MDEV-9580 SHOW GRANTS FOR <current_user> fails

use get_current_user() to distinguish user name without
a hostname and a role name.

move privilege checks inside mysql_show_grants() to remove
duplicate get_current_user() calls

mysql-test/r/grant5.result

@@ -1,2 +1,18 @@
 SHOW GRANTS FOR root@invalid_host;
 ERROR 42000: There is no such grant defined for user 'root' on host 'invalid_host'
+create user test;
+create user foo;
+create role foo;
+grant foo to test;
+set role foo;
+show grants for test;
+Grants for test@%
+GRANT foo TO 'test'@'%'
+GRANT USAGE ON *.* TO 'test'@'%'
+show grants for foo;
+Grants for foo
+GRANT USAGE ON *.* TO 'foo'
+show grants for foo@'%';
+ERROR 42000: Access denied for user 'test'@'%' to database 'mysql'
+drop user test, foo;
+drop role foo;

mysql-test/t/grant5.test

@@ -5,3 +5,21 @@
 #
 --error ER_NONEXISTING_GRANT
 SHOW GRANTS FOR root@invalid_host;
+
+#
+# MDEV-9580 SHOW GRANTS FOR <current_user> fails
+#
+create user test;
+create user foo;
+create role foo;
+grant foo to test;
+--connect (conn_1, localhost, test,,)
+set role foo;
+show grants for test; # user
+show grants for foo;  # role
+--error ER_DBACCESS_DENIED_ERROR
+show grants for foo@'%'; # user
+--connection default
+drop user test, foo;
+drop role foo;
+

sql/sql_acl.cc

@@ -7559,9 +7559,6 @@ bool mysql_show_grants(THD *thd, LEX_USER *lex_user)
     DBUG_RETURN(TRUE);
   }
 
-  mysql_rwlock_rdlock(&LOCK_grant);
-  mysql_mutex_lock(&acl_cache->lock);
-
   if (lex_user->user.str == current_user.str)
   {
     username= thd->security_ctx->priv_user;
@@ -7579,23 +7576,28 @@ bool mysql_show_grants(THD *thd, LEX_USER *lex_user)
   }
   else
   {
-    lex_user= get_current_user(thd, lex_user, false);
+    Security_context *sctx= thd->security_ctx;
+    bool do_check_access;
+
+    lex_user= get_current_user(thd, lex_user);
     if (!lex_user)
-    {
-      mysql_mutex_unlock(&acl_cache->lock);
-      mysql_rwlock_unlock(&LOCK_grant);
       DBUG_RETURN(TRUE);
-    }
 
     if (lex_user->is_role())
     {
       rolename= lex_user->user.str;
+      do_check_access= strcmp(rolename, sctx->priv_role);
     }
     else
     {
       username= lex_user->user.str;
       hostname= lex_user->host.str;
+      do_check_access= strcmp(username, sctx->priv_user) ||
+                       strcmp(hostname, sctx->priv_host);
     }
+
+    if (do_check_access && check_access(thd, SELECT_ACL, "mysql", 0, 0, 1, 0))
+      DBUG_RETURN(TRUE);
   }
   DBUG_ASSERT(rolename || username);
 
@@ -7610,12 +7612,10 @@ bool mysql_show_grants(THD *thd, LEX_USER *lex_user)
   field_list.push_back(field);
   if (protocol->send_result_set_metadata(&field_list,
                                          Protocol::SEND_NUM_ROWS | Protocol::SEND_EOF))
-  {
-    mysql_mutex_unlock(&acl_cache->lock);
-    mysql_rwlock_unlock(&LOCK_grant);
-
     DBUG_RETURN(TRUE);
-  }
+
+  mysql_rwlock_rdlock(&LOCK_grant);
+  mysql_mutex_lock(&acl_cache->lock);
 
   if (username)
   {

sql/sql_parse.cc

@@ -4374,21 +4374,10 @@ case SQLCOM_PREPARE:
   case SQLCOM_SHOW_GRANTS:
   {
     LEX_USER *grant_user= lex->grant_user;
-    Security_context *sctx= thd->security_ctx;
     if (!grant_user)
       goto error;
 
-    if (grant_user->user.str && !strcmp(sctx->priv_user, grant_user->user.str) &&
-        grant_user->host.str && !strcmp(sctx->priv_host, grant_user->host.str))
-      grant_user->user= current_user;
-
-    if (grant_user->user.str == current_user.str ||
-        grant_user->user.str == current_role.str ||
-        grant_user->user.str == current_user_and_current_role.str ||
-        !check_access(thd, SELECT_ACL, "mysql", NULL, NULL, 1, 0))
-    {
-      res = mysql_show_grants(thd, grant_user);
-    }
+    res = mysql_show_grants(thd, grant_user);
     break;
   }
 #endif