Warnings:
Warning 1454 No definer attribute for trigger 'mysqltest_db1'.'trg1'. The trigger will be activated under the authorization of the invoker, which may have insufficient privileges. Please recreate the trigger.
DELETE FROM mysql.user WHERE User LIKE 'mysqltest_%';
DELETE FROM mysql.db WHERE User LIKE 'mysqltest_%';
DELETE FROM mysql.tables_priv WHERE User LIKE 'mysqltest_%';
DELETE FROM mysql.columns_priv WHERE User LIKE 'mysqltest_%';
FLUSH PRIVILEGES;
DROP DATABASE IF EXISTS mysqltest_db1;
CREATE DATABASE mysqltest_db1;
use mysqltest_db1;
CREATE TABLE t1(col CHAR(20));
CREATE TABLE t2(col CHAR(20));
CREATE TABLE t3(col CHAR(20));
CREATE TABLE t4(col CHAR(20));
CREATE USER mysqltest_u1@localhost;
REVOKE ALL PRIVILEGES, GRANT OPTION FROM mysqltest_u1@localhost;
GRANT SUPER ON *.* TO mysqltest_u1@localhost;
GRANT SELECT ON mysqltest_db1.t1 TO mysqltest_u1@localhost;
SET @mysqltest_var = NULL;
---> connection: default
use mysqltest_db1;
REVOKE SELECT ON mysqltest_db1.t1 FROM mysqltest_u1@localhost;
GRANT DELETE ON mysqltest_db1.* TO mysqltest_u1@localhost;
SHOW GRANTS FOR mysqltest_u1@localhost;
Grants for mysqltest_u1@localhost
GRANT SUPER ON *.* TO 'mysqltest_u1'@'localhost'
GRANT DELETE ON `mysqltest_db1`.* TO 'mysqltest_u1'@'localhost'
---> connection: bug15166_u1_con
use mysqltest_db1;
CREATE TRIGGER t1_trg_after_delete AFTER DELETE ON t1
FOR EACH ROW
SET @mysqltest_var = 'Hello, world!';
---> connection: default
use mysqltest_db1;
GRANT UPDATE ON mysqltest_db1.t1 TO mysqltest_u1@localhost;
GRANT UPDATE ON mysqltest_db1.t2 TO mysqltest_u1@localhost;
GRANT UPDATE(col) ON mysqltest_db1.t3 TO mysqltest_u1@localhost;
GRANT UPDATE(col) ON mysqltest_db1.t4 TO mysqltest_u1@localhost;
---> connection: bug15166_u1_con
use mysqltest_db1;
CREATE TRIGGER t1_trg_err_1 BEFORE INSERT ON t1
FOR EACH ROW
SET @mysqltest_var = NEW.col;
DROP TRIGGER t1_trg_err_1;
CREATE TRIGGER t1_trg_err_2 BEFORE DELETE ON t1
FOR EACH ROW
SET @mysqltest_var = OLD.col;
DROP TRIGGER t1_trg_err_2;
CREATE TRIGGER t2_trg_before_insert BEFORE INSERT ON t2
FOR EACH ROW
SET NEW.col = 't2_trg_before_insert';
CREATE TRIGGER t3_trg_err_1 BEFORE INSERT ON t3
FOR EACH ROW
SET @mysqltest_var = NEW.col;
DROP TRIGGER t3_trg_err_1;
CREATE TRIGGER t3_trg_err_2 BEFORE DELETE ON t3
FOR EACH ROW
SET @mysqltest_var = OLD.col;
DROP TRIGGER t3_trg_err_2;
CREATE TRIGGER t4_trg_before_insert BEFORE INSERT ON t4
FOR EACH ROW
SET NEW.col = 't4_trg_before_insert';
---> connection: default
use mysqltest_db1;
REVOKE UPDATE ON mysqltest_db1.t1 FROM mysqltest_u1@localhost;
REVOKE UPDATE ON mysqltest_db1.t2 FROM mysqltest_u1@localhost;
GRANT SELECT ON mysqltest_db1.t1 TO mysqltest_u1@localhost;
GRANT SELECT ON mysqltest_db1.t2 TO mysqltest_u1@localhost;
REVOKE UPDATE(col) ON mysqltest_db1.t3 FROM mysqltest_u1@localhost;
REVOKE UPDATE(col) ON mysqltest_db1.t4 FROM mysqltest_u1@localhost;
GRANT SELECT(col) on mysqltest_db1.t3 TO mysqltest_u1@localhost;
GRANT SELECT(col) on mysqltest_db1.t4 TO mysqltest_u1@localhost;
---> connection: bug15166_u1_con
use mysqltest_db1;
CREATE TRIGGER t1_trg_after_insert AFTER INSERT ON t1
FOR EACH ROW
SET @mysqltest_var = NEW.col;
