diff options
| -rw-r--r-- | mysql-test/r/acl_roles_show_grants.result | 4 | ||||
| -rw-r--r-- | mysql-test/t/acl_roles_show_grants.test | 1 | ||||
| -rw-r--r-- | sql/item_strfunc.cc | 11 | ||||
| -rw-r--r-- | sql/set_var.cc | 7 | ||||
| -rw-r--r-- | sql/sql_acl.cc | 39 | ||||
| -rw-r--r-- | sql/sql_acl.h | 10 | ||||
| -rw-r--r-- | sql/sql_parse.cc | 10 | ||||
| -rw-r--r-- | sql/sql_yacc.yy | 52 |
8 files changed, 67 insertions, 67 deletions
diff --git a/mysql-test/r/acl_roles_show_grants.result b/mysql-test/r/acl_roles_show_grants.result index 7ac434385a7..8a4934bea4e 100644 --- a/mysql-test/r/acl_roles_show_grants.result +++ b/mysql-test/r/acl_roles_show_grants.result @@ -61,9 +61,9 @@ GRANT test_role1 TO 'test_user'@'localhost' GRANT test_role2 TO 'test_user'@'localhost' show grants for test_user@localhost; Grants for test_user@localhost -GRANT test_role2 TO 'test_user'@'localhost' -GRANT test_role1 TO 'test_user'@'localhost' GRANT USAGE ON *.* TO 'test_user'@'localhost' +GRANT test_role1 TO 'test_user'@'localhost' +GRANT test_role2 TO 'test_user'@'localhost' show grants for test_role1; ERROR 42000: Access denied for user 'test_user'@'localhost' to database 'mysql' show grants for test_role2; diff --git a/mysql-test/t/acl_roles_show_grants.test b/mysql-test/t/acl_roles_show_grants.test index 5cc11be6d40..287ad445fda 100644 --- a/mysql-test/t/acl_roles_show_grants.test +++ b/mysql-test/t/acl_roles_show_grants.test @@ -40,6 +40,7 @@ select current_user(), current_role(); --sorted_result show grants; +--sorted_result show grants for test_user@localhost; --error ER_DBACCESS_DENIED_ERROR show grants for test_role1; diff --git a/sql/item_strfunc.cc b/sql/item_strfunc.cc index 66fae0bed10..4f2c10c37ef 100644 --- a/sql/item_strfunc.cc +++ b/sql/item_strfunc.cc @@ -2345,9 +2345,16 @@ bool Item_func_current_role::fix_fields(THD *thd, Item **ref) Security_context *ctx= context->security_ctx ? context->security_ctx : thd->security_ctx; - const char *role= ctx->priv_role[0] ? ctx->priv_role : NONE_ROLE; + LEX_STRING role; + if (ctx->priv_role[0]) + { + role.str= ctx->priv_role; + role.length= strlen(role.str); + } + else + role= none_role; - if (str_value.copy(role, strlen(role), system_charset_info)) + if (str_value.copy(role.str, role.length, system_charset_info)) return 1; str_value.mark_as_const(); diff --git a/sql/set_var.cc b/sql/set_var.cc index 33c360ae785..4eb53dd04f4 100644 --- a/sql/set_var.cc +++ b/sql/set_var.cc @@ -841,12 +841,9 @@ int set_var_password::check(THD *thd) user->host.length= strlen(thd->security_ctx->priv_host); } else - { - user->host.str= (char *)"%"; - user->host.length= 1; - } + user->host= host_not_specified; } - if (!user->user.str) + if (user->user.str == current_user.str) { DBUG_ASSERT(thd->security_ctx->user); user->user.str= (char *) thd->security_ctx->user; diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc index d1146a99113..2bba65b8c9b 100644 --- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc @@ -188,17 +188,19 @@ LEX_STRING *default_auth_plugin_name= &native_password_plugin_name; Constant used for differentiating specified user names and non specified usernames. Example: userA -- userA@% */ -const char *HOST_NOT_SPECIFIED= "%"; +LEX_STRING host_not_specified= { C_STRING_WITH_LEN("%") }; /* Constant used in the SET ROLE NONE command */ -const char *NONE_ROLE= "NONE"; +LEX_STRING none_role= { C_STRING_WITH_LEN("NONE") }; /* - Constants, used in the SHOW GRANTS command + Constants, used in the SHOW GRANTS command. + Their actual string values are irrelevant, they're always compared + as pointers to these string constants. */ -LEX_USER current_user; -LEX_USER current_role; -LEX_USER current_user_and_current_role; +LEX_STRING