SET PASSWORD bugfixes:

* work as documented, use CURRENT_USER()
* move the check for ER_PASSWORD_ANONYMOUS_USER where it can actually work

mysql-test/r/grant2.result

@@ -335,7 +335,7 @@ delete from mysql.user where user like 'mysqltest\_1';
 flush privileges;
 drop database mysqltest_1;
 set password = password("changed");
-ERROR 42000: Can't find any matching row in the user table
+ERROR 42000: You are using MariaDB as an anonymous user and anonymous users are not allowed to change passwords
 lock table mysql.user write;
 flush privileges;
 grant all on *.* to 'mysqltest_1'@'localhost';

mysql-test/r/plugin_auth.result

@@ -36,8 +36,6 @@ USER()	CURRENT_USER()
 plug@localhost	plug_dest@%
 ## test SET PASSWORD
 SET PASSWORD = PASSWORD('plug_dest');
-Warnings:
-Note	1699	SET PASSWORD has no significance for users authenticating via plugins
 ## test bad credentials
 ERROR 28000: Access denied for user 'plug'@'localhost' (using password: YES)
 ## test bad default plugin : should get CR_AUTH_PLUGIN_CANNOT_LOAD
@@ -426,8 +424,6 @@ SELECT USER(),CURRENT_USER();
 USER()	CURRENT_USER()
 bug12818542@localhost	bug12818542_dest@localhost
 SET PASSWORD = PASSWORD('bruhaha');
-Warnings:
-Note	1699	SET PASSWORD has no significance for users authenticating via plugins
 SELECT USER(),CURRENT_USER();
 USER()	CURRENT_USER()
 bug12818542@localhost	bug12818542_dest@localhost

mysql-test/t/grant2.test

@@ -405,7 +405,7 @@ drop database mysqltest_1;
 # But anonymous users can't change their password
 connect (n5,localhost,test,,test,$MASTER_MYPORT,$MASTER_MYSOCK);
 connection n5;
---error ER_PASSWORD_NO_MATCH
+--error ER_PASSWORD_ANONYMOUS_USER
 set password = password("changed");
 disconnect n5;
 connection default;

sql/set_var.cc

@@ -832,23 +832,7 @@ int set_var_user::update(THD *thd)
 int set_var_password::check(THD *thd)
 {
 #ifndef NO_EMBEDDED_ACCESS_CHECKS
-  if (!user->host.str)
+  user= get_current_user(thd, user);
-  {
-    DBUG_ASSERT(thd->security_ctx->priv_host);
-    if (*thd->security_ctx->priv_host != 0)
-    {
-      user->host.str= (char *) thd->security_ctx->priv_host;
-      user->host.length= strlen(thd->security_ctx->priv_host);
-    }
-    else
-      user->host= host_not_specified;
-  }
-  if (user->user.str == current_user.str)
-  {
-    DBUG_ASSERT(thd->security_ctx->user);
-    user->user.str= (char *) thd->security_ctx->user;
-    user->user.length= strlen(thd->security_ctx->user);
-  }
   /* Returns 1 as the function sends error to client */
   return check_change_password(thd, user->host.str, user->user.str,
                                password, strlen(password)) ? 1 : 0;

