Merge tnurnberg@bk-internal.mysql.com:/home/bk/mysql-5.1-maint

into  mysql.com:/scratch/tnurnberg/20901/51-20901


mysql-test/r/create.result:
  Auto merged
mysql-test/t/create.test:
  Auto merged
sql/sql_parse.cc:
  Auto merged

3 files changed, 122 insertions, 1 deletions

diff --git a/mysql-test/r/create.result b/mysql-test/r/create.result
index e79a255967b..bead320751f 100644
--- a/mysql-test/r/create.result
+++ b/mysql-test/r/create.result
@@ -763,6 +763,44 @@ t2	CREATE TABLE `t2` (
 drop table t1, t2;
 create table t1(a set("a,b","c,d") not null);
 ERROR 22007: Illegal set 'a,b' value found during parsing
+create database mysqltest;
+use mysqltest;
+grant create on mysqltest.* to mysqltest@localhost;
+create table t1 (i INT);
+insert into t1 values (1);
+ERROR 42000: INSERT command denied to user 'mysqltest'@'localhost' for table 't1'
+create table t2 (i INT);
+create table t4 (i INT);
+grant select, insert on mysqltest.t2 to mysqltest@localhost;
+grant         insert on mysqltest.t4 to mysqltest@localhost;
+grant create, insert on mysqltest.t5 to mysqltest@localhost;
+grant create, insert on mysqltest.t6 to mysqltest@localhost;
+flush privileges;
+insert into t2 values (1);
+create table if not exists t1 select * from t2;
+ERROR 42000: INSERT command denied to user 'mysqltest'@'localhost' for table 't1'
+create table if not exists t3 select * from t2;
+ERROR 42000: INSERT command denied to user 'mysqltest'@'localhost' for table 't3'
+create table if not exists t4 select * from t2;
+Warnings:
+Note	1050	Table 't4' already exists
+create table if not exists t5 select * from t2;
+create table t6 select * from t2;
+create table t7 select * from t2;
+ERROR 42000: INSERT command denied to user 'mysqltest'@'localhost' for table 't7'
+create table t4 select * from t2;
+ERROR 42S01: Table 't4' already exists
+create table t1 select * from t2;
+ERROR 42000: INSERT command denied to user 'mysqltest'@'localhost' for table 't1'
+drop table t1,t2,t4,t5,t6;
+revoke create         on mysqltest.*  from mysqltest@localhost;
+revoke select, insert on mysqltest.t2 from mysqltest@localhost;
+revoke insert         on mysqltest.t4 from mysqltest@localhost;
+revoke create, insert on mysqltest.t5 from mysqltest@localhost;
+revoke create, insert on mysqltest.t6 from mysqltest@localhost;
+flush privileges;
+drop database mysqltest;
+use test;
 create table t1 (i int) engine=myisam max_rows=100000000000;
 show create table t1;
 Table	Create Table
diff --git a/mysql-test/t/create.test b/mysql-test/t/create.test
index 023e55ea418..05ca9dca26d 100644
--- a/mysql-test/t/create.test
+++ b/mysql-test/t/create.test
@@ -658,6 +658,82 @@ drop table t1, t2;
 --error 1367
 create table t1(a set("a,b","c,d") not null);
 
+#
+# Bug #20901 - CREATE privilege is enough to insert into a table
+#
+
+create database mysqltest;
+use mysqltest;
+
+grant create on mysqltest.* to mysqltest@localhost;
+create table t1 (i INT);
+
+connect (user1,localhost,mysqltest,,mysqltest);
+connection user1;
+# show we don't have INSERT
+--error 1142
+insert into t1 values (1);
+# show we have CREATE
+create table t2 (i INT);
+create table t4 (i INT);
+
+connection default;
+grant select, insert on mysqltest.t2 to mysqltest@localhost;
+grant         insert on mysqltest.t4 to mysqltest@localhost;
+# to specify ACLs for non-existent objects, must explictly |CREATE
+grant create, insert on mysqltest.t5 to mysqltest@localhost;
+grant create, insert on mysqltest.t6 to mysqltest@localhost;
+flush privileges;
+
+connection user1;
+insert into t2 values (1);
+
+
+# CREATE IF NOT EXISTS...SELECT, t1 exists, no INSERT, must fail
+--error 1142
+create table if not exists t1 select * from t2;
+
+# CREATE IF NOT EXISTS...SELECT, no t3 yet, no INSERT, must fail
+--error 1142
+create table if not exists t3 select * from t2;
+
+# CREATE IF NOT EXISTS...SELECT, t4 exists, have INSERT, must succeed
+create table if not exists t4 select * from t2;
+
+# CREATE IF NOT EXISTS...SELECT, no t5 yet, have INSERT, must succeed
+create table if not exists t5 select * from t2;
+
+
+# CREATE...SELECT, no t6 yet, have INSERT, must succeed
+create table t6 select * from t2;
+
+# CREATE...SELECT, no t7 yet, no INSERT, must fail
+--error 1142
+create table t7 select * from t2;
+
+# CREATE...SELECT, t4 exists, have INSERT, must still fail (exists)
+--error 1050
+create table t4 select * from t2;
+
+# CREATE...SELECT, t1 exists, no INSERT, must fail
+--error 1142
+create table t1 select * from t2;
+
+
+connection default;
+drop table t1,t2,t4,t5,t6;
+
+revoke create         on mysqltest.*  from mysqltest@localhost;
+revoke select, insert on mysqltest.t2 from mysqltest@localhost;
+revoke insert         on mysqltest.t4 from mysqltest@localhost;
+revoke create, insert on mysqltest.t5 from mysqltest@localhost;
+revoke create, insert on mysqltest.t6 from mysqltest@localhost;
+flush privileges;
+
+disconnect user1;
+drop database mysqltest;
+use test;
+
 # End of 4.1 tests
 
 
diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc
index 4d8beb6f67d..0c9e9705444 100644
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -6980,8 +6980,15 @@ bool create_table_precheck(THD *thd, TABLE_LIST *tables,
   bool error= TRUE;                                 // Error message is given
   DBUG_ENTER("create_table_precheck");
 
+  /*
+    Require CREATE [TEMPORARY] privilege on new table; for
+    CREATE TABLE ... SELECT, also require INSERT.
+  */
+
   want_priv= ((lex->create_info.options & HA_LEX_CREATE_TMP_TABLE) ?
-              CREATE_TMP_ACL : CREATE_ACL);
+              CREATE_TMP_ACL : CREATE_ACL) |
+             (select_lex->item_list.elements ? INSERT_ACL : 0);
+
   if (check_access(thd, want_priv, create_table->db,
 		   &create_table->grant.privilege, 0, 0,
                    test(create_table->schema_table)) ||