# Can't test with embedded server -- source include/not_embedded.inc # simple test of grants grant create view on test.* to test@localhost; show grants for test@localhost; revoke create view on test.* from test@localhost; show grants for test@localhost; # The grant above creates a new user test@localhost, delete it drop user test@localhost; # grant create view test # connect (root,localhost,root,,test); connection root; --disable_warnings create database mysqltest; --enable_warnings create table mysqltest.t1 (a int, b int); create table mysqltest.t2 (a int, b int); grant select on mysqltest.t1 to mysqltest_1@localhost; grant create view,select on test.* to mysqltest_1@localhost; connect (user1,localhost,mysqltest_1,,test); connection user1; -- error ER_SPECIFIC_ACCESS_DENIED create definer=root@localhost view v1 as select * from mysqltest.t1; create view v1 as select * from mysqltest.t1; # try to modify view without DROP privilege on it -- error 1142 alter view v1 as select * from mysqltest.t1; -- error 1142 create or replace view v1 as select * from mysqltest.t1; # no CRETE VIEW privilege -- error 1142 create view mysqltest.v2 as select * from mysqltest.t1; # no SELECT privilege -- error 1142 create view v2 as select * from mysqltest.t2; connection root; # check view definer information show create view v1; grant create view,drop,select on test.* to mysqltest_1@localhost; connection user1; # following 'use' command is workaround of bug #9582 and should be removed # when that bug will be fixed use test; alter view v1 as select * from mysqltest.t1; create or replace view v1 as select * from mysqltest.t1; connection root; revoke all privileges on mysqltest.t1 from mysqltest_1@localhost; revoke all privileges on test.* from mysqltest_1@localhost; drop database mysqltest; drop view test.v1; # # grants per columns # # MERGE algorithm --disable_warnings create database mysqltest; --enable_warnings create table mysqltest.t1 (a int, b int); create view mysqltest.v1 (c,d) as select a+1,b+1 from mysqltest.t1; grant select (c) on mysqltest.v1 to mysqltest_1@localhost; connection user1; select c from mysqltest.v1; # there are no privileges on column 'd' -- error 1143 select d from mysqltest.v1; connection root; revoke all privileges on mysqltest.v1 from mysqltest_1@localhost; delete from mysql.user where user='mysqltest_1'; drop database mysqltest; # TEMPORARY TABLE algorithm --disable_warnings create database mysqltest; --enable_warnings create table mysqltest.t1 (a int, b int); create algorithm=temptable view mysqltest.v1 (c,d) as select a+1,b+1 from mysqltest.t1; grant select (c) on mysqltest.v1 to mysqltest_1@localhost; connection user1; select c from mysqltest.v1; # there are no privileges on column 'd' -- error 1143 select d from mysqltest.v1; connection root; revoke all privileges on mysqltest.v1 from mysqltest_1@localhost; delete from mysql.user where user='mysqltest_1'; drop database mysqltest; # # EXPLAIN rights # connection root; --disable_warnings create database mysqltest; --enable_warnings #prepare views and tables create table mysqltest.t1 (a int, b int); create table mysqltest.t2 (a int, b int); create view mysqltest.v1 (c,d) as select a+1,b+1 from mysqltest.t1; create algorithm=temptable view mysqltest.v2 (c,d) as select a+1,b+1 from mysqltest.t1; create view mysqltest.v3 (c,d) as select a+1,b+1 from mysqltest.t2; create algorithm=temptable view mysqltest.v4 (c,d) as select a+1,b+1 from mysqltest.t2; grant select on mysqltest.v1 to mysqltest_1@localhost; grant select on mysqltest.v2 to mysqltest_1@localhost; grant select on mysqltest.v3 to mysqltest_1@localhost; grant select on mysqltest.v4 to mysqltest_1@localhost; connection user1; # all selects works select c from mysqltest.v1; select c from mysqltest.v2; select c from mysqltest.v3; select c from mysqltest.v4; # test of show coluns show columns from mysqltest.v1; show columns from mysqltest.v2; # but explain/show do not -- error 1345 explain select c from mysqltest.v1; -- error 1142 show create view mysqltest.v1; -- error 1345 explain select c from mysqltest.v2; -- error 1142 show create view mysqltest.v2; -- error 