• Dmitry Lenev authored · eaae6752
    Fix for bug#57061 "User without privilege on routine can
    discover its existence".
    
    The problem was that a user without any privileges on a
    routine was able to find out whether it existed or not.
    DROP FUNCTION and DROP PROCEDURE statements were
    checking if the routine being dropped existed and reported
    ER_SP_DOES_NOT_EXIST error/warning before checking
    if the user had enough privileges to drop it.

    This patch solves this problem by changing the code not to
    check if the routine exists before checking if the user has enough
    privileges to drop it. Moreover, we no longer perform this
    check using a separate call; instead we rely on
    sp_drop_routine() returning SP_KEY_NOT_FOUND if the routine
    doesn't exist.

    This change also simplifies one of the upcoming patches
    refactoring the global read lock implementation.
    
    mysql-test/r/grant.result:
      Updated test case after fixing bug#57061 "User without
      privilege on routine can discover its existence". Removed
      DROP PROCEDURE/FUNCTION statements which have started to
      fail after this fix (correctly). There is no need to
      drop routines in a freshly created database anyway.
    mysql-test/r/sp-security.result:
      Added new test case for bug#57061 "User without privilege
      on routine can discover its existence". Updated existing
      tests according to the new behaviour.
    mysql-test/suite/funcs_1/r/innodb_storedproc_06.result:
      Updated test case after fixing bug#57061 "User without
      privilege on routine can discover its existence".
      Now we drop routines under a user who has enough
      privileges to do so.
    mysql-test/suite/funcs_1/r/memory_storedproc_06.result:
      Updated test case after fixing bug#57061 "User without
      privilege on routine can discover its existence".
      Now we drop routines under a user who has enough
      privileges to do so.
    mysql-test/suite/funcs_1/r/myisam_storedproc_06.result:
      Updated test case after fixing bug#57061 "User without
      privilege on routine can discover its existence".
      Now we drop routines under a user who has enough
      privileges to do so.
    mysql-test/suite/funcs_1/storedproc/storedproc_06.inc:
      Updated test case after fixing bug#57061 "User without
      privilege on routine can discover its existence".
      Now we drop routines under a user who has enough
      privileges to do so.
    mysql-test/t/grant.test:
      Updated test case after fixing bug#57061 "User without
      privilege on routine can discover its existence". Removed
      DROP PROCEDURE/FUNCTION statements which have started to
      fail after this fix (correctly). There is no need to
      drop routines in a freshly created database anyway.
    mysql-test/t/sp-security.test:
      Added new test case for bug#57061 "User without privilege
      on routine can discover its existence". Updated existing
      tests according to the new behaviour.
    sql/sp.cc:
      Removed sp_routine_exists_in_table() which is no longer
      used.
    sql/sp.h:
      Removed sp_routine_exists_in_table() which is no longer
      used.
    sql/sql_parse.cc:
      When dropping a routine we no longer check if the routine exists
      before checking if the user has enough privileges to do so.
      Moreover, we no longer perform this check using a separate
      call; instead we rely on sp_drop_routine() returning
      SP_KEY_NOT_FOUND if the routine doesn't exist.
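
The check ordering described in the commit message above, as an added example that is not MySQL source and not part of the commit: a small model with the old order (existence first) beside the new order (privileges first). It assumes privileges are a simple per-user flag; `Server`, `may_drop`, `ACCESS_DENIED`, `DROP_OK` and the sample names are constructed for illustration.

```cpp
#include <set>
#include <string>

// Simplified model, not MySQL source. ER_SP_DOES_NOT_EXIST, SP_KEY_NOT_FOUND
// and sp_drop_routine() are named in the commit message; the rest is constructed.
enum Result { DROP_OK, ER_SP_DOES_NOT_EXIST, ACCESS_DENIED };
enum SpStatus { SP_OK, SP_KEY_NOT_FOUND };

struct Server {
    std::set<std::string> routines;    // stored routines that exist
    std::set<std::string> privileged;  // assumption: users allowed to drop routines

    // The privilege check consults grants only, never the routine catalog.
    bool may_drop(const std::string& user) const { return privileged.count(user) > 0; }

    // Stand-in for sp_drop_routine(): it reports a missing routine itself.
    SpStatus sp_drop_routine(const std::string& name) {
        return routines.erase(name) ? SP_OK : SP_KEY_NOT_FOUND;
    }

    // Old order: existence is reported before the privilege check runs.
    Result drop_before_fix(const std::string& user, const std::string& name) {
        if (!routines.count(name)) return ER_SP_DOES_NOT_EXIST;
        if (!may_drop(user)) return ACCESS_DENIED;
        sp_drop_routine(name);
        return DROP_OK;
    }

    // New order: privileges first, then rely on sp_drop_routine()'s status.
    Result drop_after_fix(const std::string& user, const std::string& name) {
        if (!may_drop(user)) return ACCESS_DENIED;
        return sp_drop_routine(name) == SP_KEY_NOT_FOUND ? ER_SP_DOES_NOT_EXIST : DROP_OK;
    }
};

// True when an existing and a missing routine give this user different
// results, i.e. the response reveals which of the two exists.
bool leaks_existence(bool fixed, const std::string& user) {
    Server s;
    s.routines.insert("secret_proc");  // constructed sample data
    s.privileged.insert("admin");
    auto drop = [&](const std::string& n) {
        return fixed ? s.drop_after_fix(user, n) : s.drop_before_fix(user, n);
    };
    return drop("secret_proc") != drop("no_such_proc");
}

int main() { return leaks_existence(true, "guest") ? 1 : 0; }
```

In this model a privileged user still sees the difference between an existing and a missing routine after the fix; only callers who fail the privilege check get a uniform answer.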