Sergei Golubchik f99586668a MDEV-36380 User has unauthorized access to a sequence through a view with security invoker ...

check sequence privileges in Item_func_nextval::fix_fields(),
just like column privileges are checked in Item_field::fix_fields()

remove sequence specific hacks that kinda made sequence privilege
checks works, but not in all cases. And they were too lax,
didn't requre SELECT privilege for NEXTVAL. Also INSERT privilege looks
wrong here, UPDATE would've been more appropriate, but won't
change that for compatibility reasons.

also fixes

MDEV-36413 User without any privileges to a sequence can read from it and modify it via column default

2025-04-17 17:18:55 +02:00

3.0 KiB

Raw Blame History

View Raw