Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-7025

ANALYZE SELECT/INSERT/UPDATE/DELETE from a view does not check access permissions on the underlying table

    XMLWordPrintable

Details

    Description

      Test case

      --enable_connect_log
      create database db;
      use db;
      create table t1 (i int, c varchar(8));
      insert into t1 values (1,'foo'),(2,'bar'),(3,'baz'),(4,'qux');
      create view v1 as select * from t1 where i > 1;
      grant all on db.v1 to u1@localhost;
       
      --connect (con1,localhost,u1,,)
       
      --error ER_TABLEACCESS_DENIED_ERROR
      select * from db.t1;
      --error ER_TABLEACCESS_DENIED_ERROR
      explain select * from db.t1;
      --error ER_TABLEACCESS_DENIED_ERROR
      analyze select * from db.t1;
       
      select * from db.v1;
      --error ER_VIEW_NO_EXPLAIN
      explain select * from db.v1;
      --error ER_VIEW_NO_EXPLAIN
      analyze select * from db.v1;
       
      --disconnect con1
      --connection default
       
      drop user u1@localhost;
      drop database db;

      The last statement should fail just like the previous one does, but it succeeds (and reveals the underlying t1 table in the output).

      Same for INSERT, UPDATE, DELETE.

      Attachments

        Issue Links

          Activity

            People

              cvicentiu Vicențiu Ciorbaru
              elenst Elena Stepanova
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.