MDEV-9273 ERROR 1819 on grant statment for existing user

Cannot do password validation in fix_lex_user(), we don't know
there what "GRANT ... TO user" means - creating a new user with
an empty password (need validation) or granting privileges
to an existing user (no validation needed).

Move validation down into replace_user_table(). And copy into
check_change_password().

mysql-test/suite/plugins/r/simple_password_check.result

@@ -79,6 +79,7 @@ ERROR HY000: Your password does not satisfy the current policy requirements
 grant select on *.* to `BarFoo1!` identified by 'FooBar1!';
 drop user `BarFoo1!`;
 create user foo1 identified by 'aA.12345';
+grant select on *.* to foo1;
 drop user foo1;
 set global simple_password_check_digits=3;
 set global simple_password_check_letters_same_case=3;
@@ -129,7 +130,7 @@ ERROR HY000: The MariaDB server is running with the --strict-password-validation
 create user foo2 identified with mysql_native_password using '';
 ERROR HY000: Your password does not satisfy the current policy requirements
 grant select on *.* to foo2 identified with mysql_old_password;
-ERROR HY000: Your password does not satisfy the current policy requirements
+ERROR 28000: Can't find any matching row in the user table
 update mysql.user set password='xxx' where user='foo1';
 set global strict_password_validation=0;
 set password for foo1 = '';

mysql-test/suite/plugins/t/simple_password_check.test

@@ -26,6 +26,7 @@ grant select on *.* to `BarFoo1!` identified by 'FooBar1!';
 drop user `BarFoo1!`;
 
 create user foo1 identified by 'aA.12345';
+grant select on *.* to foo1;
 drop user foo1;
 
 set global simple_password_check_digits=3;
@@ -78,7 +79,7 @@ create user foo2 identified with mysql_native_password using '111111111111111111
 grant select on *.* to foo2 identified with mysql_old_password using '2222222222222222';
 --error ER_NOT_VALID_PASSWORD
 create user foo2 identified with mysql_native_password using '';
---error ER_NOT_VALID_PASSWORD
+--error ER_PASSWORD_NO_MATCH
 grant select on *.* to foo2 identified with mysql_old_password;
 
 # direct updates are not protected

sql/sql_acl.cc

@@ -1050,9 +1050,6 @@ static bool fix_lex_user(THD *thd, LEX_USER *user)
     return true;
   }
 
-  if (validate_password(user))
-    return true;
-
   if (user->pwtext.length && !user->pwhash.length)
   {
     size_t scramble_length;
@@ -2747,7 +2744,8 @@ bool check_change_password(THD *thd, LEX_USER *user)
 {
   LEX_USER *real_user= get_current_user(thd, user);
 
-  if (fix_and_copy_user(real_user, user, thd))
+  if (fix_and_copy_user(real_user, user, thd) ||
+      validate_password(real_user))
     return true;
 
   *user= *real_user;
@@ -3461,6 +3459,10 @@ static int replace_user_table(THD *thd, TABLE *table, LEX_USER &combo,
     store_record(table,record[1]);			// Save copy for update
   }
 
+  if (!old_row_exists || combo.pwtext.length || combo.pwhash.length)
+    if (validate_password(&combo))
+      goto end;
+
   /* Update table columns with new privileges */
 
   Field **tmp_field;