Fixed two bugs in MySQL ACL.

First one is related to Bug#7905. One should not be allowed to
create new user with password without UPDATE privilege to
MySQL database. Furthermore, executing the same GRANT statement
twice would actually crash the server and corrupt privilege database.

Other bug was that one could update a column, using the existing
value as basis to calculate the new value (e.g. UPDATE t1 SET a=a+1)
without SELECT privilege to the field (a in the above example)

Fixed tests grant.pl and grant2, which were wrong.

1 files changed, 0 insertions, 11 deletions

diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index 3759840d3bb..c51e5e00aa1 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -1642,17 +1642,6 @@ static int replace_user_table(THD *thd, TABLE *table, const LEX_USER &combo,
   }
   else
   {
-    /*
-      Check that the user isn't trying to change a password for another
-      user if he doesn't have UPDATE privilege to the MySQL database
-    */
-    DBUG_ASSERT(combo.host.str != 0);
-    if (thd->user && combo.password.str &&
-        (strcmp(thd->user,combo.user.str) ||
-         my_strcasecmp(system_charset_info,
-                       combo.host.str, thd->host_or_ip)) &&
-        check_access(thd, UPDATE_ACL, "mysql",0,1,0))
-      goto end;
     old_row_exists = 1;
     store_record(table,record[1]);			// Save copy for update
     if (combo.password.str)			// If password given