MDEV-5232 SET ROLE checks privileges differently from check_access()

use the same inconsistent priv_user@host pair for SET ROLE privilege checks, just as check_access() does

MDEV-5232 SET ROLE checks privileges differently from check_access()
use the same inconsistent priv_user@host pair for SET ROLE privilege checks, just as check_access() does
79d2e6c8 · Sergei Golubchik · 00ba6191 · 79d2e6c8 · 79d2e6c8 · 79d2e6c8
Commit 79d2e6c8 authored Nov 04, 2013 by Sergei Golubchik
3 changed files
--- a/mysql-test/suite/roles/set_role-5232.result
+++ b/mysql-test/suite/roles/set_role-5232.result
+create user ''@localhost;
+create user c;
+grant select on mysql.* to c;
+create role r1;
+grant r1 to c;
+select user(), current_user();
+user()	current_user()
+c@localhost	@localhost
+select user from mysql.user group by user;
+ERROR 42000: SELECT command denied to user ''@'localhost' for table 'user'
+set role r1;
+ERROR OP000: Invalid role specification `r1`.
+drop role r1;
+drop user c;
+drop user ''@localhost;
--- a/mysql-test/suite/roles/set_role-5232.test
+++ b/mysql-test/suite/roles/set_role-5232.test
+#
+# MDEV-5232 SET ROLE checks privileges differently from check_access()
+#
+--source include/not_embedded.inc
+create user ''@localhost;
+create user c;
+grant select on mysql.* to c;
+create role r1;
+grant r1 to c;
+connect (c,localhost,c,,,,,);
+select user(), current_user();
+--error ER_TABLEACCESS_DENIED_ERROR
+select user from mysql.user group by user;
+--error ER_INVALID_ROLE
+set role r1;
+disconnect c;
+connection default;
+drop role r1;
+drop user c;
+drop user ''@localhost;
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -1871,7 +1871,9 @@ int acl_check_setrole(THD *thd, char *rolename, ulonglong *access)
      continue;

    acl_user= (ACL_USER *)acl_user_base;
-    if (acl_user->wild_eq(thd->security_ctx->user, thd->security_ctx->host))
+    /* Yes! priv_user@host. Don't ask why - that's what check_access() does. */
+    if (acl_user->wild_eq(thd->security_ctx->priv_user,
+                          thd->security_ctx->host))
    {
      is_granted= TRUE;
      break;