Hi, Alexander!

On Jul 26, Alexander Barkov wrote:
+ if (!table || !table->mdl_ticket || table->mdl_ticket->get_type() == MDL_EXCLUSIVE) + return check_access(thd, FILE_ACL, db, NULL, NULL, 0, 0); + if (table->grant.privilege & FILE_ACL) + return false; + return true;
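Review bot: The first condition, on table->mdl_ticket->get_type() == MDL_EXCLUSIVE (together with the missing table or ticket cases), decides whether FILE_ACL is taken from check_access() or from table->grant.privilege, and nothing in the hunk says why those cases must use check_access() while the rest use the table grant. A short comment above the condition naming the two cases would help, since the earlier version that consulted both sources was judged wrong in this thread. As a style point, the last three lines could be a single return of !(table->grant.privilege & FILE_ACL).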
It passes your test case. In fact, your first fix passes it too :)
Yeah, I guess my condition that switches between checking grant.privilege and doing check_access() was effectively the same. But your version looks simpler.
This one also passes the additional test I've added - where a user can access the table, but view's definer cannot:
  --connection default
  CREATE DEFINER=user@localhost SQL SECURITY DEFINER VIEW v1_baddefiner AS SELECT * FROM t1;
  --error ER_ACCESS_DENIED_ERROR
  SELECT * FROM v1_baddefiner;
This is a nice idea. Thanks.
Your first patch was

  if (table && table->grant.privilege & FILE_ACL)
    return false;
  return check_access(thd, FILE_ACL, db, NULL, NULL, 0, 0);

that is, it tried both table->grant.privilege and check_access(). We agreed that it's wrong, but I wanted a test case for it.
I just tried this:
  # Run this as root:
  DROP TABLE IF EXISTS t1;
  DROP PROCEDURE IF EXISTS p1;
  CREATE PROCEDURE p1() SQL SECURITY DEFINER
    CREATE TABLE t1 (a INT) ENGINE=CONNECT TABLE_TYPE=fix FILE_NAME='t1.fix';

  # Run this as a user with no FILE_ACL
  CALL p1();
and it also worked as expected, CALL p1() succeeded.
The patch is Ok. Thanks for help with this. Can you please push this?
Sure. Thanks! But I'll add your SP test case too.

Regards,
Sergei