current_user= { C_STRING_WITH_LEN("*current_user") }; +LEX_STRING current_role= { C_STRING_WITH_LEN("*current_role") }; +LEX_STRING current_user_and_current_role= { C_STRING_WITH_LEN("*current_user_and_current_role") }; #ifndef NO_EMBEDDED_ACCESS_CHECKS @@ -5178,7 +5180,7 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list) List_iterator <LEX_USER> user_list(list); granted_role= user_list++; - if (granted_role == ¤t_role) + if (granted_role->user.str == current_role.str) { rolename= thd->security_ctx->priv_role; if (!rolename[0]) @@ -5206,7 +5208,7 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list) { handle_as_role= FALSE; /* current_role is treated slightly different */ - if (user == ¤t_role) + if (user->user.str == current_role.str) { handle_as_role= TRUE; /* current_role is NONE */ @@ -5223,7 +5225,7 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list) continue; } /* can not grant current_role to current_role */ - if (granted_role == ¤t_role) + if (granted_role->user.str == current_role.str) { append_user(&wrong_users, thd->security_ctx->priv_role, "", TRUE); result= 1; @@ -5236,7 +5238,7 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list) { username= user->user.str; hostname= user->host.str; - if (hostname == HOST_NOT_SPECIFIED) + if (user->host.str == host_not_specified.str) { if ((role_as_user= find_acl_role(username))) { @@ -5388,7 +5390,7 @@ bool mysql_grant(THD *thd, const char *db, List <LEX_USER> &list, They did GRANT ... TO CURRENT_USER() IDENTIFIED BY ... ! Get the current user, and shallow-copy the new password to them! */ - if (!tmp_Str->user.str && tmp_Str->password.str) + if (tmp_Str->user.str == current_user.str && tmp_Str->password.str) Str->password= tmp_Str->password; if (replace_user_table(thd, tables[0].table, *Str, (!db ? rights : 0), revoke_grant, create_new_users, @@ -6708,23 +6710,24 @@ bool mysql_show_grants(THD *thd, LEX_USER *lex_user) mysql_rwlock_rdlock(&LOCK_grant); mysql_mutex_lock(&acl_cache->lock); - if (lex_user == ¤t_user || lex_user == ¤t_role || - lex_user == ¤t_user_and_current_role) + if (lex_user->user.str == current_user.str || + lex_user->user.str == current_role.str || + lex_user->user.str == current_user_and_current_role.str) { username= thd->security_ctx->priv_user; hostname= thd->security_ctx->priv_host; rolename= thd->security_ctx->priv_role; } - if (lex_user == ¤t_user) + if (lex_user->user.str == current_user.str) { print_user_entry= TRUE; } - else if (lex_user == ¤t_role) + else if (lex_user->user.str == current_role.str) { print_role_entry= TRUE; } - else if (lex_user == ¤t_user_and_current_role) + else if (lex_user->user.str == current_user_and_current_role.str) { print_user_entry= TRUE; print_role_entry= TRUE; @@ -6732,7 +6735,7 @@ bool mysql_show_grants(THD *thd, LEX_USER *lex_user) else { /* this lex_user could represent a role */ - if (lex_user->host.str == HOST_NOT_SPECIFIED && + if (lex_user->host.str == host_not_specified.str && find_acl_role(lex_user->user.str)) { rolename= lex_user->user.str; @@ -6854,7 +6857,7 @@ bool mysql_show_grants(THD *thd, LEX_USER *lex_user) } else { - if (lex_user == ¤t_role) + if (lex_user->user.str == current_role.str) { mysql_mutex_unlock(&acl_cache->lock); mysql_rwlock_unlock(&LOCK_grant); diff --git a/sql/sql_acl.h b/sql/sql_acl.h index 8a2054cee90..8a6c6cba307 100644 --- a/sql/sql_acl.h +++ b/sql/sql_acl.h @@ -173,11 +173,11 @@ enum mysql_db_table_field extern const TABLE_FIELD_DEF mysql_db_table_def; extern bool mysql_user_table_is_in_short_password_format; -extern const char *HOST_NOT_SPECIFIED; -extern const char *NONE_ROLE; -extern LEX_USER current_user; -extern LEX_USER current_role; -extern LEX_USER