Diffstat (limited to 'sql/sql_acl.cc')
-rw-r--r--sql/sql_acl.cc65
1 files changed, 27 insertions, 38 deletions
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index e4e616178d0..894988c4931 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -4102,13 +4102,15 @@ static int replace_user_table(THD *thd, const User_table &user_table,
table->key_info->key_length);
if (table->file->ha_index_read_idx_map(table->record[0], 0, user_key,
- HA_WHOLE_KEY,
- HA_READ_KEY_EXACT))
+ HA_WHOLE_KEY, HA_READ_KEY_EXACT))
{
/* what == 'N' means revoke */
if (what == 'N')
{
- my_error(ER_NONEXISTING_GRANT, MYF(0), combo.user.str, combo.host.str);
+ if (combo.host.length)
+ my_error(ER_NONEXISTING_GRANT, MYF(0), combo.user.str, combo.host.str);
+ else
+ my_error(ER_INVALID_ROLE, MYF(0), combo.user.str);
goto end;
}
/*
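Review bot: The revoke error now branches on `combo.host.length` with no comment saying what an empty host means, so a reader has to infer that a zero-length host marks a role rather than a user@host pair. A one-line comment above the new branch, `/* an empty host means combo names a role, not a user@host pair */`, would make the choice of ER_INVALID_ROLE self-explaining; that reading is inferred from the error codes and should be checked against the surrounding code, which this hunk does not show. replace_user_table continues outside the hunk on both sides.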
@@ -5623,6 +5625,8 @@ static void propagate_role_grants(ACL_ROLE *role,
enum PRIVS_TO_MERGE::what what,
const char *db= 0, const char *name= 0)
{
+ if (!role)
+ return;
mysql_mutex_assert_owner(&acl_cache->lock);
PRIVS_TO_MERGE data= { what, db, name };
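Review bot: The new `if (!role) return;` silently turns a NULL role into a no-op, which makes a failed role lookup in a caller indistinguishable from a role with nothing to propagate. If NULL is a legitimate input here, a comment naming the situation would help the next reader, e.g. `/* NULL role: nothing to propagate (caller may pass an unresolved role) */`; if it is not, a DBUG_ASSERT would be the safer choice. The early return also skips the mutex-owner assertion on the following line for that path, which is probably harmless but worth knowing. The body of propagate_role_grants continues past the hunk.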
@@ -7796,6 +7800,21 @@ err:
}
+static void check_grant_column_int(GRANT_TABLE *grant_table, const char *name,
+ uint length, ulong *want_access)
+{
+ if (grant_table)
+ {
+ *want_access&= ~grant_table->privs;
+ if (*want_access & grant_table->cols)
+ {
+ GRANT_COLUMN *grant_column= column_hash_search(grant_table, name, length);
+ if (grant_column)
+ *want_access&= ~grant_column->rights;
+ }
+ }
+}
+
/*
Check column rights in given security context
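Review bot: check_grant_column_int has no header comment, and its contract is not obvious: it first clears the bits granted at table level (`grant_table->privs`), which the removed column-check code in check_grant_column did not do, and only then consults the column hash, and only when a still-wanted bit is in `grant_table->cols`. Since this function decides whether column access is granted, the widening to table-level privs deserves an explicit sentence so a later reader does not take it for an accident; a short comment above the function such as "Clear from *want_access every privilege granted on the whole table and, for the remaining bits that are grantable per column, on this column; a NULL grant_table leaves *want_access unchanged" states it. Skipping the lookup when `!(*want_access & grant_table->cols)` is presumably equivalent to the old unconditional lookup, assuming a column's rights are always a subset of cols; that assumption is worth confirming or recording in the same comment.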
@@ -7818,9 +7837,6 @@ bool check_grant_column(THD *thd, GRANT_INFO *grant,
const char *db_name, const char *table_name,
const char *name, uint length, Security_context *sctx)
{
- GRANT_TABLE *grant_table;
- GRANT_TABLE *grant_table_role;
- GRANT_COLUMN *grant_column;
ulong want_access= grant->want_privilege & ~grant->privilege;
DBUG_ENTER("check_grant_column");
DBUG_PRINT("enter", ("table: %s want_access: %lu", table_name, want_access));
@@ -7845,45 +7861,18 @@ bool check_grant_column(THD *thd, GRANT_INFO *grant,
grant->version= grant_version; /* purecov: inspected */
}
- grant_table= grant->grant_table_user;
- grant_table_role= grant->grant_table_role;
+ check_grant_column_int(grant->grant_table_user, name, length, &want_access);
+ check_grant_column_int(grant->grant_table_role, name, length, &want_access);
- if (!grant_table && !grant_table_role)
- goto err;
-
- if (grant_table)
- {
- grant_column= column_hash_search(grant_table, name, length);
- if (grant_column)
- {
- want_access&= ~grant_column->rights;
- }
- }
- if (grant_table_role)
- {
- grant_column= column_hash_search(grant_table_role, name, length);
- if (grant_column)
- {
- want_access&= ~grant_column->rights;
- }
- }
+ mysql_rwlock_unlock(&LOCK_grant);
if (!want_access)
- {
- mysql_rwlock_unlock(&LOCK_grant);
DBUG_RETURN(0);
- }
-err:
- mysql_rwlock_unlock(&LOCK_grant);
char command[128];
get_privilege_desc(command, sizeof(command), want_access);
/* TODO perhaps error should print current rolename aswell */
- my_error(ER_COLUMNACCESS_DENIED_ERROR, MYF(0),
- command,
- sctx->priv_user,
- sctx->host_or_ip,
- name,
- table_name);
+ my_error(ER_COLUMNACCESS_DENIED_ERROR, MYF(0), command, sctx->priv_user,
+ sctx->host_or_ip, name, table_name);
DBUG_RETURN(1);
}
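Review bot: After the two check_grant_column_int calls the function no longer distinguishes "no grant table at all" from "grant tables present but insufficient"; both fall through to the same ER_COLUMNACCESS_DENIED_ERROR with the unreduced want_access, which matches the removed `goto err` path but is no longer visible in the code. A comment after the second call, `/* no user or role grant table: want_access is left as is and reported below */`, would keep that reasoning in place. Moving `mysql_rwlock_unlock(&LOCK_grant)` ahead of the early return is an improvement, since every path now releases the lock exactly once; the later reads of `sctx->priv_user` and `sctx->host_or_ip` happen outside the lock, as they did before. The enclosing function begins outside this hunk.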