diff options
| author | unknown <dlenev@brandersnatch.localdomain> | 2004-10-20 16:04:43 +0400 |
|---|---|---|
| committer | unknown <dlenev@brandersnatch.localdomain> | 2004-10-20 16:04:43 +0400 |
| commit | b88150c96edf457099922a7e0a11831160bc5a67 (patch) | |
| tree | cc5a947dac611d8db606dd3485b05f87a26b8bcd /mysql-test/r/grant2.result | |
| parent | f125849dd1fa2b7eaca3aea5f84d7d79fb201ec2 (diff) | |
| download | mariadb-git-b88150c96edf457099922a7e0a11831160bc5a67.tar.gz | |
Fix for bug #6173 "One can circumvent missing UPDATE privilege if
he has SELECT and INSERT privileges for table with primary key"
Now we set lex->duplicates= DUP_UPDATE right in parser if INSERT has
ON DUPLICATE KEY UPDATE clause, this simplifies insert_precheck()
function (this also fixes a bug) and some other code.
mysql-test/r/grant2.result:
Added test for bug #6173 "One can circumvent missing UPDATE privilege if
he has SELECT and INSERT privileges for table with primary key"
mysql-test/t/grant2.test:
Added test for bug #6173 "One can circumvent missing UPDATE privilege if
he has SELECT and INSERT privileges for table with primary key"
sql/mysql_priv.h:
insert_precheck() don't need "update" parameter any longer since
now we set lex->duplicates to DUP_UPDATE if INSERT has ON DUPLICATE
KEY UPDATE clause.
sql/sql_parse.cc:
insert_precheck() don't need "update" parameter any longer since
now we set lex->duplicates to DUP_UPDATE if INSERT has ON DUPLICATE
KEY UPDATE clause, so it can determine whenever it is needed to
require UPDATE_ACL by itself. Also calling of mysql_insert() is
simplified.
sql/sql_prepare.cc:
insert_precheck() don't need "update" parameter any longer since
now we set lex->duplicates to DUP_UPDATE if INSERT has ON DUPLICATE
KEY UPDATE clause, so it can determine whenever it is needed to
require UPDATE_ACL by itself. Also calling of mysql_insert() is
simplified.
sql/sql_yacc.yy:
It is better to set Lex->duplicates= DUP_UPDATE right in parser if we
have INSERT with ON DUPLICATE KEY UPDATE clause, rather doing this later.
Diffstat (limited to 'mysql-test/r/grant2.result')
| -rw-r--r-- | mysql-test/r/grant2.result | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/mysql-test/r/grant2.result b/mysql-test/r/grant2.result index 31e506d2679..a31fa2ac3dc 100644 --- a/mysql-test/r/grant2.result +++ b/mysql-test/r/grant2.result @@ -1,6 +1,9 @@ SET NAMES binary; +drop database if exists mysqltest; delete from mysql.user where user like 'mysqltest\_%'; delete from mysql.db where user like 'mysqltest\_%'; +delete from mysql.tables_priv where user like 'mysqltest\_%'; +delete from mysql.columns_priv where user like 'mysqltest\_%'; flush privileges; grant all privileges on `my\_%`.* to mysqltest_1@localhost with grant option; select current_user(); @@ -25,3 +28,27 @@ ERROR 42000: There is no such grant defined for user 'mysqltest_3' on host 'loca delete from mysql.user where user like 'mysqltest\_%'; delete from mysql.db where user like 'mysqltest\_%'; flush privileges; +create database mysqltest; +grant INSERT, SELECT on mysqltest.* to mysqltest_1@localhost; +flush privileges; +use mysqltest; +create table t1 (id int primary key, data varchar(255)); +show grants for current_user(); +Grants for mysqltest_1@localhost +GRANT USAGE ON *.* TO 'mysqltest_1'@'localhost' +GRANT SELECT, INSERT ON `mysqltest`.* TO 'mysqltest_1'@'localhost' +use mysqltest; +insert into t1 values (1, 'I can''t change it!'); +update t1 set data='I can change it!' where id = 1; +ERROR 42000: Access denied for user 'mysqltest_1'@'localhost' to database 'mysqltest' +insert into t1 values (1, 'XXX') on duplicate key update data= 'I can change it!'; +ERROR 42000: Access denied for user 'mysqltest_1'@'localhost' to database 'mysqltest' +select * from t1; +id data +1 I can't change it! +drop table t1; +drop database mysqltest; +use test; +delete from mysql.user where user like 'mysqltest\_%'; +delete from mysql.db where user like 'mysqltest\_%'; +flush privileges; |