MDEV-29752 SHOW GRANTS for PUBLIC should work for all users

vuvova · vuvova · commit 5dc804c3bb30 · 2022-11-02T00:31:20.000+01:00
diff --git a/mysql-test/main/public_privileges.result b/mysql-test/main/public_privileges.result
@@ -319,3 +319,26 @@ drop database testdb1;
 # clean up
 delete from mysql.global_priv where user="PUBLIC";
 flush privileges;
+#
+# MDEV-29752 SHOW GRANTS FOR PUBLIC should work for all users
+#
+create database dbtest;
+create user `testuser`@`%`;
+GRANT USAGE ON *.* TO `testuser`@`%`;
+GRANT ALL PRIVILEGES ON `dbtest`.* TO `PUBLIC`;
+connect  testuser,localhost,testuser,,;
+show grants for public;
+Grants for PUBLIC
+GRANT ALL PRIVILEGES ON `dbtest`.* TO PUBLIC
+show grants for testuser;
+Grants for testuser@%
+GRANT USAGE ON *.* TO `testuser`@`%`
+connection default;
+disconnect testuser;
+REVOKE ALL PRIVILEGES ON `dbtest`.* FROM `PUBLIC`;
+REVOKE USAGE ON *.* FROM `testuser`@`%`;
+drop user `testuser`@`%`;
+drop database dbtest;
+# clean up
+delete from mysql.global_priv where user="PUBLIC";
+flush privileges;
diff --git a/mysql-test/main/public_privileges.test b/mysql-test/main/public_privileges.test
@@ -380,3 +380,30 @@ drop database testdb1;
 -- echo # clean up
 delete from mysql.global_priv where user="PUBLIC";
 flush privileges;
+
+--echo #
+--echo # MDEV-29752 SHOW GRANTS FOR PUBLIC should work for all users
+--echo #
+
+create database dbtest;
+create user `testuser`@`%`;
+
+GRANT USAGE ON *.* TO `testuser`@`%`;
+GRANT ALL PRIVILEGES ON `dbtest`.* TO `PUBLIC`;
+
+connect (testuser,localhost,testuser,,);
+
+show grants for public;
+show grants for testuser;
+
+connection default;
+disconnect testuser;
+
+REVOKE ALL PRIVILEGES ON `dbtest`.* FROM `PUBLIC`;
+REVOKE USAGE ON *.* FROM `testuser`@`%`;
+drop user `testuser`@`%`;
+drop database dbtest;
+
+-- echo # clean up
+delete from mysql.global_priv where user="PUBLIC";
+flush privileges;
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
@@ -7726,7 +7726,7 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list, bool revoke)
 
     if (has_auth(user, thd->lex))
       DBUG_ASSERT(!grantee);
-    else if (!grantee)
+    else if (!grantee && !user->is_public)
       grantee= find_user_exact(hostname.str, username.str);
 
     if (!grantee && !revoke)
@@ -9464,7 +9464,7 @@ bool get_show_user(THD *thd, LEX_USER *lex_user, const char **username,
   if (lex_user->is_role())
   {
     *rolename= lex_user->user.str;
-    do_check_access= strcmp(*rolename, sctx->priv_role);
+    do_check_access= !lex_user->is_public && strcmp(*rolename, sctx->priv_role);
   }
   else
   {

Original file line number	Diff line number	Diff line change
`@@ -7726,7 +7726,7 @@ bool mysql_grant_role(THD *thd, List <LEX_USER> &list, bool revoke)`
`7726`	`7726`
`7727`	`7727`	`if (has_auth(user, thd->lex))`
`7728`	`7728`	`DBUG_ASSERT(!grantee);`
`7729`		`- else if (!grantee)`
	`7729`	`+ else if (!grantee && !user->is_public)`
`7730`	`7730`	`grantee= find_user_exact(hostname.str, username.str);`
`7731`	`7731`
`7732`	`7732`	`if (!grantee && !revoke)`
`@@ -9464,7 +9464,7 @@ bool get_show_user(THD thd, LEX_USER lex_user, const char **username,`
`9464`	`9464`	`if (lex_user->is_role())`
`9465`	`9465`	`{`
`9466`	`9466`	`*rolename= lex_user->user.str;`
`9467`		`- do_check_access= strcmp(*rolename, sctx->priv_role);`
	`9467`	`+ do_check_access= !lex_user->is_public && strcmp(*rolename, sctx->priv_role);`
`9468`	`9468`	`}`
`9469`	`9469`	`else`
`9470`	`9470`	`{`