Hi! On Sat, Jun 13, 2020 at 5:37 PM Sergei Golubchik <serg@mariadb.org> wrote: <cut>
DROP VIEW IF EXISTS t1; Warnings: +Warning 1347 'test.t1' is not of type 'VIEW'
please, add a test for the case when a user has no privileges on test.t1, the object existence is not leaked out (if one has no privileges to know whether t1 exists or whether t1 is a view or a table, the error message should not divulge it).
(the same for tables and for sequences in your next commit)
I was about to create a test do that, but then I started to think that we only have a drop privilege that works for 'anything with this name This means that if one is allowed to drop a view named 't1', one is also allowed to drop a table named t1. This also means that I don't know what to add to the test. The privileges are checked first and if one tries to drop an object that one is not allowed to access, one will get an error before DROP VIEW code is executed. When in DROP, either DROP SEQUENCES, DROP VIEW or DROP TABLE no privilege checking is made. This means that a user can always find out if there is an object of a certain type by executing one of the above drops. In other mens, there is nothing to hide in DROP VIEW that the user can't find out anyway. Regards, Monty