Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
M
mariadb
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Kirill Smelkov
mariadb
Commits
bbe1d370
Commit
bbe1d370
authored
Sep 27, 2007
by
gkodinov/kgeorge@magare.gmz
Browse files
Options
Browse Files
Download
Plain Diff
Merge gkodinov@bk-internal.mysql.com:/home/bk/mysql-5.0-opt
into magare.gmz:/home/kgeorge/mysql/autopush/B30468-5.0-opt
parents
4cd18bde
fb3b1217
Changes
6
Hide whitespace changes
Inline
Side-by-side
Showing
6 changed files
with
122 additions
and
47 deletions
+122
-47
mysql-test/r/grant2.result
mysql-test/r/grant2.result
+18
-0
mysql-test/t/grant2.test
mysql-test/t/grant2.test
+32
-0
sql/sql_acl.cc
sql/sql_acl.cc
+66
-35
sql/sql_acl.h
sql/sql_acl.h
+2
-3
sql/sql_base.cc
sql/sql_base.cc
+1
-4
sql/sql_insert.cc
sql/sql_insert.cc
+3
-5
No files found.
mysql-test/r/grant2.result
View file @
bbe1d370
...
...
@@ -421,4 +421,22 @@ revoke all privileges, grant option from mysqltest_1@localhost;
revoke all privileges, grant option from mysqltest_2@localhost;
drop user mysqltest_1@localhost;
drop user mysqltest_2@localhost;
CREATE DATABASE db1;
USE db1;
CREATE TABLE t1 (a INT, b INT);
INSERT INTO t1 VALUES (1,1),(2,2);
CREATE TABLE t2 (b INT, c INT);
INSERT INTO t2 VALUES (1,100),(2,200);
GRANT SELECT ON t1 TO mysqltest1@localhost;
GRANT SELECT (b) ON t2 TO mysqltest1@localhost;
USE db1;
SELECT c FROM t2;
ERROR 42000: SELECT command denied to user 'mysqltest1'@'localhost' for column 'c' in table 't2'
SELECT * FROM t2;
ERROR 42000: SELECT command denied to user 'mysqltest1'@'localhost' for column 'c' in table 't2'
SELECT * FROM t1 JOIN t2 USING (b);
ERROR 42000: SELECT command denied to user 'mysqltest1'@'localhost' for column 'c' in table 't2'
DROP TABLE db1.t1, db1.t2;
DROP USER mysqltest1@localhost;
DROP DATABASE db1;
End of 5.0 tests
mysql-test/t/grant2.test
View file @
bbe1d370
...
...
@@ -585,5 +585,37 @@ drop user mysqltest_1@localhost;
drop
user
mysqltest_2
@
localhost
;
#
# Bug #30468: column level privileges not respected when joining tables
#
CREATE
DATABASE
db1
;
USE
db1
;
CREATE
TABLE
t1
(
a
INT
,
b
INT
);
INSERT
INTO
t1
VALUES
(
1
,
1
),(
2
,
2
);
CREATE
TABLE
t2
(
b
INT
,
c
INT
);
INSERT
INTO
t2
VALUES
(
1
,
100
),(
2
,
200
);
GRANT
SELECT
ON
t1
TO
mysqltest1
@
localhost
;
GRANT
SELECT
(
b
)
ON
t2
TO
mysqltest1
@
localhost
;
connect
(
conn1
,
localhost
,
mysqltest1
,,);
connection
conn1
;
USE
db1
;
--
error
ER_COLUMNACCESS_DENIED_ERROR
SELECT
c
FROM
t2
;
--
error
ER_COLUMNACCESS_DENIED_ERROR
SELECT
*
FROM
t2
;
--
error
ER_COLUMNACCESS_DENIED_ERROR
SELECT
*
FROM
t1
JOIN
t2
USING
(
b
);
connection
default
;
disconnect
conn1
;
DROP
TABLE
db1
.
t1
,
db1
.
t2
;
DROP
USER
mysqltest1
@
localhost
;
DROP
DATABASE
db1
;
--
echo
End
of
5.0
tests
sql/sql_acl.cc
View file @
bbe1d370
...
...
@@ -3835,50 +3835,81 @@ bool check_column_grant_in_table_ref(THD *thd, TABLE_LIST * table_ref,
}
bool
check_grant_all_columns
(
THD
*
thd
,
ulong
want_access
,
GRANT_INFO
*
grant
,
const
char
*
db_name
,
const
char
*
table_name
,
Field_iterator
*
fields
)
/**
@brief check if a query can access a set of columns
@param thd the current thread
@param want_access_arg the privileges requested
@param fields an iterator over the fields of a table reference.
@return Operation status
@retval 0 Success
@retval 1 Falure
@details This function walks over the columns of a table reference
The columns may originate from different tables, depending on the kind of
table reference, e.g. join.
For each table it will retrieve the grant information and will use it
to check the required access privileges for the fields requested from it.
