Fix for BUG#24040: Create View don't succed with "all privileges"

on a database. The problem was that we required not less privileges on the base tables than we have on the view. The fix is to be more flexible and allow to create such a view (necessary privileges will be checked at the runtime). mysql-test/r/view_grant.result: Updated result file. mysql-test/t/view_grant.test: Added test case for BUG#24040 (Create View don't succed with "all privileges" on a database). sql/sql_view.cc: Implement flexible privilege check for CREATE VIEW.
2025-07-29 05:21:33 +03:00 · 2007-03-22 00:34:15 +03:00
parent 3798a7d500
commit b444f80882
3 changed files with 203 additions and 40 deletions
--- a/sql/sql_view.cc
+++ b/sql/sql_view.cc
@ -492,35 +492,46 @@ bool mysql_create_view(THD *thd, TABLE_LIST *views,
  /*
    Compare/check grants on view with grants of underlying tables
  */
+
+  fill_effective_table_privileges(thd, &view->grant, view->db,
+                                  view->table_name);
+
+  {
+    Item *report_item= NULL;
+    uint final_priv= VIEW_ANY_ACL;
+
  for (sl= select_lex; sl; sl= sl->next_select())
  {
    DBUG_ASSERT(view->db);                     /* Must be set in the parser */
    List_iterator_fast<Item> it(sl->item_list);
    Item *item;
-    fill_effective_table_privileges(thd, &view->grant, view->db,
-                                    view->table_name);
    while ((item= it++))
    {
-      Item_field *fld;
+        Item_field *fld= item->filed_for_view_update();
      uint priv= (get_column_grant(thd, &view->grant, view->db,
                                    view->table_name, item->name) &
                  VIEW_ANY_ACL);
-      if ((fld= item->filed_for_view_update()))
+
+        if (fld && !fld->field->table->s->tmp_table)
      {
-        /*
-          Do we have more privileges on view field then underlying table field?
-        */
-        if (!fld->field->table->s->tmp_table && (~fld->have_privileges & priv))
+          final_priv&= fld->have_privileges;
+
+          if (~fld->have_privileges & priv)
+            report_item= item;
+        }
+      }
+    }
+
+    if (!final_priv)
        {
-          /* VIEW column has more privileges */
+      DBUG_ASSERT(report_item);
+
          my_error(ER_COLUMNACCESS_DENIED_ERROR, MYF(0),
                   "create view", thd->security_ctx->priv_user,
-                   thd->security_ctx->priv_host, item->name,
+               thd->security_ctx->priv_host, report_item->name,
                   view->table_name);
          res= TRUE;
          goto err;
-        }
-      }
    }
  }
 #endif