1 files changed, 4 insertions, 5 deletions

diff --git a/sql/sql_show.cc b/sql/sql_show.cc
index 7bde0b03232..2d6acc1a07b 100644
--- a/sql/sql_show.cc
+++ b/sql/sql_show.cc
@@ -1393,6 +1393,7 @@ bool mysqld_show_create_db(THD *thd, LEX_CSTRING *dbname,
 #ifndef NO_EMBEDDED_ACCESS_CHECKS
   Security_context *sctx= thd->security_ctx;
   privilege_t db_access(NO_ACL);
+  privilege_t deny_mask= acl_get_effective_deny_mask(sctx, *dbname);
 #endif
   Schema_specification_st create;
   Protocol *protocol=thd->protocol;
@@ -1405,9 +1406,9 @@ bool mysqld_show_create_db(THD *thd, LEX_CSTRING *dbname,
   else
     db_access= sctx->master_access |
                  acl_get_current_auth(sctx, dbname->str, false);
+  db_access&= ~deny_mask;
 
-  // TODO(cvicentiu) Denies...
-  if (!(db_access & DB_ACLS) && check_grant_db(sctx, dbname->str, NO_ACL))
+  if (!(db_access & DB_ACLS) && check_grant_db(sctx, dbname->str, deny_mask))
   {
     status_var_increment(thd->status_var.access_denied_errors);
     my_error(ER_DBACCESS_DENIED_ERROR, MYF(0),
@@ -5432,9 +5433,7 @@ int fill_schema_schemata(THD *thd, TABLE_LIST *tables, COND *cond)
       continue;
     }
 #ifndef NO_EMBEDDED_ACCESS_CHECKS
-    privilege_t deny_mask= NO_ACL;
-    if (sctx->denies_active)
-      deny_mask= acl_get_effective_deny_mask(sctx, *db_name);
+    privilege_t deny_mask= acl_get_effective_deny_mask(sctx, *db_name);
 
     if ((sctx->master_access & ~deny_mask) & (DB_ACLS | SHOW_DB_ACL) ||
         (acl_get_current_auth(sctx, db_name->str, false) & ~deny_mask)||