Bug#27145 EXTRA_ACL troubles

The flag EXTRA_ACL is used in conjugation with our access checks, yet it is not clear what impact this flag has. This is a code clean up which replaces use of EXTRA_ACL with an explicit function parameter. The patch also fixes privilege checks for: - SHOW CREATE TABLE: The new privilege requirement is any privilege on the table-level. - CHECKSUM TABLE: Requires SELECT on the table level. - SHOW CREATE VIEW: Requires SHOW_VIEW and SELECT on the table level (just as the manual claims) - SHOW INDEX: Requires any privilege on any column combination. mysql-test/r/grant.result: * Error message now shows correct command (SHOW instead of SELECT) mysql-test/r/grant2.result: * Error message now shows correct command (SHOW instead of SELECT) mysql-test/r/grant4.result: * This test file tests privilege requirements for SHOW COLUMNS CREATE TABLE .. LIKE SHOW CREATE TABLE SHOW INDEX CHECKSUM TABLE SHOW CREATE VIEW mysql-test/r/information_schema_db.result: * Added SELECT privilege to testdb_2 as SHOW CREATE VIEW now demands this privilege as well as SHOW VIEW. mysql-test/r/outfile.result: * Changed error code mysql-test/r/view_grant.result: * Additional SELECT privilege is now needed for SHOW CREATE VIEW mysql-test/t/grant4.test: * This test file tests privilege requirements for SHOW COLUMNS CREATE TABLE .. LIKE SHOW CREATE TABLE SHOW INDEX CHECKSUM TABLE SHOW CREATE VIEW mysql-test/t/information_schema_db.test: * Added SELECT privilege to testdb_2 as SHOW CREATE VIEW now demands this privilege as well as SHOW VIEW. mysql-test/t/outfile.test: * Changed error code mysql-test/t/view_grant.test: * Additional SELECT privilege is now needed for SHOW CREATE VIEW sql/mysql_priv.h: * Replaced EXTRA_ACL with a parameter sql/sp_head.cc: * Replaced EXTRA_ACL with a parameter sql/sql_acl.cc: * Converted function documentation to doxygen and clarified some behaviors. * Changed value from uint to bool to better reflect its meaning. * Removed pointless variable orig_want_access * Added function has_any_table_level_privileges to help with requirements checks during SHOW CREATE TABLE. sql/sql_acl.h: * changed signature of check_grant() * introduced access control function has_any_table_leevl_privileges() sql/sql_base.cc: * Check_table_access has new signature sql/sql_cache.cc: * Check_table_access has new signature sql/sql_parse.cc: * Rewrote function documentation in doxygen comments for: check_access, check_table_acces, check_grant. * Removed EXTRA_ACL flag where it doesn't hold any meaningful purpose anymore and replaced it with a function parameter where any privileges on any column combination would satisfy the requirement. * Fixed privilege check for SHOW COLUMNS and SHOW INDEX * Modified check_table_access to gain clarity in what EXTRA_ACL actually does. * Modified check_access to gain clarity in what EXTRA_ACL actually does. * Fixed privilege check for CREATE TABLE .. LIKE .. ; It now requires SELECT privileges on the table. * Fixed privilege check for SHOW CREATE TABLE ..; It now requires any privilege on the table level. sql/sql_plugin.cc: * check_table_access has new signature sql/sql_prepare.cc: * check_table_access has new signature sql/sql_show.cc: * check_table_access has new signature sql/sql_trigger.cc: * check_table_access has new signature sql/sql_update.cc: * check grant has new signature sql/sql_view.cc: * check_table_access has new signature
author: Kristofer Pettersson <kristofer.pettersson@sun.com> 2009-10-19 14:58:13 +0200
committer: Kristofer Pettersson <kristofer.pettersson@sun.com> 2009-10-19 14:58:13 +0200
commit: 0659b857e7fe232ebfe7f48c5e0affd59dbf5862 (patch)
tree: 6cca0ec3f77cd78ef0e2d87c40077591bd4364d2 /sql/sql_acl.h
parent: 80f6940f07978bff7de4433a9bc3626b974698f0 (diff)
download: mariadb-git-0659b857e7fe232ebfe7f48c5e0affd59dbf5862.tar.gz
1 files changed, 4 insertions, 2 deletions
diff --git a/sql/sql_acl.h b/sql/sql_acl.h
index a8090fba2e7..fd7824dc961 100644
--- a/sql/sql_acl.h
+++ b/sql/sql_acl.h
@@ -51,7 +51,6 @@
   4. acl_init() or whatever - to define behaviour for old privilege tables
   5. sql_yacc.yy - for GRANT/REVOKE to work
 */
-#define EXTRA_ACL	(1L << 29)
 #define NO_ACCESS	(1L << 30)
 #define DB_ACLS \
 (UPDATE_ACL | SELECT_ACL | INSERT_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | \
@@ -238,7 +237,7 @@ my_bool grant_init();
 void grant_free(void);
 my_bool grant_reload(THD *thd);
 bool check_grant(THD *thd, ulong want_access, TABLE_LIST *tables,
-		 uint show_command, uint number, bool dont_print_error);
+                 bool any_combination_will_do, uint number, bool no_errors);
 bool check_grant_column (THD *thd, GRANT_INFO *grant,
 			 const char *db_name, const char *table_name,
 			 const char *name, uint length, Security_context *sctx);
@@ -269,6 +268,9 @@ bool sp_grant_privileges(THD *thd, const char *sp_db, const char *sp_name,
 bool check_routine_level_acl(THD *thd, const char *db, const char *name,
                              bool is_proc);
 bool is_acl_user(const char *host, const char *user);
+bool has_any_table_level_privileges(THD *thd, ulong required_access,
+                                    TABLE_LIST *tables);
+
 #ifdef NO_EMBEDDED_ACCESS_CHECKS
 #define check_grant(A,B,C,D,E,F) 0
 #define check_grant_db(A,B) 0
author	Kristofer Pettersson <kristofer.pettersson@sun.com>	2009-10-19 14:58:13 +0200
committer	Kristofer Pettersson <kristofer.pettersson@sun.com>	2009-10-19 14:58:13 +0200
commit	0659b857e7fe232ebfe7f48c5e0affd59dbf5862 (patch)
tree	6cca0ec3f77cd78ef0e2d87c40077591bd4364d2 /sql/sql_acl.h
parent	80f6940f07978bff7de4433a9bc3626b974698f0 (diff)
download	mariadb-git-0659b857e7fe232ebfe7f48c5e0affd59dbf5862.tar.gz