  1. MariaDB Server
  2. MDEV-7025

ANALYZE SELECT/INSERT/UPDATE/DELETE from a view does not check access permissions on the underlying table


    Details

      Description

      Test case

      --enable_connect_log
      create database db;
      use db;
      create table t1 (i int, c varchar(8));
      insert into t1 values (1,'foo'),(2,'bar'),(3,'baz'),(4,'qux');
      create view v1 as select * from t1 where i > 1;
      grant all on db.v1 to u1@localhost;
       
      --connect (con1,localhost,u1,,)
       
      --error ER_TABLEACCESS_DENIED_ERROR
      select * from db.t1;
      --error ER_TABLEACCESS_DENIED_ERROR
      explain select * from db.t1;
      --error ER_TABLEACCESS_DENIED_ERROR
      analyze select * from db.t1;
       
      select * from db.v1;
      --error ER_VIEW_NO_EXPLAIN
      explain select * from db.v1;
      --error ER_VIEW_NO_EXPLAIN
      analyze select * from db.v1;
       
      --disconnect con1
      --connection default
       
      drop user u1@localhost;
      drop database db;

      The last statement should fail just like the previous one does, but it succeeds (and reveals the underlying t1 table in the output).

      Same for INSERT, UPDATE, DELETE.


              People

              Assignee:
              cvicentiu Vicențiu Ciorbaru
              Reporter:
              elenst Elena Stepanova