diff --git a/mysql-test/r/create_or_replace_permission.result b/mysql-test/r/create_or_replace_permission.result
new file mode 100644
index 0000000000000..0731cbbc79e46
--- /dev/null
+++ b/mysql-test/r/create_or_replace_permission.result
@@ -0,0 +1,40 @@
+#
+# Tests for checking permission denied on CREATE OR REPLACE if DROP
+# access is revoked
+#
+# These statements do not need special tests for CREATE OR REPLACE,
+# because they do not have separate permissions for create and drop:
+# CREATE OR REPLACE EVENT (uses EVENT_ACL for both CREATE and DROP)
+# CREATE OR DROP SERVER (uses SUPER_ALC for both CREATE and DROP)
+# CREATE OR DROP TRIGGER (uses TRIGGER_ACL for both CREATE and DROP)
+SELECT CURRENT_USER;
+CURRENT_USER
+root@localhost
+CREATE DATABASE db1;
+GRANT ALL ON db1.* TO mysqltest_1@localhost;
+REVOKE DROP ON db1.* FROM mysqltest_1@localhost;
+REVOKE ALTER ROUTINE ON db1.* FROM mysqltest_1@localhost;
+GRANT DELETE ON mysql.* TO mysqltest_1@localhost;
+REVOKE DELETE ON mysql.* FROM mysqltest_1@localhost;
+FLUSH PRIVILEGES;
+SELECT CURRENT_USER;
+CURRENT_USER
+mysqltest_1@localhost
+CREATE DATABASE db1;
+ERROR HY000: Can't create database 'db1'; database exists
+CREATE OR REPLACE DATABASE db1;
+ERROR 42000: Access denied for user 'mysqltest_1'@'localhost' to database 'db1'
+CREATE OR REPLACE DATABASE db2;
+ERROR 42000: Access denied for user 'mysqltest_1'@'localhost' to database 'db2'
+USE db1;
+CREATE OR REPLACE TABLE t1(id INT);
+ERROR 42000: DROP command denied to user 'mysqltest_1'@'localhost' for table 't1'
+SELECT CURRENT_USER;
+CURRENT_USER
+root@localhost
+REVOKE ALL ON db1.* FROM mysqltest_1@localhost;
+DROP DATABASE IF EXISTS db2;
+Warnings:
+Note 1008 Can't drop database 'db2'; database doesn't exist
+DROP DATABASE db1;
+DROP USER mysqltest_1@localhost;
diff --git a/mysql-test/t/create_or_replace_permission.test b/mysql-test/t/create_or_replace_permission.test
new file mode 100644
index 0000000000000..3bb72fba6afb9
--- /dev/null
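Review bot: The header comment lists `CREATE OR DROP SERVER` and `CREATE OR DROP TRIGGER`, which are not statements, and misspells the privilege constant as `SUPER_ALC`; the real one used elsewhere in this diff's naming scheme is `SUPER_ACL`. These lines are echoed from mysql-test/t/create_or_replace_permission.test, so the fix belongs in that file's `--echo` lines (`--echo # CREATE OR REPLACE SERVER (uses SUPER_ACL for both CREATE and DROP)` and `--echo # CREATE OR REPLACE TRIGGER (uses TRIGGER_ACL for both CREATE and DROP)`) with this result file regenerated to match. Leaving the wrong statement names in an expected-output file makes it look like the server accepted them.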
+++ b/mysql-test/t/create_or_replace_permission.test 
@@ -0,0 +1,67 @@
+# Grant tests not performed with embedded server
+-- source include/not_embedded.inc
+
+--echo #
+--echo # Tests for checking permission denied on CREATE OR REPLACE if DROP
+--echo # access is revoked
+--echo #
+
+--echo # These statements do not need special tests for CREATE OR REPLACE,
+--echo # because they do not have separate permissions for create and drop:
+--echo # CREATE OR REPLACE EVENT (uses EVENT_ACL for both CREATE and DROP)
+--echo # CREATE OR DROP SERVER (uses SUPER_ALC for both CREATE and DROP)
+--echo # CREATE OR DROP TRIGGER (uses TRIGGER_ACL for both CREATE and DROP)
+
+SELECT CURRENT_USER;
+CREATE DATABASE db1;
+GRANT ALL ON db1.* TO mysqltest_1@localhost;
+REVOKE DROP ON db1.* FROM mysqltest_1@localhost;
+REVOKE ALTER ROUTINE ON db1.* FROM mysqltest_1@localhost;
+GRANT DELETE ON mysql.* TO mysqltest_1@localhost;
+REVOKE DELETE ON mysql.* FROM mysqltest_1@localhost;
+FLUSH PRIVILEGES;
+
+connect (user_a, localhost, mysqltest_1,,);
+connection user_a;
+SELECT CURRENT_USER;
+
+# mysqltest_1 has CREATE privilege on db1
+--error ER_DB_CREATE_EXISTS
+CREATE DATABASE db1;
+
+# mysqltest_1 has no DROP privilege on db1
+--error ER_DBACCESS_DENIED_ERROR
+CREATE OR REPLACE DATABASE db1;
+
+# mysqltest_1 has no any privileges on db2
+--error ER_DBACCESS_DENIED_ERROR
+CREATE OR REPLACE DATABASE db2;
+
+USE db1;
+--error ER_TABLEACCESS_DENIED_ERROR
+CREATE OR REPLACE TABLE t1(id INT);
+
+#TODO: add this when "MDEV-5359 CREATE OR REPLACE..." is done
+#DELIMITER $;
+#--error ER_PROCACCESS_DENIED_ERROR
+#CREATE OR REPLACE PROCEDURE proc1 (OUT cnt INT) BEGIN SELECT COUNT(*) INTO cnt FROM t1; END$
+#DELIMITER ;$
+#
+#--error ER_DBACCESS_DENIED_ERROR
+#CREATE OR REPLACE FUNCTION lookup RETURNS STRING SONAME "udf_example.so";
+#
+#--error ER_PROCACCESS_DENIED_ERROR
+#CREATE OR REPLACE FUNCTION hello(str char(20)) RETURNS TEXT RETURN CONCAT('Hello, ', str, '!');
+#
+#--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+#CREATE OR REPLACE USER u1@localhost;
+#
+#--error ER_SPECIFIC_ACCESS_DENIED_ERROR
+#CREATE OR REPLACE ROLE developer;
+
+connection default;
+SELECT CURRENT_USER;
+REVOKE ALL ON db1.* FROM mysqltest_1@localhost;
+DROP DATABASE IF EXISTS db2;
+DROP DATABASE db1;
+DROP USER mysqltest_1@localhost;
diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc
index ae8ab32a7ec35..5f16f153c8a0f 100644
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -4298,7 +4298,9 @@ mysql_execute_command(THD *thd)
 }
 }
 #endif
- if (check_access(thd, CREATE_ACL, lex->name.str, NULL, NULL, 1, 0))
+ if (check_access(thd, lex->create_info.or_replace() ?
+ (CREATE_ACL | DROP_ACL) : CREATE_ACL,
+ lex->name.str, NULL, NULL, 1, 0))
 break;
 WSREP_TO_ISOLATION_BEGIN(lex->name.str, NULL, NULL)
 res= mysql_create_db(thd, lex->name.str, lex->create_info, &create_info);
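Review bot: The test pins only denials and never shows that the new DROP_ACL requirement is not over-restrictive: there is no case where a user holding both CREATE and DROP on a database runs `CREATE OR REPLACE DATABASE` successfully, and no case where a user with CREATE but not DROP targets a database that does not exist yet. From the sql_parse.cc hunk the privilege check runs before mysql_create_db, so that second case is presumably denied as well; pinning it, e.g. `GRANT CREATE ON db3.* TO mysqltest_1@localhost;` then `--error ER_DBACCESS_DENIED_ERROR` / `CREATE OR REPLACE DATABASE db3;`, records that design choice in the expected result instead of leaving it implicit. The `GRANT DELETE ON mysql.*` immediately followed by `REVOKE DELETE ON mysql.*` has no net effect on mysqltest_1's privileges as far as this file shows; if it is meant to exercise a grant-table path a comment should say so, otherwise both lines should go. The comment `# mysqltest_1 has no any privileges on db2` should read `# mysqltest_1 has no privileges on db2`.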
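Review bot: The widened check carries no comment explaining why DROP_ACL is demanded even when the target database may not exist yet, which is the non-obvious consequence of keying on `or_replace()` alone before the existence lookup; a line above the `if` such as `/* OR REPLACE may drop an existing database, so require DROP_ACL in addition to CREATE_ACL */` would save the next reader from re-deriving it. The enclosing mysql_execute_command starts and ends outside the hunk. Style-wise, the ternary spread across the argument list is hard to scan; hoisting it into a local, `ulong want_access= lex->create_info.or_replace() ? (CREATE_ACL | DROP_ACL) : CREATE_ACL;`, and passing `want_access` keeps the check_access call on a single line.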