database/tidb
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

planner: check drop privilege for CREATE OR REPLACE VEIW stmt (#60519)

Browse Source 
close pingcap/tidb#60469
This commit is contained in:
Hangjie Mo
2025-04-14 18:05:46 +08:00
committed by GitHub
parent 43d47e4e1d
commit 4c751e7c8a
3 changed files with 48 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
pkg/planner/core/planbuilder.go
View File

@ -5199,12 +5199,21 @@ func (b *PlanBuilder) buildDDL(ctx context.Context, node ast.DDLNode) (base.Plan
if len(v.Cols) != schema.Len() {
return nil, dbterror.ErrViewWrongList
}
var authCreateErr, authDropErr error
if user := b.ctx.GetSessionVars().User; user != nil {
authErr = plannererrors.ErrTableaccessDenied.GenWithStackByArgs("CREATE VIEW", user.AuthUsername,
authCreateErr = plannererrors.ErrTableaccessDenied.GenWithStackByArgs("CREATE VIEW", user.AuthUsername,
user.AuthHostname, v.ViewName.Name.L)
if v.OrReplace {
authDropErr = plannererrors.ErrTableaccessDenied.GenWithStackByArgs("DROP", user.AuthUsername,
user.AuthHostname, v.ViewName.Name.L)
}
}
b.visitInfo = appendVisitInfo(b.visitInfo, mysql.CreateViewPriv, v.ViewName.Schema.L,
v.ViewName.Name.L, "", authErr)
v.ViewName.Name.L, "", authCreateErr)
if v.OrReplace {
b.visitInfo = appendVisitInfo(b.visitInfo, mysql.DropPriv, v.ViewName.Schema.L,
v.ViewName.Name.L, "", authDropErr)
}
if v.Definer.CurrentUser && b.ctx.GetSessionVars().User != nil {
v.Definer = b.ctx.GetSessionVars().User
}

13
tests/integrationtest/r/privilege/privileges.result
View File

@ -732,3 +732,16 @@ Database
INFORMATION_SCHEMA
tmpdb
create temporary table tmpdb.tmp(id int);
use privilege__privileges;
DROP USER IF EXISTS foo;
CREATE USER foo;
DROP VIEW IF EXISTS v, v1;
GRANT SELECT ON privilege__privileges.* TO foo;
CREATE OR REPLACE VIEW v AS SELECT 1;
Error 1142 (42000): CREATE VIEW command denied to user 'foo'@'%' for table 'v'
GRANT CREATE VIEW ON privilege__privileges.* TO foo;
CREATE VIEW v AS SELECT 1;
CREATE OR REPLACE VIEW v AS SELECT 1, 1;
Error 1142 (42000): DROP command denied to user 'foo'@'%' for table 'v'
CREATE OR REPLACE VIEW v1 AS SELECT 1, 1;
Error 1142 (42000): DROP command denied to user 'foo'@'%' for table 'v1'

24
tests/integrationtest/t/privilege/privileges.test
View File

@ -990,3 +990,27 @@ create temporary table tmpdb.tmp(id int);
disconnect test_user;
connection default;
# TestIssue60469
use privilege__privileges;
DROP USER IF EXISTS foo;
CREATE USER foo;
DROP VIEW IF EXISTS v, v1;
GRANT SELECT ON privilege__privileges.* TO foo;
connect (foo, localhost, foo,,privilege__privileges);
--error 1142
CREATE OR REPLACE VIEW v AS SELECT 1;
connection default;
GRANT CREATE VIEW ON privilege__privileges.* TO foo;
connection foo;
CREATE VIEW v AS SELECT 1;
--error 1142
CREATE OR REPLACE VIEW v AS SELECT 1, 1;
--error 1142
CREATE OR REPLACE VIEW v1 AS SELECT 1, 1;
disconnect foo;
connection default;