[MDEV-7025] ANALYZE SELECT/INSERT/UPDATE/DELETE from a view does not check access permissions on the underlying table - Jira

XML

Word

Printable

Test case
--enable_connect_log
create database db;
use db;
create table t1 (i int, c varchar(8));
insert into t1 values (1,'foo'),(2,'bar'),(3,'baz'),(4,'qux');
create view v1 as select * from t1 where i > 1;
grant all on db.v1 to u1@localhost;

--connect (con1,localhost,u1,,)

--error ER_TABLEACCESS_DENIED_ERROR
select * from db.t1;
--error ER_TABLEACCESS_DENIED_ERROR
explain select * from db.t1;
--error ER_TABLEACCESS_DENIED_ERROR
analyze select * from db.t1;

select * from db.v1;
--error ER_VIEW_NO_EXPLAIN
explain select * from db.v1;
--error ER_VIEW_NO_EXPLAIN
analyze select * from db.v1;

--disconnect con1
--connection default

drop user u1@localhost;
drop database db;

The last statement should fail just like the previous one does, but it succeeds (and reveals the underlying t1 table in the output).

Same for INSERT, UPDATE, DELETE.

relates to

MDEV-406 ANALYZE $stmt

MDEV-6382 ANALYZE $stmt and security

MDEV-6422 More testing for ANALYZE stmt and JSON

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.