Modified set_role_var to implement both a role check in the check() function,

as well as only set privileges in the update() function.

Modified set_role_var to implement both a role check in the check() function,
as well as only set privileges in the update() function.
db25d8f9 · Vicențiu Ciorbaru · Sergei Golubchik · 494f0117 · db25d8f9 · db25d8f9
Commit db25d8f9 authored Oct 17, 2013 by Vicențiu Ciorbaru Committed by Sergei Golubchik Oct 17, 2013
Hide whitespace changes
Inline Side-by-side

Showing with 31 additions and 14 deletions

sql/set_var.cc sql/set_var.cc +8 -2

sql/set_var.h sql/set_var.h +3 -3

sql/sql_acl.cc sql/sql_acl.cc +18 -8

sql/sql_acl.h sql/sql_acl.h +2 -1

No files found.
--- a/sql/set_var.cc
+++ b/sql/set_var.cc
@@ -876,14 +876,20 @@ int set_var_password::update(THD *thd)
 *****************************************************************************/
 int set_var_role::check(THD *thd)
 {
-  /* nothing to check */
+#ifndef NO_EMBEDDED_ACCESS_CHECKS
+  ulonglong access;
+  int status= acl_check_setrole(thd, base.str, &access);
+  save_result.ulonglong_value= access;
+  return status;
+#else
  return 0;
+#endif
 }

 int set_var_role::update(THD *thd)
 {
 #ifndef NO_EMBEDDED_ACCESS_CHECKS
-  return acl_setrole(thd, this->role.str);
+  return acl_setrole(thd, base.str, save_result.ulonglong_value);
 #else
  return 0;
 #endif

--- a/sql/set_var.h
+++ b/sql/set_var.h
@@ -278,11 +278,11 @@ public:

 /* For SET ROLE */

-class set_var_role: public set_var_base
+class set_var_role: public set_var
 {
-  LEX_STRING role;
 public:
-  set_var_role(LEX_STRING role_arg) : role(role_arg) {};
+  set_var_role(LEX_STRING role_arg) :
+    set_var(OPT_SESSION, NULL, &role_arg, NULL){};
  int check(THD *thd);
  int update(THD *thd);
 };

--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -1672,7 +1672,7 @@ bool acl_getroot(Security_context *sctx, char *user, char *host,
  DBUG_RETURN(res);
 }

-bool acl_setrole(THD *thd, char *rolename)
+int acl_check_setrole(THD *thd, char *rolename, ulonglong *access)
 {
  bool is_granted;
  int result= 0;
@@ -1693,8 +1693,8 @@ bool acl_setrole(THD *thd, char *rolename)
      my_error(ER_INVALID_CURRENT_USER, MYF(0), rolename);
      result= -1;
    }
-    else
-      thd->security_ctx->master_access= acl_user->access;
+    else if (access)
+      *access= acl_user->access;

    goto end;
  }
@@ -1728,16 +1728,26 @@ bool acl_setrole(THD *thd, char *rolename)
    goto end;
  }

-  /* merge the privileges */
-  thd->security_ctx->master_access= acl_user->access | role->access;
-  /* mark the current role */
-  strcpy(thd->security_ctx->priv_role, rolename);
-
+  if (access)
+  {
+    *access = acl_user->access | role->access;
+  }
 end:
  mysql_mutex_unlock(&acl_cache->lock);
  return result;
 }

+int acl_setrole(THD *thd, char *rolename, ulonglong access) {
+  /* merge the privileges */
+  thd->security_ctx->master_access= access;
+  /* mark the current role */
+  strmake(thd->security_ctx->priv_role, rolename,
+          sizeof(thd->security_ctx->priv_role)-1);
+  return 0;
+}
+
+
+
 static uchar* check_get_key(ACL_USER *buff, size_t *length,
                            my_bool not_used __attribute__((unused)))
 {

--- a/sql/sql_acl.h
+++ b/sql/sql_acl.h
@@ -382,5 +382,6 @@ get_cached_table_access(GRANT_INTERNAL_INFO *grant_internal_info,

 bool acl_check_proxy_grant_access (THD *thd, const char *host, const char *user,
                                   bool with_grant);
-bool acl_setrole(THD *thd, char *rolename);
+int acl_setrole(THD *thd, char *rolename, ulonglong access);
+int acl_check_setrole(THD *thd, char *rolename, ulonglong *access);
 #endif /* SQL_ACL_INCLUDED */