Merge ahristov@bk-internal.mysql.com:/home/bk/mysql-5.1-runtime

into lmy004.:/work/mysql-5.1-runtime-bug18897

mysql-test/r/events_bugs.result

@@ -178,4 +178,27 @@ drop procedure ee_16407_6_pendant;
 set global event_scheduler= 2;
 drop table events_smode_test;
 set sql_mode=@old_sql_mode;
+set global event_scheduler=2;
+delete from mysql.user where User like 'mysqltest_%';
+delete from mysql.db where User like 'mysqltest_%';
+flush privileges;
+drop database if exists mysqltest_db1;
+create user mysqltest_user1@localhost;
+create database mysqltest_db1;
+grant event on events_test.* to mysqltest_user1@localhost;
+create event mysqltest_user1 on schedule every 10 second do select 42;
+alter event mysqltest_user1 rename to mysqltest_db1.mysqltest_user1;
+ERROR 42000: Access denied for user 'mysqltest_user1'@'localhost' to database 'mysqltest_db1'
+"Let's test now rename when there is no select DB"
+select database();
+database()
+NULL
+alter event events_test.mysqltest_user1 rename to mysqltest_user1;
+ERROR 3D000: No database selected
+select event_schema, event_name, definer, event_type, status from information_schema.events;
+event_schema	event_name	definer	event_type	status
+events_test	mysqltest_user1	mysqltest_user1@localhost	RECURRING	ENABLED
+drop event events_test.mysqltest_user1;
+drop user mysqltest_user1@localhost;
+drop database mysqltest_db1;
 drop database events_test;

mysql-test/t/events_bugs.test

@@ -175,4 +175,38 @@ set sql_mode=@old_sql_mode;
 #
 # End  - 16407: Events: Changes in sql_mode won't be taken into account  
 #
+
+#
+# START - 18897: Events: unauthorized action possible with alter event rename
+#
+set global event_scheduler=2;
+--disable_warnings
+delete from mysql.user where User like 'mysqltest_%';
+delete from mysql.db where User like 'mysqltest_%';
+flush privileges;
+drop database if exists mysqltest_db1;
+--enable_warnings
+create user mysqltest_user1@localhost;
+create database mysqltest_db1;
+grant event on events_test.* to mysqltest_user1@localhost;
+connect (conn2,localhost,mysqltest_user1,,events_test);
+create event mysqltest_user1 on schedule every 10 second do select 42;
+--error ER_DBACCESS_DENIED_ERROR
+alter event mysqltest_user1 rename to mysqltest_db1.mysqltest_user1;
+--echo "Let's test now rename when there is no select DB"
+disconnect conn2;
+connect (conn2,localhost,mysqltest_user1,,*NO-ONE*);
+select database();
+--error ER_NO_DB_ERROR
+alter event events_test.mysqltest_user1 rename to mysqltest_user1;
+select event_schema, event_name, definer, event_type, status from information_schema.events;
+drop event events_test.mysqltest_user1;
+disconnect conn2;
+connection default;
+drop user mysqltest_user1@localhost;
+drop database mysqltest_db1;
+#
+# END   - 18897: Events: unauthorized action possible with alter event rename
+#
+
 drop database events_test;

sql/sql_parse.cc

@@ -3824,7 +3824,9 @@ end_with_restore_list:
     uint rows_affected= 1;
     DBUG_ASSERT(lex->et);
     do {
-      if (! lex->et->dbname.str)
+      if (! lex->et->dbname.str ||
+          (lex->sql_command == SQLCOM_ALTER_EVENT && lex->spname &&
+           !lex->spname->m_db.str))
       {
         my_message(ER_NO_DB_ERROR, ER(ER_NO_DB_ERROR), MYF(0));
         res= true;
@@ -3832,7 +3834,10 @@ end_with_restore_list:
       }
 
       if (check_access(thd, EVENT_ACL, lex->et->dbname.str, 0, 0, 0,
-                       is_schema_db(lex->et->dbname.str)))
+                       is_schema_db(lex->et->dbname.str)) ||
+          (lex->sql_command == SQLCOM_ALTER_EVENT && lex->spname &&
+           (check_access(thd, EVENT_ACL, lex->spname->m_db.str, 0, 0, 0,
+                         is_schema_db(lex->spname->m_db.str)))))
         break;
 
       if (end_active_trans(thd))