1345 explain select c from mysqltest.v3; -- error 1142 show create view mysqltest.v3; -- error 1345 explain select c from mysqltest.v4; -- error 1142 show create view mysqltest.v4; # allow to see one of underlying table connection root; grant select on mysqltest.t1 to mysqltest_1@localhost; connection user1; # EXPLAIN of view on above table works explain select c from mysqltest.v1; -- error 1142 show create view mysqltest.v1; explain select c from mysqltest.v2; -- error 1142 show create view mysqltest.v2; # but other EXPLAINs do not -- error 1345 explain select c from mysqltest.v3; -- error 1142 show create view mysqltest.v3; -- error 1345 explain select c from mysqltest.v4; -- error 1142 show create view mysqltest.v4; # allow to see any view in mysqltest database connection root; grant show view on mysqltest.* to mysqltest_1@localhost; connection user1; explain select c from mysqltest.v1; show create view mysqltest.v1; explain select c from mysqltest.v2; show create view mysqltest.v2; explain select c from mysqltest.v3; show create view mysqltest.v3; explain select c from mysqltest.v4; show create view mysqltest.v4; connection root; revoke all privileges on mysqltest.* from mysqltest_1@localhost; delete from mysql.user where user='mysqltest_1'; drop database mysqltest; # # UPDATE privileges on VIEW columns and whole VIEW # connection root; --disable_warnings create database mysqltest; --enable_warnings create table mysqltest.t1 (a int, b int, primary key(a)); insert into mysqltest.t1 values (10,2), (20,3), (30,4), (40,5), (50,10); create table mysqltest.t2 (x int); insert into mysqltest.t2 values (3), (4), (5), (6); create view mysqltest.v1 (a,c) as select a, b+1 from mysqltest.t1; create view mysqltest.v2 (a,c) as select a, b from mysqltest.t1; create view mysqltest.v3 (a,c) as select a, b+1 from mysqltest.t1; grant update (a) on mysqltest.v2 to mysqltest_1@localhost; grant update on mysqltest.v1 to mysqltest_1@localhost; grant select on mysqltest.* to mysqltest_1@localhost; connection user1; use mysqltest; # update with rights on VIEW column update t2,v1 set v1.a=v1.a+v1.c where t2.x=v1.c; select * from t1; update v1 set a=a+c; select * from t1; # update with rights on whole VIEW update t2,v2 set v2.a=v2.a+v2.c where t2.x=v2.c; select * from t1; update v2 set a=a+c; select * from t1; # no rights on column -- error 1143 update t2,v2 set v2.c=v2.a+v2.c where t2.x=v2.c; -- error 1143 update v2 set c=a+c; # no rights for view -- error 1142 update t2,v3 set v3.a=v3.a+v3.c where t2.x=v3.c; -- error 1142 update v3 set a=a+c; use test; connection root; REVOKE ALL PRIVILEGES, GRANT OPTION FROM mysqltest_1@localhost; drop database mysqltest; # # DELETE privileges on VIEW # connection root; --disable_warnings create database mysqltest; --enable_warnings create table mysqltest.t1 (a int, b int, primary key(a)); insert into mysqltest.t1 values (1,2), (2,3), (3,4), (4,5), (5,10); create table mysqltest.t2 (x int); insert into mysqltest.t2 values (3), (4), (5), (6); create view mysqltest.v1 (a,c) as select a, b+1 from mysqltest.t1; create view mysqltest.v2 (a,c) as select a, b+1 from mysqltest.t1; grant delete on mysqltest.v1 to mysqltest_1@localhost; grant select on mysqltest.* to mysqltest_1@localhost; connection user1; use mysqltest; # update with rights on VIEW column delete from v1 where c < 4; select * from t1; delete v1 from t2,v1 where t2.x=v1.c; select * from t1; # no rights for view -- error 1142 delete v2 from t2,v2 where t2.x=v2.c; -- error 1142 delete from v2 where c < 4; use test; connection root; REVOKE ALL PRIVILEGES, GRANT OPTION FROM mysqltest_1@localhost; drop database mysqltest; # # insert privileges on VIEW # connection root; --disable_warnings create database mysqltest; --enable_warnings create table mysqltest.t1 (a int, b int, primary key(a)); insert into mysqltest.t1 values (1,2), (2,3); create table mysqltest.t2 (x int, y int); insert into mysqltest.t2 values (3,4); create view mysqltest.v1 (a,c) as select a, b from mysqltest.t1; create view mysqltest.v2 (a,c) as select a, b from mysqltest.t1; grant insert on mysqltest.v1 to mysqltest_1@localhost; grant select on mysqltest.