-rw-r--r--mysql-test/suite/roles/set_role-5232.result15
-rw-r--r--mysql-test/suite/roles/set_role-5232.test20
-rw-r--r--sql/sql_acl.cc4
3 files changed, 38 insertions, 1 deletions
diff --git a/mysql-test/suite/roles/set_role-5232.result b/mysql-test/suite/roles/set_role-5232.result
new file mode 100644
index 00000000000..888a5f10c3d
--- /dev/null
+++ b/mysql-test/suite/roles/set_role-5232.result
@@ -0,0 +1,15 @@
+create user ''@localhost;
+create user c;
+grant select on mysql.* to c;
+create role r1;
+grant r1 to c;
+select user(), current_user();
+user() current_user()
+c@localhost @localhost
+select user from mysql.user group by user;
+ERROR 42000: SELECT command denied to user ''@'localhost' for table 'user'
+set role r1;
+ERROR OP000: Invalid role specification `r1`.
+drop role r1;
+drop user c;
+drop user ''@localhost;
diff --git a/mysql-test/suite/roles/set_role-5232.test b/mysql-test/suite/roles/set_role-5232.test
new file mode 100644
index 00000000000..c6cb3d925a4
--- /dev/null
+++ b/mysql-test/suite/roles/set_role-5232.test
@@ -0,0 +1,20 @@
+#
+# MDEV-5232 SET ROLE checks privileges differently from check_access()
+#
+--source include/not_embedded.inc
+create user ''@localhost;
+create user c;
+grant select on mysql.* to c;
+create role r1;
+grant r1 to c;
+connect (c,localhost,c,,,,,);
+select user(), current_user();
+--error ER_TABLEACCESS_DENIED_ERROR
+select user from mysql.user group by user;
+--error ER_INVALID_ROLE
+set role r1;
+disconnect c;
+connection default;
+drop role r1;
+drop user c;
+drop user ''@localhost;
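Review bot: The test pins only the denial path: `set role r1;` is rejected while `c` is authenticated as `''@localhost`, but nothing checks that a role granted to the matched account is still accepted. A regression that rejected every SET ROLE would therefore still pass. Consider adding a positive case (presumably granting a role to `''@localhost` from the default connection and expecting `set role` to succeed), plus `select current_role();` after the failing statement to confirm that no role became active. A short comment above `connect (c,localhost,c,,,,,);` would make the authorization scenario explicit for the next reader, for example `# c connecting from localhost is matched to ''@localhost, so the grant of r1 to c must not apply`.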
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index adc073f7117..879316f1da3 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -1871,7 +1871,9 @@ int acl_check_setrole(THD *thd, char *rolename, ulonglong *access)
continue;
acl_user= (ACL_USER *)acl_user_base;
- if (acl_user->wild_eq(thd->security_ctx->user, thd->security_ctx->host))
+ /* Yes! priv_user@host. Don't ask why - that's what check_access() does. */
+ if (acl_user->wild_eq(thd->security_ctx->priv_user,
+ thd->security_ctx->host))
{
is_granted= TRUE;
break;