  1. MariaDB Server
  2. MDEV-7300

CREATE OR REPLACE VIEW does not require DROP privilege

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Not a Bug
    • Affects Version/s: 10.1, 10.0
    • Fix Version/s: 10.1.3
    • Component/s: OTHER
    • Labels:
      None

      Description

      Check the code in sql_view.cc.
      It does not seem to require DROP privilege to do "CREATE OR REPLACE VIEW".

      It should, as "CREATE OR REPLACE" is actually two queries ("DROP VIEW IF EXISTS" followed by a "CREATE VIEW") run in a single shot.

            Activity

            Alexander Barkov (bar) added a comment (edited):

            It actually works fine. DROP_ACL is checked.

            Run as root:

            DROP DATABASE IF EXISTS db1;
            DROP USER IF EXISTS user@localhost;
            CREATE DATABASE db1;
            USE db1;
            CREATE VIEW v1 AS SELECT 1;
            CREATE USER user@localhost;
            GRANT SELECT, CREATE VIEW  ON db1.* TO user@localhost;
            

            Then run

            mysql --user=user db1
            

            and try to replace the view:

            mysql> create or replace view v1 as select 2;
            ERROR 1142 (42000): DROP command denied to user 'user'@'localhost' for table 'v1'
            

            After adding DROP privilege to 'user', CREATE OR REPLACE works fine.

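Added example (not part of the original issue or of the comment above): continuing that reproduction, DROP can be granted on the single view instead of on all of db1, so the account can replace v1 and nothing else. The second view v2 is hypothetical and exists only to show the scope of the grant; the example assumes a table-level DROP grant on the view satisfies the same DROP check the comment demonstrates.

```sql
-- Session 1: run as root, after the setup from the comment above.
USE db1;

-- Hypothetical second view, not in the original report.
CREATE VIEW v2 AS SELECT 1;

-- Table-level grant: DROP on the one view only, not on db1.*
GRANT DROP ON db1.v1 TO user@localhost;

-- Review what the account holds after the change.
SHOW GRANTS FOR user@localhost;

-- List every object in db1 on which DROP has been granted at table level,
-- to confirm the grant did not spread beyond v1.
SELECT GRANTEE, TABLE_SCHEMA, TABLE_NAME
FROM information_schema.TABLE_PRIVILEGES
WHERE PRIVILEGE_TYPE = 'DROP'
  AND TABLE_SCHEMA = 'db1';

-- Audit: accounts holding schema-level CREATE VIEW without schema-level DROP.
-- These accounts can create new views in the schema but need an additional
-- DROP grant (schema-level or per view) before CREATE OR REPLACE VIEW passes.
SELECT cv.GRANTEE, cv.TABLE_SCHEMA
FROM information_schema.SCHEMA_PRIVILEGES AS cv
LEFT JOIN information_schema.SCHEMA_PRIVILEGES AS d
       ON d.GRANTEE = cv.GRANTEE
      AND d.TABLE_SCHEMA = cv.TABLE_SCHEMA
      AND d.PRIVILEGE_TYPE = 'DROP'
WHERE cv.PRIVILEGE_TYPE = 'CREATE VIEW'
  AND d.GRANTEE IS NULL;

-- Session 2: reconnect as the restricted account (mysql --user=user db1).
-- v1 is covered by the table-level DROP grant.
CREATE OR REPLACE VIEW v1 AS SELECT 2;

-- v2 has no DROP grant covering it, so it is subject to the same DROP check
-- that produced ERROR 1142 in the comment above.
CREATE OR REPLACE VIEW v2 AS SELECT 2;
```

The audit query only compares schema-level grants; global grants (`ON *.*`) and per-object grants appear in `information_schema.USER_PRIVILEGES` and `information_schema.TABLE_PRIVILEGES` respectively.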

              People

              • Assignee: bar Alexander Barkov
              • Reporter: bar Alexander Barkov
              • Votes: 0
              • Watchers: 2