authorVicențiu Ciorbaru <cvicentiu@gmail.com>2022-03-08 15:59:50 +0200
committerVicențiu Ciorbaru <cvicentiu@gmail.com>2022-03-08 15:59:50 +0200
commit17417d53bde5e2e3f1132432a37aa2873568e21d (patch)
treec0b538561028641e437eca77c4f0fbe03139869f
parent9a74c307c35cbbeb706eb9a4f7a3746f14fdbb75 (diff)
downloadmariadb-git-17417d53bde5e2e3f1132432a37aa2873568e21d.tar.gz
MDEV-14443: check_grant mask grant_table entries with the deny mask
Previous code assumed that, when any combination of rights is acceptable, the mere presence of grant_table entries signifies that access is granted. This is not true when deny_mask masks every bit present in those grant_table entries. This is now corrected. TODO: column-level denies are still not evaluated.
-rw-r--r--sql/sql_acl.cc9
1 files changed, 8 insertions, 1 deletions
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index 1dd17b6f28a..1fb57f97b38 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -9376,7 +9376,14 @@ bool check_grant(THD *thd, privilege_t want_access, TABLE_LIST *tables,
t_ref->get_table_name(),
TRUE);
- if (!grant_table && !grant_table_role)
+ const bool no_grant_table_rights=
+ !grant_table ||
+ !((grant_table->privs | grant_table->cols) & ~deny_mask);
+ const bool no_grant_table_role_rights=
+ !grant_table_role ||
+ !((grant_table_role->privs | grant_table_role->cols) & ~deny_mask);
+
+ if (no_grant_table_rights && no_grant_table_role_rights)
{
want_access&= ~(t_ref->grant.privilege & ~deny_mask);
goto err; // No grants