[MDEV-13453] Executing a query via CTE requires more permissions than the query itself Created: 2017-08-04  Updated: 2018-10-30  Resolved: 2017-12-20

Status: Closed
Project: MariaDB Server
Component/s: Authentication and Privilege System, Optimizer - CTE
Affects Version/s: 10.2
Fix Version/s: 10.2.11

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Igor Babaev
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Duplicate
is duplicated by MDEV-13682 Role permissions don't work with CTEs Closed
Problem/Incident
causes MXS-2064 Loading of users with MariaDB 10.2.10... Closed
Sprint: 10.2.11

 Description   

Based on the question posted at stackoverflow by Diogo Melo:
https://stackoverflow.com/questions/45510362/error-1142-42000-select-command-denied-for-with-recursive-statement-on-ma

When a query is executed via CTE, it's not enough to have normal privileges for the query, the user must also have SELECT privileges for the CTE itself, which are impossible to grant.

create database db;
 
use db;
 
create table t1 (i int);
 
 
 
create user foo@localhost;
 
grant SELECT on db.t1 to foo@localhost;
 
 
 
--connect (con1,localhost,foo,,)
 
use db;
 
with cte as (select * from t1) select * from cte;
 
 
 
# Cleanup
 
--disconnect con1
 
 
 
--connection default
 
drop database db;
 
drop user foo@localhost;


CURRENT_TEST: bug.t6
 
mysqltest: At line 10: query 'with cte as (select * from t1) select * from cte' failed: 1142: SELECT command denied to user 'foo'@'localhost' for table 'cte'



 Comments   
Comment by Rick James (Inactive) [ 2017-08-14 ]

Seems to work on 10.2.2, so perhaps a regression?

Comment by Oleksandr Byelkin [ 2017-11-14 ]

OK to push after fixing resulta and adding the comment we discussed.

Comment by Igor Babaev [ 2017-12-20 ]

The fix for this bug was pushed into the 10.2 tree.

Generated at Thu Feb 08 08:05:43 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.