[CP] fix privilege check for dml stmt is to strict

src/sql/privilege_check/ob_privilege_check.cpp

@@ -385,10 +385,15 @@ int add_col_priv_to_need_priv(
   visitor.remove_scope(SCOPE_DML_CONSTRAINT);
   visitor.remove_scope(SCOPE_DMLINFOS);
   ObSEArray<ObRawExpr *, 4> col_exprs;
+  bool has_dml_info = false;
   if (OB_ISNULL(basic_stmt)) {
     ret = OB_ERR_UNEXPECTED;
     LOG_WARN("basic_stmt is NULL", K(ret));
-  } else {
+  } else if (basic_stmt->is_dml_write_stmt() &&
+             OB_FAIL(static_cast<const ObDelUpdStmt*>(basic_stmt)->has_dml_table_info(
+                                                            table_item.table_id_, has_dml_info))) {
+    LOG_WARN("failed to check has dml table info", K(ret));
+  } else if (has_dml_info) {
     stmt::StmtType stmt_type = basic_stmt->get_stmt_type();
     switch (stmt_type) {
       case stmt::T_DELETE: {
@@ -504,6 +509,7 @@ int add_col_priv_to_need_priv(
         break;
       }
     }
+  }
   if (OB_SUCC(ret)) {
     ObSEArray<ObRawExpr *, 4> rel_exprs;
     need_priv.priv_set_ = OB_PRIV_SELECT;
@@ -540,7 +546,6 @@ int add_col_priv_to_need_priv(
       }
     }
   }
-  }
   return ret;
 }
 
@@ -1170,7 +1175,6 @@ int get_dml_stmt_need_privs(
             || table_item->is_view_table_) {
             need_priv.db_ = table_item->database_name_;
             need_priv.table_ = table_item->table_name_;
-            need_priv.priv_set_ = priv_set;
             need_priv.is_sys_table_ = table_item->is_system_table_;
             need_priv.is_for_update_ = table_item->for_update_;
             need_priv.priv_level_ = OB_PRIV_TABLE_LEVEL;
@@ -1187,6 +1191,17 @@ int get_dml_stmt_need_privs(
                                table_item->table_name_.length(), table_item->table_name_.ptr());
               }
             }
+            if (OB_SUCC(ret)) {
+              bool has = false;
+              if (stmt::T_SELECT == dml_stmt->get_stmt_type()) {
+                need_priv.priv_set_ = priv_set;
+              } else if (OB_FAIL(static_cast<const ObDelUpdStmt*>(dml_stmt)->has_dml_table_info(
+                                                              table_item->table_id_, has))) {
+                LOG_WARN("failed to check has dml table info", K(ret));
+              } else {
+                need_priv.priv_set_ = has ? priv_set : OB_PRIV_SELECT;
+              }
+            }
             if (OB_SUCC(ret)) {
               if (session_priv.is_tenant_changed()
                   && 0 != table_item->database_name_.case_compare(OB_SYS_DATABASE_NAME)) {