Bug #20901: CREATE privilege is enough to insert into a table

CREATE TABLE IF NOT EXISTS ... SELECT let you insert into an existing table as long as you had the CREATE privilege. CREATE ... SELECT variants now always require INSERT privilege on target table. mysql-test/r/create.result: Show that CREATE...SELECT requires INSERT privilege on target table. mysql-test/r/grant.result: Sort output for a defined state. mysql-test/t/create.test: Show that CREATE...SELECT requires INSERT privilege on target table. mysql-test/t/grant.test: Sort output for a defined state. sql/sql_parse.cc: Require INSERT privilege on target table for CREATE ... SELECT.
2025-07-27 18:02:13 +03:00 · 2007-10-23 06:54:31 +02:00
parent 77f287556b
commit f9d068bc09
5 changed files with 126 additions and 5 deletions
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@ -5832,8 +5832,15 @@ int create_table_precheck(THD *thd, TABLE_LIST *tables,
  int error= 1;                                 // Error message is given
  DBUG_ENTER("create_table_precheck");

+  /*
+    Require CREATE [TEMPORARY] privilege on new table; for
+    CREATE TABLE ... SELECT, also require INSERT.
+  */
+
  want_priv= ((lex->create_info.options & HA_LEX_CREATE_TMP_TABLE) ?
-              CREATE_TMP_ACL : CREATE_ACL);
+              CREATE_TMP_ACL : CREATE_ACL) |
+             (select_lex->item_list.elements ? INSERT_ACL : 0);
+
  if (check_access(thd, want_priv, create_table->db,
 		   &create_table->grant.privilege, 0, 0) ||
      check_merge_table_access(thd, create_table->db,