maria-developers team mailing list archive
Mailing list archive
Re: PLEASE REVIEW: (MDEV-7574) Security definer views don't work with CONNECT ODBC tables
On Jul 26, Alexander Barkov wrote:
> > + if (!table || !table->mdl_ticket || table->mdl_ticket->get_type() == MDL_EXCLUSIVE)
> > + return check_access(thd, FILE_ACL, db, NULL, NULL, 0, 0);
> > + if (table->grant.privilege & FILE_ACL)
> > + return false;
> > + return true;
> > It passes your test case. In fact, your first fix passes it too :)
> Yeah, I guess my condition that switches between checking
> grant.privilege and doing check_access() was effectively the same.
> But your version looks simpler.
> > This one also passes the additional test I've added - where a user can
> > access the table, but view's definer cannot:
> > --connection default
> > CREATE DEFINER=user@localhost SQL SECURITY DEFINER VIEW v1_baddefiner AS SELECT * FROM t1;
> > --error ER_ACCESS_DENIED_ERROR
> > SELECT * FROM v1_baddefiner;
> This is a nice idea. Thanks.
Your first patch was
if (table && table->grant.privilege & FILE_ACL)
return check_access(thd, FILE_ACL, db, NULL, NULL, 0, 0);
that is, it tried both table->grant.privilege and check_access(). We
agreed that it's wrong, but I wanted a test case for it.
> I just tried this:
> # Run this as root:
> DROP TABLE IF EXISTS t1;
> DROP PROCEDURE IF EXISTS p1;
> CREATE PROCEDURE p1() SQL SECURITY DEFINER
> CREATE TABLE t1 (a INT) ENGINE=CONNECT TABLE_TYPE=fix FILE_NAME='t1.fix';
> # Run this as a user with no FILE_ACL
> CALL p1();
> and it also worked as expected, CALL p1() succeeded.
> The patch is Ok. Thanks for help with this.
> Can you please push this?
But I'll add your SP test case too.