database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-30 16:24:05 +03:00
Code Activity

Bug#27145 EXTRA_ACL troubles

Browse Source 
The flag EXTRA_ACL is used in conjugation with our access checks, yet it is
not clear what impact this flag has.
This is a code clean up which replaces use of EXTRA_ACL with an explicit
function parameter.
The patch also fixes privilege checks for:
- SHOW CREATE TABLE: The new privilege requirement is any privilege on
  the table-level.
- CHECKSUM TABLE: Requires SELECT on the table level.
- SHOW CREATE VIEW: Requires SHOW_VIEW and SELECT on the table level
  (just as the manual claims)
- SHOW INDEX: Requires any privilege on any column combination.


mysql-test/r/grant.result:
  * Error message now shows correct command (SHOW instead of SELECT)
mysql-test/r/grant2.result:
  * Error message now shows correct command (SHOW instead of SELECT)
mysql-test/r/grant4.result:
  * This test file tests privilege requirements for
    SHOW COLUMNS
    CREATE TABLE .. LIKE
    SHOW CREATE TABLE
    SHOW INDEX
    CHECKSUM TABLE
    SHOW CREATE VIEW
mysql-test/r/information_schema_db.result:
  * Added SELECT privilege to testdb_2 as
    SHOW CREATE VIEW now demands this privilege
    as well as SHOW VIEW.
mysql-test/r/outfile.result:
  * Changed error code
mysql-test/r/view_grant.result:
  * Additional SELECT privilege is now needed
    for SHOW CREATE VIEW
mysql-test/t/grant4.test:
  * This test file tests privilege requirements for
    SHOW COLUMNS
    CREATE TABLE .. LIKE
    SHOW CREATE TABLE
    SHOW INDEX
    CHECKSUM TABLE
    SHOW CREATE VIEW
mysql-test/t/information_schema_db.test:
  * Added SELECT privilege to testdb_2 as
    SHOW CREATE VIEW now demands this privilege
    as well as SHOW VIEW.
mysql-test/t/outfile.test:
  * Changed error code
mysql-test/t/view_grant.test:
  * Additional SELECT privilege is now needed
    for SHOW CREATE VIEW
sql/mysql_priv.h:
  * Replaced EXTRA_ACL with a parameter
sql/sp_head.cc:
  * Replaced EXTRA_ACL with a parameter
sql/sql_acl.cc:
  * Converted function documentation to doxygen and clarified some behaviors.
  * Changed value from uint to bool to better reflect its meaning.
  * Removed pointless variable orig_want_access
  * Added function has_any_table_level_privileges to help with requirements
    checks during SHOW CREATE TABLE.
sql/sql_acl.h:
  * changed signature of check_grant()
  * introduced access control function has_any_table_leevl_privileges()
sql/sql_base.cc:
  * Check_table_access has new signature
sql/sql_cache.cc:
  * Check_table_access has new signature
sql/sql_parse.cc:
  * Rewrote function documentation in doxygen comments for: check_access,
    check_table_acces, check_grant.
  * Removed EXTRA_ACL flag where it doesn't hold any meaningful purpose anymore
    and replaced it with a function parameter where any privileges on any column
    combination would satisfy the requirement.
  * Fixed privilege check for SHOW COLUMNS and SHOW INDEX
  * Modified check_table_access to gain clarity in what EXTRA_ACL actually does.
  * Modified check_access to gain clarity in what EXTRA_ACL actually does.
  * Fixed privilege check for CREATE TABLE .. LIKE .. ; It now requires SELECT
    privileges on the table.
  * Fixed privilege check for SHOW CREATE TABLE ..; It now requires any privilege
    on the table level.
sql/sql_plugin.cc:
  * check_table_access has new signature
sql/sql_prepare.cc:
  * check_table_access has new signature
sql/sql_show.cc:
  * check_table_access has new signature
sql/sql_trigger.cc:
  * check_table_access has new signature
sql/sql_update.cc:
  * check grant has new signature
sql/sql_view.cc:
  * check_table_access has new signature
This commit is contained in:
Kristofer Pettersson
2009-10-19 14:58:13 +02:00
parent 80f6940f07
commit 0659b857e7
23 changed files with 751 additions and 235 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
sql/sql_prepare.cc
View File

@ -1336,7 +1336,7 @@ static int mysql_test_select(Prepared_statement *stmt,
ulong privilege= lex->exchange ? SELECT_ACL | FILE_ACL : SELECT_ACL;
if (tables)
{
if (check_table_access(thd, privilege, tables, UINT_MAX, FALSE))
if (check_table_access(thd, privilege, tables, FALSE, UINT_MAX, FALSE))
goto error;
}
else if (check_access(thd, privilege, any_db,0,0,0,0))
@ -1405,7 +1405,8 @@ static bool mysql_test_do_fields(Prepared_statement *stmt,
THD *thd= stmt->thd;
DBUG_ENTER("mysql_test_do_fields");
if (tables && check_table_access(thd, SELECT_ACL, tables, UINT_MAX, FALSE))
if (tables && check_table_access(thd, SELECT_ACL, tables, FALSE,
UINT_MAX, FALSE))
DBUG_RETURN(TRUE);
if (open_normal_and_derived_tables(thd, tables, 0))
@ -1436,8 +1437,9 @@ static bool mysql_test_set_fields(Prepared_statement *stmt,
THD *thd= stmt->thd;
set_var_base *var;
if ((tables && check_table_access(thd, SELECT_ACL, tables, UINT_MAX, FALSE))
|| open_normal_and_derived_tables(thd, tables, 0))
if ((tables && check_table_access(thd, SELECT_ACL, tables, FALSE,
UINT_MAX, FALSE)) ||
open_normal_and_derived_tables(thd, tables, 0))
goto error;
while ((var= it++))
@ -1472,7 +1474,8 @@ static bool mysql_test_call_fields(Prepared_statement *stmt,
THD *thd= stmt->thd;
Item *item;
if ((tables && check_table_access(thd, SELECT_ACL, tables, UINT_MAX, FALSE)) ||
if ((tables && check_table_access(thd, SELECT_ACL, tables, FALSE,
UINT_MAX, FALSE)) ||
open_normal_and_derived_tables(thd, tables, 0))
goto err;