Hi, Alexander!
On Jul 26, Alexander Barkov wrote:
> > + if (!table || !table->mdl_ticket || table->mdl_ticket->get_type() ==
> > MDL_EXCLUSIVE)
> > + return check_access(thd, FILE_ACL, db, NULL, NULL, 0, 0);
> > + if (table->grant.privilege & FILE_ACL)
> > + return false;
> > + return true;
> >
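Review bot: The first `if` chooses between check_access() and table->grant.privilege according to whether the MDL ticket is MDL_EXCLUSIVE, and nothing in the hunk says why the lock type decides which privilege source is authoritative. A short comment above the condition would keep a later reader from merging the two branches again. The last three lines could also be written as `return !(table->grant.privilege & FILE_ACL);`.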
> > It passes your test case. In fact, your first fix passes it too :)
>
> Yeah, I guess my condition that switches between checking
> grant.privilege and doing check_access() was effectively the same.
> But your version looks simpler.
>
> > This one also passes the additional test I've added - where a user can
> > access the table, but view's definer cannot:
> >
> > --connection default
> > CREATE DEFINER=user@localhost SQL SECURITY DEFINER VIEW v1_baddefiner AS
> > SELECT * FROM t1;
> > --error ER_ACCESS_DENIED_ERROR
> > SELECT * FROM v1_baddefiner;
>
> This is a nice idea. Thanks.
Your first patch was

  if (table && table->grant.privilege & FILE_ACL)
    return false;
  return check_access(thd, FILE_ACL, db, NULL, NULL, 0, 0);

that is, it tried both table->grant.privilege and check_access(). We
agreed that it's wrong, but I wanted a test case for it.
> I just tried this:
>
> # Run this as root:
> DROP TABLE IF EXISTS t1;
> DROP PROCEDURE IF EXISTS p1;
> CREATE PROCEDURE p1() SQL SECURITY DEFINER
> CREATE TABLE t1 (a INT) ENGINE=CONNECT TABLE_TYPE=fix FILE_NAME='t1.fix';
>
> # Run this as a user with no FILE_ACL
> CALL p1();
>
> and it also worked as expected, CALL p1() succeeded.
>
> The patch is Ok. Thanks for help with this.
> Can you please push this?
Sure. Thanks!
But I'll add your SP test case too.
Regards,
Sergei
_______________________________________________
Mailing list: https://launchpad.net/~maria-developers
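An added model (not MariaDB code and not part of the thread) of the two patches discussed above, run against the v1_baddefiner and CALL p1() cases. The struct layouts, the FILE_ACL bit value, `check_access_model`, the `has_mdl_ticket` flag, and the premise that grant.privilege reflects the view definer while check_access() sees the active security context are assumptions made for illustration.

```cpp
#include <cstdint>
#include <cstdio>

// Constructed stand-ins for the server types named in the thread; the
// layouts and the FILE_ACL bit value are assumptions, not MariaDB's own.
constexpr uint32_t FILE_ACL = 1u << 0;
enum MdlType { MDL_SHARED_READ, MDL_EXCLUSIVE };

struct Table {
  bool has_mdl_ticket;       // stands in for a non-NULL table->mdl_ticket
  MdlType mdl_type;
  uint32_t grant_privilege;  // assumed: for a DEFINER view, the definer's rights
};
struct Thd { uint32_t active_privs; };  // assumed: active security context

// Models check_access(thd, FILE_ACL, ...): returns true when access is DENIED.
bool check_access_model(const Thd &thd, uint32_t want) {
  return (thd.active_privs & want) != want;
}

// The first patch: FILE from either source is enough.
bool first_patch_denies(const Thd &thd, const Table *t) {
  if (t && (t->grant_privilege & FILE_ACL)) return false;
  return check_access_model(thd, FILE_ACL);
}

// The final patch: exactly one source is consulted, chosen by lock type.
bool final_patch_denies(const Thd &thd, const Table *t) {
  if (!t || !t->has_mdl_ticket || t->mdl_type == MDL_EXCLUSIVE)
    return check_access_model(thd, FILE_ACL);
  return !(t->grant_privilege & FILE_ACL);
}

// v1_baddefiner: the caller holds FILE, the view's definer does not.
const Thd caller_with_file{FILE_ACL};
const Table via_bad_definer{true, MDL_SHARED_READ, 0};
// CALL p1(): assumed to reach the check under an exclusive lock while the
// procedure runs with its definer's (root's) privileges.
const Thd running_as_definer{FILE_ACL};
const Table being_created{true, MDL_EXCLUSIVE, 0};

int main() {
  std::printf("view, first patch denies: %d\n", first_patch_denies(caller_with_file, &via_bad_definer));
  std::printf("view, final patch denies: %d\n", final_patch_denies(caller_with_file, &via_bad_definer));
  std::printf("SP,   final patch denies: %d\n", final_patch_denies(running_as_definer, &being_created));
  return 0;
}
```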