author | Vicențiu Ciorbaru <cvicentiu@gmail.com> | 2022-06-08 16:37:57 +0300 |
---|---|---|
committer | Vicențiu Ciorbaru <cvicentiu@gmail.com> | 2022-06-12 17:24:12 +0300 |
commit | db64e12775dfbbc14ad2b0d8ea78123e59b86417 (patch) | |
tree | ec198207f78908d00a0e897f3ec393661bf71e04 | |
parent | 9c7d0266fe41fae2d88ba397870d568eb55b49d5 (diff) | |
download | mariadb-git-db64e12775dfbbc14ad2b0d8ea78123e59b86417.tar.gz |
More table level denies checks <- Squash
-rw-r--r-- | mysql-test/suite/deny/show_generic.test | 10 | ||||
-rw-r--r-- | sql/sql_acl.cc | 5 |
2 files changed, 14 insertions, 1 deletions
diff --git a/mysql-test/suite/deny/show_generic.test b/mysql-test/suite/deny/show_generic.test index 5b74727c9f9..6cdc12f97f1 100644 --- a/mysql-test/suite/deny/show_generic.test +++ b/mysql-test/suite/deny/show_generic.test @@ -119,6 +119,9 @@ where user = 'foo'; --connect (con1,localhost,foo,,) show tables from some_db; +--error ER_TABLEACCESS_DENIED_ERROR +show columns from some_db.t1; +show columns from some_db.t2; disconnect con1; connection default; @@ -126,6 +129,9 @@ grant insert on some_db.* to foo; --connect (con1,localhost,foo,,) show tables from some_db; +--error ER_TABLEACCESS_DENIED_ERROR +show columns from some_db.t1; +show columns from some_db.t2; disconnect con1; connection default; @@ -134,6 +140,10 @@ deny select on some_db.t2 to foo; --connect (con1,localhost,foo,,) show tables from some_db; +--error ER_TABLEACCESS_DENIED_ERROR +show columns from some_db.t1; +--error ER_TABLEACCESS_DENIED_ERROR +show columns from some_db.t2; disconnect con1; connection default; diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc index 531237c2d7f..f545318be97 100644 --- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc @@ -3888,7 +3888,6 @@ check_table_access(THD *thd, privilege_t requirements, TABLE_LIST *tables, if (table_ref->schema_table_reformed) { - //TODO(cvicentiu) check show access needs to handle denies. if (check_show_access(thd, table_ref)) return 1; continue; @@ -4172,6 +4171,10 @@ bool check_fk_parent_table_access(THD *thd, Having privilege on any of the parent_table column is not enough so checking whether user has any of the "privileges" at table level only here. + + TODO(cvicentiu): check_some_access is horribly inefficient. Luckily here + it only checks 2 bits. Rewrite check_some_access to not run check_access + and check_grant in a loop. */ if (check_some_access(thd, privileges, &parent_table) || parent_table.grant.want_privilege) |
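Review bot: The three added blocks exercise only `show columns`, so the deny is not shown to hold for the other statements through which foo could read column or key metadata of some_db.t1 and some_db.t2. In each block (this hunk and the ones at -126 and -134) I would repeat the expectation for a sibling statement such as `show index from some_db.t1;`, and add a `select table_name, column_name from information_schema.columns where table_schema = 'some_db';` whose recorded result must not list a denied table. Whether those statements reach the same check as `show columns` is not visible in this diff, so a recorded test is the cheapest way to pin the behaviour. The last block could also restate in a comment that t2 flips from allowed to denied because of the preceding `deny select on some_db.t2 to foo;`.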
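Review bot: The TODO added to the comment above the `check_some_access` call says it "only checks 2 bits", but `privileges` is assigned outside this hunk, so a reader cannot confirm that from here and the remark goes stale silently if the mask grows. I would name the bits and the cost in the note, e.g. `TODO(cvicentiu): check_some_access calls check_access and check_grant in a loop over the requested bits (<the two privileges> here); rewrite it to test the mask in one pass.` It would also read better as its own comment rather than appended to the paragraph that explains why a table-level privilege is required, since that paragraph documents the access decision and the TODO is about performance. check_fk_parent_table_access starts and ends outside the hunk.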