[MDEV-7027] ANALYZE SELECT/INSERT/UPDATE/DELETE from a view does not check SHOW permission on the view Created: 2014-11-05  Updated: 2015-03-10  Resolved: 2015-03-10

Status: Closed
Project: MariaDB Server
Component/s: OTHER, Views
Affects Version/s: 10.1.1
Fix Version/s: 10.1.4

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Vicențiu Ciorbaru
Resolution: Duplicate Votes: 0
Labels: analyze-stmt

Issue Links:
Relates
relates to MDEV-406 ANALYZE $stmt Closed
relates to MDEV-6382 ANALYZE $stmt and security Closed
relates to MDEV-6422 More testing for ANALYZE stmt and JSON Closed

 Description   

Unlike MDEV-7025, here we have all access to the underlying table, but only SELECT grant on the view. EXPLAIN fails because SHOW VIEW permission is missing, but ANALYZE succeeds.

All the same with INSERT, UPDATE, DELETE.

Test case

 
--enable_connect_log
 
 
 
create database db;
 
use db;
 
create table t1 (i int, c varchar(8));
 
insert into t1 values (1,'foo'),(2,'bar'),(3,'baz'),(4,'qux');
 
create view v1 as select * from t1 where i > 1;
 
 
 
grant SELECT on db.v1 to u1@localhost;
 
grant ALL on db.t1 to u1@localhost;
 
 
 
--connect (con1,localhost,u1,,)
 
 
 
select * from db.t1;
 
explain select * from db.t1;
 
analyze select * from db.t1;
 
 
 
select * from db.v1;
 
--error ER_VIEW_NO_EXPLAIN
 
explain select * from db.v1;
 
--error ER_VIEW_NO_EXPLAIN
 
analyze select * from db.v1;
 
 
 
--disconnect con1
 
--connection default
 
 
 
drop user u1@localhost;
 
drop database db;



 Comments   
Comment by Vicențiu Ciorbaru [ 2015-03-10 ]

Duplicate of MDEV-7025

Generated at Thu Feb 08 07:16:24 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.