CREATE TRIGGER t1_trg_after_update AFTER UPDATE ON t1
FOR EACH ROW
SET @mysqltest_var = OLD.col;
CREATE TRIGGER t2_trg_err_1 BEFORE UPDATE ON t2
FOR EACH ROW
SET NEW.col = 't2_trg_err_1';
DROP TRIGGER t2_trg_err_1;
CREATE TRIGGER t2_trg_err_2 BEFORE UPDATE ON t2
FOR EACH ROW
SET NEW.col = CONCAT(OLD.col, '(updated)');
DROP TRIGGER t2_trg_err_2;
CREATE TRIGGER t3_trg_after_insert AFTER INSERT ON t3
FOR EACH ROW
SET @mysqltest_var = NEW.col;
CREATE TRIGGER t3_trg_after_update AFTER UPDATE ON t3
FOR EACH ROW
SET @mysqltest_var = OLD.col;
CREATE TRIGGER t4_trg_err_1 BEFORE UPDATE ON t4
FOR EACH ROW
SET NEW.col = 't4_trg_err_1';
DROP TRIGGER t4_trg_err_1;
CREATE TRIGGER t4_trg_err_2 BEFORE UPDATE ON t4
FOR EACH ROW
SET NEW.col = CONCAT(OLD.col, '(updated)');
DROP TRIGGER t4_trg_err_2;
---> connection: default
use mysqltest_db1;
REVOKE SELECT ON mysqltest_db1.t1 FROM mysqltest_u1@localhost;
REVOKE SELECT ON mysqltest_db1.t2 FROM mysqltest_u1@localhost;
GRANT UPDATE ON mysqltest_db1.t1 TO mysqltest_u1@localhost;
GRANT UPDATE ON mysqltest_db1.t2 TO mysqltest_u1@localhost;
REVOKE SELECT(col) ON mysqltest_db1.t3 FROM mysqltest_u1@localhost;
REVOKE SELECT(col) ON mysqltest_db1.t4 FROM mysqltest_u1@localhost;
GRANT UPDATE(col) ON mysqltest_db1.t3 TO mysqltest_u1@localhost;
GRANT UPDATE(col) ON mysqltest_db1.t4 TO mysqltest_u1@localhost;
INSERT INTO t1 VALUES('line1');
ERROR 42000: SELECT command denied to user 'mysqltest_u1'@'localhost' for column 'col' in table 't1'
SELECT * FROM t1;
col
line1
SELECT @mysqltest_var;
@mysqltest_var
NULL
INSERT INTO t2 VALUES('line2');
SELECT * FROM t2;
col
t2_trg_before_insert
INSERT INTO t3 VALUES('t3_line1');
ERROR 42000: SELECT command denied to user 'mysqltest_u1'@'localhost' for column 'col' in table 't3'
SELECT * FROM t3;
col
t3_line1
SELECT @mysqltest_var;
@mysqltest_var
NULL
INSERT INTO t4 VALUES('t4_line2');
SELECT * FROM t4;
col
t4_trg_before_insert
---> connection: default
use mysqltest_db1;
REVOKE UPDATE ON mysqltest_db1.t1 FROM mysqltest_u1@localhost;
REVOKE UPDATE ON mysqltest_db1.t2 FROM mysqltest_u1@localhost;
GRANT SELECT ON mysqltest_db1.t1 TO mysqltest_u1@localhost;
GRANT SELECT ON mysqltest_db1.t2 TO mysqltest_u1@localhost;
REVOKE UPDATE(col) ON mysqltest_db1.t3 FROM mysqltest_u1@localhost;
REVOKE UPDATE(col) ON mysqltest_db1.t4 FROM mysqltest_u1@localhost;
GRANT SELECT(col) ON mysqltest_db1.t3 TO mysqltest_u1@localhost;
GRANT SELECT(col) ON mysqltest_db1.t4 TO mysqltest_u1@localhost;
INSERT INTO t1 VALUES('line3');
SELECT * FROM t1;
col
line1
line3
SELECT @mysqltest_var;
@mysqltest_var
line3
INSERT INTO t2 VALUES('line4');
ERROR 42000: UPDATE command denied to user 'mysqltest_u1'@'localhost' for column 'col' in table 't2'
SELECT * FROM t2;
col
t2_trg_before_insert
INSERT INTO t3 VALUES('t3_line2');
SELECT * FROM t3;
col
t3_line1
t3_line2
SELECT @mysqltest_var;
@mysqltest_var
t3_line2
INSERT INTO t4 VALUES('t4_line2');
ERROR 42000: UPDATE command denied to user 'mysqltest_u1'@'localhost' for column 'col' in table 't4'
SELECT * FROM t4;
col
t4_trg_before_insert
DELETE FROM t1;
SELECT @mysqltest_var;
@mysqltest_var
Hello, world!
DROP USER mysqltest_u1@localhost;
DROP DATABASE mysqltest_db1;