current_user_and_current_role; +extern LEX_STRING host_not_specified; +extern LEX_STRING none_role; +extern LEX_STRING current_user; +extern LEX_STRING current_role; +extern LEX_STRING current_user_and_current_role; static inline int access_denied_error_code(int passwd_used) diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc index 997ba7f97ea..24b4fd0fc27 100644 --- a/sql/sql_parse.cc +++ b/sql/sql_parse.cc @@ -4004,11 +4004,11 @@ end_with_restore_list: if (grant_user->user.str && !strcmp(thd->security_ctx->priv_user, grant_user->user.str)) - grant_user= ¤t_user; + grant_user->user= current_user; - if (grant_user == ¤t_user || - grant_user == ¤t_role || - grant_user == ¤t_user_and_current_role || + if (grant_user->user.str == current_user.str || + grant_user->user.str == current_role.str || + grant_user->user.str == current_user_and_current_role.str || !check_access(thd, SELECT_ACL, "mysql", NULL, NULL, 1, 0)) { res = mysql_show_grants(thd, grant_user); @@ -7757,7 +7757,7 @@ LEX_USER *create_definer(THD *thd, LEX_STRING *user_name, LEX_STRING *host_name) LEX_USER *get_current_user(THD *thd, LEX_USER *user) { - if (user == ¤t_user) // current_user + if (user->user.str == current_user.str) // current_user return create_default_definer(thd); return user; diff --git a/sql/sql_yacc.yy b/sql/sql_yacc.yy index 9ed7e8e8173..4607b49dcd9 100644 --- a/sql/sql_yacc.yy +++ b/sql/sql_yacc.yy @@ -1570,7 +1570,7 @@ bool my_yyoverflow(short **a, YYSTYPE **b, ulong *yystacksize); %type <symbol> keyword keyword_sp -%type <lex_user> user grant_user grant_role user_or_role +%type <lex_user> user grant_user grant_role user_or_role current_role %type <charset> opt_collate @@ -11766,22 +11766,16 @@ show_param: } | GRANTS { - LEX *lex=Lex; - lex->sql_command= SQLCOM_SHOW_GRANTS; - lex->grant_user= ¤t_user_and_current_role; + Lex->sql_command= SQLCOM_SHOW_GRANTS; + if (!(Lex->grant_user= (LEX_USER*)thd->alloc(sizeof(LEX_USER)))) + MYSQL_YYABORT; + Lex->grant_user->user= current_user_and_current_role; } - | GRANTS FOR_SYM user + | GRANTS FOR_SYM user_or_role { LEX *lex=Lex; lex->sql_command= SQLCOM_SHOW_GRANTS; lex->grant_user=$3; - lex->grant_user->password=null_lex_str; - } - | GRANTS FOR_SYM CURRENT_ROLE optional_braces - { - LEX *lex=Lex; - lex->sql_command= SQLCOM_SHOW_GRANTS; - lex->grant_user= ¤t_role; } | CREATE DATABASE opt_if_not_exists ident { @@ -13179,8 +13173,7 @@ user: if (!($$=(LEX_USER*) thd->alloc(sizeof(st_lex_user)))) MYSQL_YYABORT; $$->user = $1; - $$->host.str= (char *)HOST_NOT_SPECIFIED; - $$->host.length= 1; + $$->host= host_not_specified; $$->password= null_lex_str; $$->plugin= empty_lex_str; $$->auth= empty_lex_str; @@ -13213,19 +13206,13 @@ user: } | CURRENT_USER optional_braces { - $$= ¤t_user; + if (!($$=(LEX_USER*)thd->calloc(sizeof(LEX_USER)))) + MYSQL_YYABORT; + $$->user= current_user; } ; -user_or_role: - user - { - $$=$1; - } - | CURRENT_ROLE optional_braces - { - $$= ¤t_role; - } +user_or_role: user | current_role; /* Keyword that we allow for identifiers (except SP labels) */ keyword: @@ -14337,14 +14324,22 @@ role_list: } ; +current_role: + CURRENT_ROLE optional_braces + { + if (!($$=(LEX_USER*) thd->alloc(sizeof(LEX_USER)))) + MYSQL_YYABORT; + $$->user= current_role; + } + ; + grant_role: ident_or_text { if (!($$=(LEX_USER*) thd->alloc(sizeof(st_lex_user)))) MYSQL_YYABORT; $$->user = $1; - $$->host.str= (char *)HOST_NOT_SPECIFIED; - $$->host.length= 1; + $$->host= host_not_specified; $$->password= null_lex_str; $$->plugin= empty_lex_str; $$->auth= empty_lex_str; @@ -14354,10 +14349,7 @@ grant_role: system_charset_info, 0)) MYSQL_YYABORT; } - | CURRENT_ROLE optional_braces - { - $$=¤t_role; - } + | current_role ; opt_table: |