*/
bool
check_grant_all_columns
(
THD
*
thd
,
ulong
want_access_arg
,
Field_iterator_table_ref
*
fields
)
{
Security_context
*
sctx
=
thd
->
security_ctx
;
GRANT_TABLE
*
grant_table
;
GRANT_COLUMN
*
grant_column
;
ulong
want_access
=
want_access_arg
;
const
char
*
table_name
=
NULL
;
want_access
&=
~
grant
->
privilege
;
if
(
!
want_access
)
return
0
;
// Already checked
if
(
!
grant_option
)
goto
err2
;
if
(
grant_option
)
{
const
char
*
db_name
;
GRANT_INFO
*
grant
;
GRANT_TABLE
*
grant_table
;
rw_rdlock
(
&
LOCK_grant
);
rw_rdlock
(
&
LOCK_grant
);
/* reload table if someone has modified any grants */
for
(;
!
fields
->
end_of_fields
();
fields
->
next
())
{
const
char
*
field_name
=
fields
->
name
();
if
(
grant
->
version
!=
grant_version
)
{
grant
->
grant_table
=
table_hash_search
(
sctx
->
host
,
sctx
->
ip
,
db_name
,
sctx
->
priv_user
,
table_name
,
0
);
/* purecov: inspected */
grant
->
version
=
grant_version
;
/* purecov: inspected */
}
/* The following should always be true */
if
(
!
(
grant_table
=
grant
->
grant_table
))
goto
err
;
/* purecov: inspected */
if
(
table_name
!=
fields
->
table_name
())
{
table_name
=
fields
->
table_name
();
db_name
=
fields
->
db_name
();
grant
=
fields
->
grant
();
/* get a fresh one for each table */
want_access
=
want_access_arg
&
~
grant
->
privilege
;
if
(
want_access
)
{
/* reload table if someone has modified any grants */
if
(
grant
->
version
!=
grant_version
)
{
grant
->
grant_table
=
table_hash_search
(
sctx
->
host
,
sctx
->
ip
,
db_name
,
sctx
->
priv_user
,
table_name
,
0
);
/* purecov: inspected */
grant
->
version
=
grant_version
;
/* purecov: inspected */
}
for
(;
!
fields
->
end_of_fields
();
fields
->
next
())
{
const
char
*
field_name
=
fields
->
name
();
grant_column
=
column_hash_search
(
grant_table
,
field_name
,
(
uint
)
strlen
(
field_name
));
if
(
!
grant_column
||
(
~
grant_column
->
rights
&
want_access
))
goto
err
;
}
rw_unlock
(
&
LOCK_grant
);
return
0
;
DBUG_ASSERT
((
grant_table
=
grant
->
grant_table
)
!=
NULL
);
}
}
if
(
want_access
)
{
GRANT_COLUMN
*
grant_column
=
column_hash_search
(
grant_table
,
field_name
,
(
uint
)
strlen
(
field_name
));
if
(
!
grant_column
||
(
~
grant_column
->
rights
&
want_access
))
goto
err
;
}
}
rw_unlock
(
&
LOCK_grant
);
return
0
;
err:
rw_unlock
(
&
LOCK_grant
);
err2:
rw_unlock
(
&
LOCK_grant
);
}
else
table_name
=
fields
->
table_name
();
char
command
[
128
];
get_privilege_desc
(
command
,
sizeof
(
command
),
want_access
);
my_error
(
ER_COLUMNACCESS_DENIED_ERROR
,
MYF
(
0
),
...
...
sql/sql_acl.h
View file @
bbe1d370
...
...
@@ -205,9 +205,8 @@ bool check_grant_column (THD *thd, GRANT_INFO *grant,
const
char
*
name
,
uint
length
,
Security_context
*
sctx
);
bool
check_column_grant_in_table_ref
(
THD
*
thd
,
TABLE_LIST
*
table_ref
,
const
char
*
name
,
uint
length
);
bool
check_grant_all_columns
(
THD
*
thd
,
ulong
want_access
,
GRANT_INFO
*
grant
,
const
char
*
db_name
,
const
char
*
table_name
,
Field_iterator
*
fields
);
bool
check_grant_all_columns
(
THD
*
thd
,
ulong
want_access
,
Field_iterator_table_ref
*
fields
);
bool
check_grant_routine
(
THD
*
thd
,
ulong
want_access
,
TABLE_LIST
*
procs
,
bool
is_proc
,
bool
no_error
);
bool
check_grant_db
(
THD
*
thd
,
const
char
*
db
);
...
...
sql/sql_base.cc
View file @
bbe1d370
...
...
@@ -5414,10 +5414,7 @@ insert_fields(THD *thd, Name_resolution_context *context, const char *db_name,
!
any_privileges
)
{
field_iterator
.
set
(
tables
);
if
(
check_grant_all_columns
(
thd
,
SELECT_ACL
,
field_iterator
.
grant
(),
field_iterator
.
db_name
(),
field_iterator
.
table_name
(),
&
field_iterator
))
if
(
check_grant_all_columns
(
thd
,
SELECT_ACL
,
&
field_iterator
))
DBUG_RETURN
(
TRUE
);
}
#endif
...
...
sql/sql_insert.cc
View file @
bbe1d370
...
...
@@ -189,11 +189,9 @@ static int check_insert_fields(THD *thd, TABLE_LIST *table_list,
#ifndef NO_EMBEDDED_ACCESS_CHECKS
if
(
grant_option
)
{
Field_iterator_table
field_it
;
field_it
.
set_table
(
table
);
if
(
check_grant_all_columns
(
thd
,
INSERT_ACL
,
&
table
->
grant
,
table
->
s
->
db
,
table
->
s
->
table_name
,
&
field_it
))
Field_iterator_table_ref
field_it
;
field_it
.
set
(
table_list
);
if
(
check_grant_all_columns
(
thd
,
INSERT_ACL
,
&
field_it
))
return
-
1
;
}
#endif
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment