diff options
| author | unknown <anozdrin@mysql.com> | 2006-02-01 13:28:45 +0300 |
|---|---|---|
| committer | unknown <anozdrin@mysql.com> | 2006-02-01 13:28:45 +0300 |
| commit | 6aaed7330ca9af51b93974a1de99420eec7ce55d (patch) | |
| tree | b3bc2ba52c3c27d83ec06079218da2c9e8a4dc79 /mysql-test/r/trigger-compat.result | |
| parent | 55c304a17b25ed19af984bf3b923e5aaf966f74a (diff) | |
| download | mariadb-git-6aaed7330ca9af51b93974a1de99420eec7ce55d.tar.gz | |
Fix for BUG#9412: Triggers: should have trigger privilege.
Implement table-level TRIGGER privilege to control access to triggers.
Before this path global SUPER privilege was used for this purpose, that
was the big security problem.
In details, before this patch SUPER privilege was required:
- for the user at CREATE TRIGGER time to create a new trigger;
- for the user at DROP TRIGGER time to drop the existing trigger;
- for the definer at trigger activation time to execute the trigger (if the
definer loses SUPER privilege, all its triggers become unavailable);
This patch changes the behaviour in the following way:
- TRIGGER privilege on the subject table for trigger is required:
- for the user at CREATE TRIGGER time to create a new trigger;
- for the user at DROP TRIGGER time to drop the existing trigger;
- for the definer at trigger activation time to execute the trigger
(if the definer loses TRIGGER privilege on the subject table, all its
triggers on this table become unavailable).
- SUPER privilege is still required:
- for the user at CREATE TRIGGER time to explicitly set the trigger
definer to the user other than CURRENT_USER().
When the server works with database of the previous version (w/o TRIGGER
privilege), or if the database is being upgraded from the previous versions,
TRIGGER privilege is granted to whose users, who have CREATE privilege.
mysql-test/r/grant.result:
Updated the result file after adding TRIGGER privilege.
mysql-test/r/information_schema.result:
Updated the result file after adding TRIGGER privilege.
mysql-test/r/lowercase_table_grant.result:
Updated the result file after adding TRIGGER privilege.
mysql-test/r/ps.result:
Updated the result file after adding TRIGGER privilege.
mysql-test/r/sp.result:
Updated the result file after adding TRIGGER privilege.
mysql-test/r/trigger-compat.result:
Updated the result file after adding TRIGGER privilege.
mysql-test/r/trigger-grant.result:
Updated the result file after adding TRIGGER privilege.
mysql-test/t/trigger-compat.test:
Grant table-level TRIGGER privilege instead of global SUPER one.
mysql-test/t/trigger-grant.test:
1. Grant table-level TRIGGER privilege instead of global SUPER one.
2. Updated the test case to check that SUPER is required to specify
the user other than the current as a definer.
scripts/mysql_create_system_tables.sh:
Added TRIGGER privilege.
scripts/mysql_fix_privilege_tables.sql:
Added TRIGGER privilege.
sql/sql_acl.cc:
Added TRIGGER privilege.
sql/sql_acl.h:
Added TRIGGER privilege.
sql/sql_show.cc:
Added TRIGGER privilege.
sql/sql_trigger.cc:
Check TRIGGER privilege instead of SUPER.
sql/sql_yacc.yy:
Added TRIGGER privilege.
Diffstat (limited to 'mysql-test/r/trigger-compat.result')
| -rw-r--r-- | mysql-test/r/trigger-compat.result | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/mysql-test/r/trigger-compat.result b/mysql-test/r/trigger-compat.result index 7721a55449b..71682376ab5 100644 --- a/mysql-test/r/trigger-compat.result +++ b/mysql-test/r/trigger-compat.result @@ -7,8 +7,7 @@ DROP DATABASE IF EXISTS mysqltest_db1; CREATE DATABASE mysqltest_db1; CREATE USER mysqltest_dfn@localhost; CREATE USER mysqltest_inv@localhost; -GRANT SUPER ON *.* TO mysqltest_dfn@localhost; -GRANT CREATE ON mysqltest_db1.* TO mysqltest_dfn@localhost; +GRANT CREATE, TRIGGER ON mysqltest_db1.* TO mysqltest_dfn@localhost; ---> connection: wl2818_definer_con CREATE TABLE t1(num_value INT); |