[#MDEV-7300] CREATE OR REPLACE VIEW does not require DROP privilege

[MDEV-7300] CREATE OR REPLACE VIEW does not require DROP privilege Created: 2014-12-10 Updated: 2015-02-26 Resolved: 2015-02-26
Status:	Closed
Project:	MariaDB Server
Component/s:	OTHER
Affects Version/s:	10.0, 10.1
Fix Version/s:	10.1.3

Type:

Bug

Priority:

Major

Reporter:

Alexander Barkov

Assignee:

Alexander Barkov

Resolution:

Not a Bug

Votes:

Labels:

None

Description

Check the code in sql_view.cc.
It does not seem to require DROP privilege to do "CREATE OR REPLACE VIEW".

It should, as "CREATE OR REPLACE" is actually two queries ("DROP VIEW IF EXISTS" followed by a "CREATE VIEW") run in a single shot.

Comments

Comment by Alexander Barkov [ 2015-02-26 ]

It actually works fine. DROP_ACL is checked.

Run as root:

DROP DATABASE IF EXISTS db1;

DROP USER IF EXISTS user@localhost;

CREATE DATABASE db1;

USE db1;

CREATE VIEW v1 AS SELECT 1;

CREATE USER user@localhost;

GRANT SELECT, CREATE VIEW  ON db1.* TO user@localhost;

Then run

mysql --user=user db1

and try to replace the view:

mysql> create or replace view v1 as select 2;

ERROR 1142 (42000): DROP command denied to user 'user'@'localhost' for table 'v1'

After adding DROP privilege to 'user', CREATE OR REPLACE works fine.

Generated at Thu Feb 08 07:18:32 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.