MDEV-7280 DATABASE: CREATE OR REPLACE

A clean-up: require CREATE+DROP privileges for "CREATE OR REPLACE DATABASE",
instead of just CREATE privilege.

mysql-test/r/create_or_replace_permission.result

@@ -0,0 +1,40 @@
+#
+# Tests for checking permission denied on CREATE OR REPLACE if DROP
+# access is revoked
+#
+# These statements do not need special tests for CREATE OR REPLACE,
+# because they do not have separate permissions for create and drop:
+# CREATE OR REPLACE EVENT (uses EVENT_ACL for both CREATE and DROP)
+# CREATE OR DROP SERVER (uses SUPER_ALC for both CREATE and DROP)
+# CREATE OR DROP TRIGGER (uses TRIGGER_ACL for both CREATE and DROP)
+SELECT CURRENT_USER;
+CURRENT_USER
+root@localhost
+CREATE DATABASE db1;
+GRANT ALL ON db1.* TO mysqltest_1@localhost;
+REVOKE DROP ON db1.* FROM mysqltest_1@localhost;
+REVOKE ALTER ROUTINE ON db1.* FROM mysqltest_1@localhost;
+GRANT DELETE ON mysql.* TO mysqltest_1@localhost;
+REVOKE DELETE ON mysql.* FROM mysqltest_1@localhost;
+FLUSH PRIVILEGES;
+SELECT CURRENT_USER;
+CURRENT_USER
+mysqltest_1@localhost
+CREATE DATABASE db1;
+ERROR HY000: Can't create database 'db1'; database exists
+CREATE OR REPLACE DATABASE db1;
+ERROR 42000: Access denied for user 'mysqltest_1'@'localhost' to database 'db1'
+CREATE OR REPLACE DATABASE db2;
+ERROR 42000: Access denied for user 'mysqltest_1'@'localhost' to database 'db2'
+USE db1;
+CREATE OR REPLACE TABLE t1(id INT);
+ERROR 42000: DROP command denied to user 'mysqltest_1'@'localhost' for table 't1'
+SELECT CURRENT_USER;
+CURRENT_USER
+root@localhost
+REVOKE ALL ON db1.* FROM mysqltest_1@localhost;
+DROP DATABASE IF EXISTS db2;
+Warnings:
+Note	1008	Can't drop database 'db2'; database doesn't exist
+DROP DATABASE db1;
+DROP USER mysqltest_1@localhost;

mysql-test/t/create_or_replace_permission.test

@@ -0,0 +1,67 @@
+# Grant tests not performed with embedded server
+-- source include/not_embedded.inc
+
+--echo #
+--echo # Tests for checking permission denied on CREATE OR REPLACE if DROP
+--echo # access is revoked
+--echo #
+
+--echo # These statements do not need special tests for CREATE OR REPLACE,
+--echo # because they do not have separate permissions for create and drop:
+--echo # CREATE OR REPLACE EVENT (uses EVENT_ACL for both CREATE and DROP)
+--echo # CREATE OR DROP SERVER (uses SUPER_ALC for both CREATE and DROP)
+--echo # CREATE OR DROP TRIGGER (uses TRIGGER_ACL for both CREATE and DROP)
+
+SELECT CURRENT_USER;
+CREATE DATABASE db1;
+GRANT ALL ON db1.* TO mysqltest_1@localhost;
+REVOKE DROP ON db1.* FROM mysqltest_1@localhost;
+REVOKE ALTER ROUTINE ON db1.* FROM mysqltest_1@localhost;
+GRANT DELETE ON mysql.* TO mysqltest_1@localhost;
+REVOKE DELETE ON mysql.* FROM mysqltest_1@localhost;
+FLUSH PRIVILEGES;
+
+connect (user_a, localhost, mysqltest_1,,);
+connection user_a;
+SELECT CURRENT_USER;
+
+# mysqltest_1 has CREATE privilege on db1
+--error ER_DB_CREATE_EXISTS
+CREATE DATABASE db1;
+
+# mysqltest_1 has no DROP privilege on db1
+--error ER_DBACCESS_DENIED_ERROR
+CREATE OR REPLACE DATABASE db1;
+
+# mysqltest_1 has no any privileges on db2
+--error ER_DBACCESS_DENIED_ERROR
+CREATE OR REPLACE DATABASE db2;
+
+USE db1;
+--error ER_TABLEACCESS_DENIED_ERROR
+CREATE OR REPLACE TABLE t1(id INT);
+
+#TODO: add this when "MDEV-5359 CREATE OR REPLACE..." is done
+#DELIMITER $;
+#--error ER_PROCACCESS_DENIED_ERROR
+#CREATE OR REPLACE PROCEDURE proc1 (OUT cnt INT) BEGIN SELECT COUNT(*) INTO cnt FROM t1; END$
+#DELIMITER ;$
+#
+#--error ER_DBACCESS_DENIED_ERROR
+#CREATE OR REPLACE FUNCTION lookup RETURNS STRING SONAME "udf_example.so";
+#
+#--error ER_PROCACCESS_DENIED_ERROR
+#CREATE OR REPLACE FUNCTION hello(str char(20)) RETURNS TEXT RETURN CONCAT('Hello, ', str, '!');
+#
+#--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+#CREATE OR REPLACE USER u1@localhost;
+#
+#--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+#CREATE OR REPLACE ROLE developer;
+
+connection default;
+SELECT CURRENT_USER;
+REVOKE ALL ON db1.* FROM mysqltest_1@localhost;
+DROP DATABASE IF EXISTS db2;
+DROP DATABASE db1;
+DROP USER mysqltest_1@localhost;

sql/sql_parse.cc

@@ -4298,7 +4298,9 @@ mysql_execute_command(THD *thd)
       }
     }
 #endif
-    if (check_access(thd, CREATE_ACL, lex->name.str, NULL, NULL, 1, 0))
+    if (check_access(thd, lex->create_info.or_replace() ?
+                          (CREATE_ACL | DROP_ACL) : CREATE_ACL,
+                     lex->name.str, NULL, NULL, 1, 0))
       break;
     WSREP_TO_ISOLATION_BEGIN(lex->name.str, NULL, NULL)
     res= mysql_create_db(thd, lex->name.str, lex->create_info, &create_info);