author | Vicențiu Ciorbaru <cvicentiu@gmail.com> | 2013-10-17 20:39:23 -0700 |
---|---|---|
committer | Sergei Golubchik <sergii@pisem.net> | 2013-10-17 20:39:23 -0700 |
commit | db25d8f97713e3a4ade8284c57f65c63605c5b25 (patch) | |
tree | 1520135c114dcd1c576384dd45d6e787de5e0e63 | |
parent | 494f0117995bcd786e481960d2c4cdd5d13f0f61 (diff) | |
download | mariadb-git-db25d8f97713e3a4ade8284c57f65c63605c5b25.tar.gz |
Modified set_var_role so that the check() function performs the role check
and the update() function only sets the privileges.
-rw-r--r-- | sql/set_var.cc | 10 | ||||
-rw-r--r-- | sql/set_var.h | 6 | ||||
-rw-r--r-- | sql/sql_acl.cc | 26 | ||||
-rw-r--r-- | sql/sql_acl.h | 3 |
4 files changed, 31 insertions, 14 deletions
diff --git a/sql/set_var.cc b/sql/set_var.cc
index d09e2bcac77..33c360ae785 100644
--- a/sql/set_var.cc
+++ b/sql/set_var.cc
@@ -876,14 +876,20 @@ int set_var_password::update(THD *thd)
 *****************************************************************************/
 int set_var_role::check(THD *thd)
 {
- /* nothing to check */
+#ifndef NO_EMBEDDED_ACCESS_CHECKS
+ ulonglong access;
+ int status= acl_check_setrole(thd, base.str, &access);
+ save_result.ulonglong_value= access;
+ return status;
+#else
 return 0;
+#endif
 }
 int set_var_role::update(THD *thd)
 {
 #ifndef NO_EMBEDDED_ACCESS_CHECKS
- return acl_setrole(thd, this->role.str);
+ return acl_setrole(thd, base.str, save_result.ulonglong_value);
 #else
 return 0;
 #endif
diff --git a/sql/set_var.h b/sql/set_var.h
index 75090d6e1da..11501c4212a 100644
--- a/sql/set_var.h
+++ b/sql/set_var.h
@@ -278,11 +278,11 @@ public:
 /* For SET ROLE */
-class set_var_role: public set_var_base
+class set_var_role: public set_var
 {
- LEX_STRING role;
 public:
- set_var_role(LEX_STRING role_arg) : role(role_arg) {};
+ set_var_role(LEX_STRING role_arg) :
+ set_var(OPT_SESSION, NULL, &role_arg, NULL){};
 int check(THD *thd);
 int update(THD *thd);
 };
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index 6704d28ae89..61989b5de09 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -1672,7 +1672,7 @@ bool acl_getroot(Security_context *sctx, char *user, char *host,
 DBUG_RETURN(res);
 }
-bool acl_setrole(THD *thd, char *rolename)
+int acl_check_setrole(THD *thd, char *rolename, ulonglong *access)
 {
 bool is_granted;
 int result= 0;
@@ -1693,8 +1693,8 @@ bool acl_setrole(THD *thd, char *rolename)
 my_error(ER_INVALID_CURRENT_USER, MYF(0), rolename);
 result= -1;
 }
- else
- thd->security_ctx->master_access= acl_user->access;
+ else if (access)
+ *access= acl_user->access;
 goto end;
 }
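Review bot: In `set_var_role::check()` the local `access` is read uninitialized whenever `acl_check_setrole()` fails, because `save_result.ulonglong_value= access;` runs regardless of `status` and the error branches visible in the sql_acl.cc hunks (`result= -1;` followed by `goto end`) never write `*access`. Declaring it as `ulonglong access= 0;` keeps an indeterminate privilege mask out of `save_result` on the failure path. The mask is also computed in check() and applied later in update() with no re-validation, so a grant changed between the two calls would presumably still be applied for this statement; a comment on `update()` such as `/* applies the mask computed by check(); grants are not re-read here */` would make that window explicit.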
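Review bot: The new constructor in sql/set_var.h passes `&role_arg`, the address of its own by-value parameter, to `set_var`, which is only safe if the base constructor copies the `LEX_STRING` instead of keeping the pointer; the hunk does not show that constructor, so this needs confirming. It also passes NULL for the second and fourth arguments, so any inherited `set_var` member other than the overridden check() and update() must never be reached for this class. A comment above the constructor such as `/* set_var is used only for 'base' (the role name) and 'save_result'; var and value are NULL */` would record that contract. The class body starts above the hunk's first changed line and nothing else of `set_var` is visible here.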
@@ -1728,16 +1728,26 @@ bool acl_setrole(THD *thd, char *rolename)
 goto end;
 }
- /* merge the privileges */
- thd->security_ctx->master_access= acl_user->access | role->access;
- /* mark the current role */
- strcpy(thd->security_ctx->priv_role, rolename);
-
+ if (access)
+ {
+ *access = acl_user->access | role->access;
+ }
 end:
 mysql_mutex_unlock(&acl_cache->lock);
 return result;
 }
+int acl_setrole(THD *thd, char *rolename, ulonglong access) {
+ /* merge the privileges */
+ thd->security_ctx->master_access= access;
+ /* mark the current role */
+ strmake(thd->security_ctx->priv_role, rolename,
+ sizeof(thd->security_ctx->priv_role)-1);
+ return 0;
+}
+
+
+
 static uchar* check_get_key(ACL_USER *buff, size_t *length, my_bool not_used __attribute__((unused)))
 {
diff --git a/sql/sql_acl.h b/sql/sql_acl.h
index abc5e8ac25c..0e04d8f86d6 100644
--- a/sql/sql_acl.h
+++ b/sql/sql_acl.h
@@ -382,5 +382,6 @@ get_cached_table_access(GRANT_INTERNAL_INFO *grant_internal_info,
 bool acl_check_proxy_grant_access (THD *thd, const char *host, const char *user, bool with_grant);
-bool acl_setrole(THD *thd, char *rolename);
+int acl_setrole(THD *thd, char *rolename, ulonglong access);
+int acl_check_setrole(THD *thd, char *rolename, ulonglong *access);
 #endif /* SQL_ACL_INCLUDED */ |
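Review bot: The new `acl_setrole()` writes `priv_role` unconditionally, whereas the removed code reached `strcpy(thd->security_ctx->priv_role, rolename)` only on the path that merged `role->access`; the early branch in the `-1693` hunk did `goto end` before it. After this change that early branch also ends with `rolename` copied into `priv_role`, which looks unintended if that branch handles a request to drop the current role, so please confirm and clear `priv_role` there if that is the case. The function performs no check of its own and trusts `access` to come from a successful `acl_check_setrole()`, so a header comment like `/* Apply a role already validated by acl_check_setrole(); does no access checking itself */` would keep later callers from using it directly. On style, `*access = ...` and the opening brace on the signature line differ from the `x= y` and brace-on-own-line form used in the surrounding context lines, and the three added blank lines after the function could be one.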