MDEV-5232 SET ROLE checks privileges differently from check_access()

use the same inconsistent priv_user@host pair for SET ROLE privilege checks, just as check_access() does
2025-07-29 05:21:33 +03:00 · 2013-11-04 13:37:39 +01:00
parent 00ba619106
commit 79d2e6c82f
3 changed files with 38 additions and 1 deletions
--- a/mysql-test/suite/roles/set_role-5232.result
+++ b/mysql-test/suite/roles/set_role-5232.result
@ -0,0 +1,15 @@
+create user ''@localhost;
+create user c;
+grant select on mysql.* to c;
+create role r1;
+grant r1 to c;
+select user(), current_user();
+user()	current_user()
+c@localhost	@localhost
+select user from mysql.user group by user;
+ERROR 42000: SELECT command denied to user ''@'localhost' for table 'user'
+set role r1;
+ERROR OP000: Invalid role specification `r1`.
+drop role r1;
+drop user c;
+drop user ''@localhost;
--- a/mysql-test/suite/roles/set_role-5232.test
+++ b/mysql-test/suite/roles/set_role-5232.test
@ -0,0 +1,20 @@
+#
+# MDEV-5232 SET ROLE checks privileges differently from check_access()
+#
+--source include/not_embedded.inc
+create user ''@localhost;
+create user c;
+grant select on mysql.* to c;
+create role r1;
+grant r1 to c;
+connect (c,localhost,c,,,,,);
+select user(), current_user();
+--error ER_TABLEACCESS_DENIED_ERROR
+select user from mysql.user group by user;
+--error ER_INVALID_ROLE
+set role r1;
+disconnect c;
+connection default;
+drop role r1;
+drop user c;
+drop user ''@localhost;
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@ -1871,7 +1871,9 @@ int acl_check_setrole(THD *thd, char *rolename, ulonglong *access)
      continue;

    acl_user= (ACL_USER *)acl_user_base;
-    if (acl_user->wild_eq(thd->security_ctx->user, thd->security_ctx->host))
+    /* Yes! priv_user@host. Don't ask why - that's what check_access() does. */
+    if (acl_user->wild_eq(thd->security_ctx->priv_user,
+                          thd->security_ctx->host))
    {
      is_granted= TRUE;
      break;