MDEV-21560 Assertion `grant_table || grant_table_role' failed in check_grant_all_columns

With RETURNING it can happen that the user has some privileges on the table (namely, DELETE), but later needs different privileges on individual columns (namely, SELECT). Do the same as in check_grant_column() - ER_COLUMNACCESS_DENIED_ERROR, not an assert.

MDEV-21560 Assertion `grant_table || grant_table_role' failed in check_grant_all_columns
With RETURNING it can happen that the user has some privileges on the table (namely, DELETE), but later needs different privileges on individual columns (namely, SELECT). Do the same as in check_grant_column() - ER_COLUMNACCESS_DENIED_ERROR, not an assert.
b58586aa · Sergei Golubchik · 80534093 · b58586aa · b58586aa · b58586aa
Commit b58586aa authored Jun 13, 2020 by Sergei Golubchik
Hide whitespace changes
Inline Side-by-side

Showing with 36 additions and 1 deletion

mysql-test/main/grant5.result mysql-test/main/grant5.result +17 -0

mysql-test/main/grant5.test mysql-test/main/grant5.test +17 -0

sql/sql_acl.cc sql/sql_acl.cc +2 -1

No files found.
--- a/mysql-test/main/grant5.result
+++ b/mysql-test/main/grant5.result
@@ -225,4 +225,21 @@ drop user twg@'%';
 insert mysql.tables_priv (host,db,user,table_name,grantor,table_priv) values ('localhost','','otto','t1','root@localhost','select');
 flush privileges;
 delete from mysql.tables_priv where db='';
+create database db;
+create table db.t1 (a int);
+insert into db.t1 values (1);
+create user foo;
+grant delete on db.* to foo;
+connect  con1,localhost,foo,,;
+show create table db.t1;
+Table	Create Table
+t1	CREATE TABLE `t1` (
+  `a` int(11) DEFAULT NULL
+) ENGINE=MyISAM DEFAULT CHARSET=latin1
+delete from db.t1 returning *;
+ERROR 42000: SELECT command denied to user 'foo'@'localhost' for column 'a' in table 't1'
+disconnect con1;
+connection default;
+drop database db;
+drop user foo;
 # End of 10.4 tests
--- a/mysql-test/main/grant5.test
+++ b/mysql-test/main/grant5.test
@@ -182,4 +182,21 @@ insert mysql.tables_priv (host,db,user,table_name,grantor,table_priv) values ('l
 flush privileges;
 delete from mysql.tables_priv where db='';

+#
+# MDEV-21560 Assertion `grant_table || grant_table_role' failed in check_grant_all_columns
+#
+create database db;
+create table db.t1 (a int);
+insert into db.t1 values (1);
+create user foo;
+grant delete on db.* to foo;
+--connect (con1,localhost,foo,,)
+show create table db.t1;
+--error ER_COLUMNACCESS_DENIED_ERROR
+delete from db.t1 returning *;
+--disconnect con1
+--connection default
+drop database db;
+drop user foo;
+
 --echo # End of 10.4 tests
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -8335,7 +8335,8 @@ bool check_grant_all_columns(THD *thd, ulong want_access_arg,

        grant_table= grant->grant_table_user;
        grant_table_role= grant->grant_table_role;
-        DBUG_ASSERT (grant_table || grant_table_role);
+        if (!grant_table && !grant_table_role)
+          goto err;
      }
    }