[MDEV-7043] Multi-table DELETE rejected due to lack of SELECT privilege for no good reason
Created: 2014-11-07
Updated: 2022-09-08

Status: Open
Project: MariaDB Server
Component/s: OTHER
Affects Version/s: 5.5.40, 10.0.14
Fix Version/s: 10.1

Type: Bug
Priority: Minor
Reporter: Elena Stepanova
Assignee: Unassigned
Resolution: Unresolved
Votes: 0
Labels: upstream


Description

Test case

--disable_abort_on_error
--enable_connect_log
 
CREATE DATABASE privtest_db;
USE privtest_db;
 
CREATE TABLE privtest_db.t1 (a INT, b INT);
CREATE TABLE privtest_db.t2 (a INT);
INSERT INTO privtest_db.t1 VALUES (1,1), (2,2), (3,3);
 
GRANT ALL ON privtest_db.t2 TO 'privtest'@'localhost';
GRANT DELETE ON privtest_db.t1 TO 'privtest'@'localhost';
 
connect(con1,localhost,privtest,,);
USE privtest_db;
 
DELETE t1 FROM t1, t2;
 
--connection default
GRANT SELECT(b) ON privtest_db.t1 TO 'privtest'@'localhost';
--connection con1
 
DELETE t1 FROM t1, t2;

We have full access to the table we join with (to make things more obvious), and DELETE privilege on the table we delete from. The tables are joined unconditionally.

The DELETE fails due to the lack of SELECT privilege on t1:

SELECT command denied to user 'privtest'@'localhost' for table 't1'

The theory that SELECT is needed for the join does not survive the next test: we add a SELECT privilege on one of two columns in t1 and run the same DELETE again. Now it succeeds.

Since the JOIN is unconditional, it should either require no SELECT privilege on the table we delete from, or full SELECT on all columns. One column-SELECT should not make any difference.
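
The following audit query is an added example, not part of the original report or of MariaDB's test suite. It lists accounts in the privilege state the second DELETE above runs under: table-level DELETE, no table-level SELECT, and column-level SELECT on only some of the table's columns. It assumes it is run by an account that can see all grants, and it considers table-level and column-level grants only.

```sql
-- Added audit example (not from the original report).
-- Finds grantees holding DELETE on a table together with SELECT on only a
-- subset of its columns, i.e. the combination under which the report's
-- second multi-table DELETE is accepted.
-- Scope assumption: only grants made at table and column level are examined;
-- database-level and global grants (SCHEMA_PRIVILEGES, USER_PRIVILEGES)
-- are not taken into account here.
SELECT d.GRANTEE,
       d.TABLE_SCHEMA,
       d.TABLE_NAME,
       COUNT(DISTINCT cp.COLUMN_NAME) AS select_columns_granted,
       (SELECT COUNT(*)
          FROM information_schema.COLUMNS c
         WHERE c.TABLE_SCHEMA = d.TABLE_SCHEMA
           AND c.TABLE_NAME   = d.TABLE_NAME) AS total_columns
  FROM information_schema.TABLE_PRIVILEGES d
  -- column-level SELECT grants for the same grantee and table
  JOIN information_schema.COLUMN_PRIVILEGES cp
    ON cp.GRANTEE        = d.GRANTEE
   AND cp.TABLE_SCHEMA   = d.TABLE_SCHEMA
   AND cp.TABLE_NAME     = d.TABLE_NAME
   AND cp.PRIVILEGE_TYPE = 'SELECT'
 WHERE d.PRIVILEGE_TYPE = 'DELETE'
   -- exclude grantees that already hold SELECT on the whole table
   AND NOT EXISTS (SELECT 1
                     FROM information_schema.TABLE_PRIVILEGES s
                    WHERE s.GRANTEE        = d.GRANTEE
                      AND s.TABLE_SCHEMA   = d.TABLE_SCHEMA
                      AND s.TABLE_NAME     = d.TABLE_NAME
                      AND s.PRIVILEGE_TYPE = 'SELECT')
 GROUP BY d.GRANTEE, d.TABLE_SCHEMA, d.TABLE_NAME
 -- keep only partial column coverage
HAVING select_columns_granted < total_columns;
```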