sql/sql_acl.cc

@@ -2883,20 +2883,25 @@ int check_change_password(THD *thd, const char *host, const char *user,
     my_error(ER_OPTION_PREVENTS_STATEMENT, MYF(0), "--skip-grant-tables");
     return(1);
   }
+  if (!thd->slave_thread && !thd->security_ctx->priv_user[0])
+  {
+    my_message(ER_PASSWORD_ANONYMOUS_USER, ER(ER_PASSWORD_ANONYMOUS_USER),
+               MYF(0));
+    return(1);
+  }
+  if (!host) // Role
+  {
+    my_error(ER_PASSWORD_NO_MATCH, MYF(0));
+    return 1;
+  }
   if (!thd->slave_thread &&
-      (strcmp(thd->security_ctx->user, user) ||
+      (strcmp(thd->security_ctx->priv_user, user) ||
        my_strcasecmp(system_charset_info, host,
                      thd->security_ctx->priv_host)))
   {
     if (check_access(thd, UPDATE_ACL, "mysql", NULL, NULL, 1, 0))
       return(1);
   }
-  if (!thd->slave_thread && !thd->security_ctx->user[0])
-  {
-    my_message(ER_PASSWORD_ANONYMOUS_USER, ER(ER_PASSWORD_ANONYMOUS_USER),
-               MYF(0));
-    return(1);
-  }
   size_t len= strlen(new_password);
   if (len && len != SCRAMBLED_PASSWORD_CHAR_LENGTH &&
       len != SCRAMBLED_PASSWORD_CHAR_LENGTH_323)
@@ -3037,7 +3042,7 @@ end:
 
   RETURN
    FALSE  user not fond
-   TRUE   there are such user
+   TRUE   there is such user
 */
 
 bool is_acl_user(const char *host, const char *user)

sql/sql_parse.cc

@@ -3791,38 +3791,54 @@ end_with_restore_list:
 
     if (thd->security_ctx->user)              // If not replication
     {
-      LEX_USER *user, *tmp_user;
+      LEX_USER *user;
       bool first_user= TRUE;
 
       List_iterator <LEX_USER> user_list(lex->users_list);
-      while ((tmp_user= user_list++))
+      while ((user= user_list++))
       {
-        if (!(user= get_current_user(thd, tmp_user)))
-          goto error;
         if (specialflag & SPECIAL_NO_RESOLVE &&
             hostname_requires_resolving(user->host.str))
           push_warning_printf(thd, MYSQL_ERROR::WARN_LEVEL_WARN,
                               ER_WARN_HOSTNAME_WONT_WORK,
                               ER(ER_WARN_HOSTNAME_WONT_WORK));
-        // Are we trying to change a password of another user
-        DBUG_ASSERT(user->host.str != 0);
 
         /*
           GRANT/REVOKE PROXY has the target user as a first entry in the list. 
          */
         if (lex->type == TYPE_ENUM_PROXY && first_user)
         {
+          if (!(user= get_current_user(thd, user)) || !user->host.str)
+            goto error;
+
           first_user= FALSE;
           if (acl_check_proxy_grant_access (thd, user->host.str, user->user.str,
                                         lex->grant & GRANT_ACL))
             goto error;
         } 
-        else if (is_acl_user(user->host.str, user->user.str) &&
+        else if (user->password.str)
-                 user->password.str &&
+        {
-                 check_change_password (thd, user->host.str, user->user.str, 
+          // Are we trying to change a password of another user?
-                                        user->password.str, 
+          const char *hostname= user->host.str, *username=user->user.str;
-                                        user->password.length))
+          bool userok;
-          goto error;
+          if (username == current_user.str)
+          {
+            username= thd->security_ctx->priv_user;
+            hostname= thd->security_ctx->priv_host;
+            userok= true;
+          }
+          else
+          {
+            if (!hostname)
+              hostname= host_not_specified.str;
+            userok= is_acl_user(hostname, username);
+          }
+
+          if (userok && check_change_password (thd, hostname, username, 
+                                               user->password.str, 
+                                               user->password.length))
+            goto error;
+        }
       }
     }
     if (first_table)

sql/sql_yacc.yy

@@ -13884,10 +13884,9 @@ option_value:
               my_error(ER_SP_BAD_VAR_SHADOW, MYF(0), pw.str);
               MYSQL_YYABORT;
             }
-            if (!(user=(LEX_USER*) thd->alloc(sizeof(LEX_USER))))
+            if (!(user=(LEX_USER*) thd->calloc(sizeof(LEX_USER))))
               MYSQL_YYABORT;
-            user->host=null_lex_str;
+            user->user= current_user;
-            user->user.str=thd->security_ctx->user;
             set_var_password *var= new set_var_password(user, $3);
             if (var == NULL)
               MYSQL_YYABORT;