Bug#36086: SELECT * from views don't check column grants

This patch also fixes bugs 36963 and 35600.
                      
- In many places a view was confused with an anonymous derived
  table, i.e. access checking was skipped. Fixed by introducing a
  predicate to tell the difference between named and anonymous
  derived tables.
                      
- When inserting fields for "SELECT * ", there was no 
  distinction between base tables and views, where one should be
  made. View privileges are checked elsewhere.

mysql-test/include/grant_cache.inc:
  Bug#36086: Changed test case.
mysql-test/r/grant2.result:
  Bug#36086: Changed test result.
mysql-test/r/grant_cache_no_prot.result:
  Bug#36086: Changed test result.
mysql-test/r/grant_cache_ps_prot.result:
  Bug#36086: Changed test result.
mysql-test/r/view_grant.result:
  Bug#36086: Test result.
mysql-test/t/grant2.test:
  Bug#36086: Changed test case.
mysql-test/t/view_grant.test:
  Bug#36086: Test case.
sql/item.cc:
  Bug#36086: Replaced conditional with new methods.
sql/sql_acl.cc:
  Bug no 35600: 
  In mysql_table_grant:
    Replaced conditional with the new accessor method.
  
  In check_grant:
   - Changed the requirement table->derived != null to 
     checking all anonymous derived tables.
   - Use of the accessor methods for getting object and database 
     names.
      
  Bug#36086: In check_grant_all_columns:
    - Updated comment. This function is now called for views
      as well.
    - The error message should not disclose any column names 
      unless the user has privilege to see all column names.
    - Changed names of Field_iterator_table_ref methods.
sql/sql_base.cc:
  Bug no 36963: In insert_fields()
    - Commented.
    - We should call check_grant_all_columns() for views in  
      this case.        
    - Changed names of Field_iterator_table_ref methods.
    - We should not disclose column names in the error message
      when the user has no approprate privilege.
sql/sql_cache.cc:
  Bug#36086: Replaced test with new predicate method.
sql/sql_derived.cc:
  Bug#36086: commenting only. Updated and doxygenated
  comment for mysql_derived_prepare().
sql/sql_parse.cc:
  Bug no 35600: 
  - In check_single_table_access:
    Due to the bug, check_grant would raise an error for a
    SHOW CREATE TABLE command for a TEMPTABLE view. It should in
    fact not be be invoked in this case. This table privilege
    is checked already.
    There is a test case for this in information_schema_db.test.
      
  - In check_access: replaced table->derived
sql/table.cc:
  Bug#36086: 
  
  - In TABLE_LIST::set_underlying_merge(): 
    Commenting only. Doxygenated, corrected spelling,
    added.
  
  - Renamed table_name() and db_name() methods of 
    Field_iterator_table_ref in order to be consistent
    with new methods in TABLE_LIST.
sql/table.h:
  Bug#36086: 
    - Commented GRANT_INFO.
    - Added a predicate is_anonymous_derived_table() to    
      TABLE_LIST.
    - Added get_table_name() and get_db_name() to   
      TABLE_LIST in order to hide the disparate   
      representation of these properties.

1 files changed, 21 insertions, 10 deletions

diff --git a/sql/table.cc b/sql/table.cc
index 58cbde74822..40264a7cbb3 100644
--- a/sql/table.cc
+++ b/sql/table.cc
@@ -2993,16 +2993,27 @@ void  TABLE_LIST::calc_md5(char *buffer)
 }
 
 
-/*
-  set underlying TABLE for table place holder of VIEW
+/**
+   @brief Set underlying table for table place holder of view.
 
-  DESCRIPTION
-    Replace all views that only uses one table with the table itself.
-    This allows us to treat the view as a simple table and even update
-    it (it is a kind of optimisation)
+   @details
 
-  SYNOPSIS
-    TABLE_LIST::set_underlying_merge()
+   Replace all views that only use one table with the table itself.  This
+   allows us to treat the view as a simple table and even update it (it is a
+   kind of optimization).
+
+   @note 
+
+   This optimization is potentially dangerous as it makes views
+   masquerade as base tables: Views don't have the pointer TABLE_LIST::table
+   set to non-@c NULL.
+
+   We may have the case where a view accesses tables not normally accessible
+   in the current Security_context (only in the definer's
+   Security_context). According to the table's GRANT_INFO (TABLE::grant),
+   access is fulfilled, but this is implicitly meant in the definer's security
+   context. Hence we must never look at only a TABLE's GRANT_INFO without
+   looking at the one of the referring TABLE_LIST.
 */
 
 void TABLE_LIST::set_underlying_merge()
@@ -4082,7 +4093,7 @@ void Field_iterator_table_ref::next()
 }
 
 
-const char *Field_iterator_table_ref::table_name()
+const char *Field_iterator_table_ref::get_table_name()
 {
   if (table_ref->view)
     return table_ref->view_name.str;
@@ -4095,7 +4106,7 @@ const char *Field_iterator_table_ref::table_name()
 }
 
 
-const char *Field_iterator_table_ref::db_name()
+const char *Field_iterator_table_ref::get_db_name()
 {
   if (table_ref->view)
     return table_ref->view_db.str;