List:Commits« Previous MessageNext Message »
From:Georgi Kodinov Date:February 26 2009 5:22pm
Subject:bzr commit into mysql-5.1-bugteam branch (kgeorge:2825) Bug#41354
View as plain text  
#At file:///Users/kgeorge/mysql/work/B41354-merge-5.1-bugteam/ based on revid:ramil@stripped

 2825 Georgi Kodinov	2009-02-26 [merge]
      null-merged the fix and kept the test for bug #41354 from 5.0-bugteam

    modified:
      mysql-test/r/view_grant.result
      mysql-test/t/view_grant.test
=== modified file 'mysql-test/r/view_grant.result'
--- a/mysql-test/r/view_grant.result	2009-02-25 12:18:24 +0000
+++ b/mysql-test/r/view_grant.result	2009-02-26 17:20:50 +0000
@@ -921,6 +921,32 @@ c4
 DROP DATABASE mysqltest1;
 DROP DATABASE mysqltest2;
 DROP USER mysqltest_u1@localhost;
+CREATE DATABASE db1;
+USE db1;
+CREATE TABLE t1(f1 INT, f2 INT);
+CREATE VIEW v1 AS SELECT f1, f2 FROM t1;
+GRANT SELECT (f1) ON t1 TO foo;
+GRANT SELECT (f1) ON v1 TO foo;
+USE db1;
+SELECT f1 FROM t1;
+f1
+SELECT f2 FROM t1;
+ERROR 42000: SELECT command denied to user 'foo'@'localhost' for column 'f2' in table 't1'
+SELECT * FROM t1;
+ERROR 42000: SELECT command denied to user 'foo'@'localhost' for table 't1'
+SELECT f1 FROM v1;
+f1
+SELECT f2 FROM v1;
+ERROR 42000: SELECT command denied to user 'foo'@'localhost' for column 'f2' in table 'v1'
+SELECT * FROM v1;
+ERROR 42000: SELECT command denied to user 'foo'@'localhost' for table 'v1'
+USE test;
+REVOKE SELECT (f1) ON db1.t1 FROM foo;
+REVOKE SELECT (f1) ON db1.v1 FROM foo;
+DROP USER foo;
+DROP VIEW db1.v1;
+DROP TABLE db1.t1;
+DROP DATABASE db1;
 End of 5.0 tests.
 DROP VIEW IF EXISTS v1;
 DROP TABLE IF EXISTS t1;

=== modified file 'mysql-test/t/view_grant.test'
--- a/mysql-test/t/view_grant.test	2009-02-25 10:19:29 +0000
+++ b/mysql-test/t/view_grant.test	2009-02-26 17:20:50 +0000
@@ -1191,6 +1191,46 @@ DROP DATABASE mysqltest1;
 DROP DATABASE mysqltest2;
 DROP USER mysqltest_u1@localhost;
 
+
+#
+# Bug #41354: Access control is bypassed when all columns of a view are 
+# selected by * wildcard
+
+CREATE DATABASE db1;
+USE db1;
+CREATE TABLE t1(f1 INT, f2 INT);
+CREATE VIEW v1 AS SELECT f1, f2 FROM t1;
+
+GRANT SELECT (f1) ON t1 TO foo;
+GRANT SELECT (f1) ON v1 TO foo;
+
+connect (addconfoo, localhost, foo,,);
+connection addconfoo;
+USE db1;
+
+
+SELECT f1 FROM t1;
+--error ER_COLUMNACCESS_DENIED_ERROR
+SELECT f2 FROM t1;
+--error ER_TABLEACCESS_DENIED_ERROR
+SELECT * FROM t1;
+
+SELECT f1 FROM v1;
+--error ER_COLUMNACCESS_DENIED_ERROR
+SELECT f2 FROM v1;
+--error ER_TABLEACCESS_DENIED_ERROR
+SELECT * FROM v1;
+
+connection default;
+USE test;
+disconnect addconfoo;
+REVOKE SELECT (f1) ON db1.t1 FROM foo;
+REVOKE SELECT (f1) ON db1.v1 FROM foo;
+DROP USER foo;
+DROP VIEW db1.v1;
+DROP TABLE db1.t1;
+DROP DATABASE db1;
+
 --echo End of 5.0 tests.
 
 


Attachment: [text/bzr-bundle] bzr/kgeorge@mysql.com-20090226172050-te6m56827yd3wcbl.bundle
Thread
bzr commit into mysql-5.1-bugteam branch (kgeorge:2825) Bug#41354Georgi Kodinov27 Feb