* to mysqltest_1@localhost; connection user1; use mysqltest; # update with rights on VIEW column insert into v1 values (5,6); select * from t1; insert into v1 select x,y from t2; select * from t1; # no rights for view -- error 1142 insert into v2 values (5,6); -- error 1142 insert into v2 select x,y from t2; use test; connection root; REVOKE ALL PRIVILEGES, GRANT OPTION FROM mysqltest_1@localhost; drop database mysqltest; # # test of CREATE VIEW privileges if we have limited privileges # connection root; --disable_warnings create database mysqltest; --enable_warnings create table mysqltest.t1 (a int, b int); create table mysqltest.t2 (a int, b int); grant update on mysqltest.t1 to mysqltest_1@localhost; grant update(b) on mysqltest.t2 to mysqltest_1@localhost; grant create view,update on test.* to mysqltest_1@localhost; connection user1; create view v1 as select * from mysqltest.t1; create view v2 as select b from mysqltest.t2; # There are not rights on mysqltest.v1 -- error 1142 create view mysqltest.v1 as select * from mysqltest.t1; # There are not any rights on mysqltest.t2.a -- error 1143 create view v3 as select a from mysqltest.t2; # give CREATE VIEW privileges (without any privileges for result column) connection root; create table mysqltest.v3 (b int); grant create view on mysqltest.v3 to mysqltest_1@localhost; drop table mysqltest.v3; connection user1; create view mysqltest.v3 as select b from mysqltest.t2; # give UPDATE privileges connection root; grant create view, update on mysqltest.v3 to mysqltest_1@localhost; drop view mysqltest.v3; connection user1; create view mysqltest.v3 as select b from mysqltest.t2; # give UPDATE and INSERT privilege (to get more privileges then underlying # table) connection root; grant create view, update, insert on mysqltest.v3 to mysqltest_1@localhost; drop view mysqltest.v3; connection user1; -- error 1143 create view mysqltest.v3 as select b from mysqltest.t2; # If we would get more privileges on VIEW then we have on # underlying tables => creation prohibited connection root; create table mysqltest.v3 (b int); grant select(b) on mysqltest.v3 to mysqltest_1@localhost; drop table mysqltest.v3; connection user1; -- error 1143 create view mysqltest.v3 as select b from mysqltest.t2; # Expression need select privileges -- error 1143 create view v4 as select b+1 from mysqltest.t2; connection root; grant create view,update,select on test.* to mysqltest_1@localhost; connection user1; -- error 1143 create view v4 as select b+1 from mysqltest.t2; connection root; grant update,select(b) on mysqltest.t2 to mysqltest_1@localhost; connection user1; create view v4 as select b+1 from mysqltest.t2; connection root; REVOKE ALL PRIVILEGES, GRANT OPTION FROM mysqltest_1@localhost; drop database mysqltest; drop view v1,v2,v4; # # user with global DB privileges # connection root; --disable_warnings create database mysqltest; --enable_warnings create table mysqltest.t1 (a int); grant all privileges on mysqltest.* to mysqltest_1@localhost; connection user1; use mysqltest; create view v1 as select * from t1; use test; connection root; revoke all privileges on mysqltest.* from mysqltest_1@localhost; drop database mysqltest; # # view definer grants revoking # connection root; --disable_warnings create database mysqltest; --enable_warnings create table mysqltest.t1 (a int, b int); grant select on mysqltest.t1 to mysqltest_1@localhost; grant create view,select on test.* to mysqltest_1@localhost; connection user1; create view v1 as select * from mysqltest.t1; connection root; # check view definer information show create view v1; revoke select on mysqltest.t1 from mysqltest_1@localhost; -- error ER_VIEW_INVALID select * from v1; grant select on mysqltest.t1 to mysqltest_1@localhost; select * from v1; REVOKE ALL PRIVILEGES, GRANT OPTION FROM mysqltest_1@localhost; drop view v1; drop database mysqltest; # # rights on execution of view underlying functiond (BUG#9505) # connection root; --disable_warnings create database mysqltest; --enable_warnings use mysqltest; create table t1 (a int); insert into t1 values (1); create table t2 (s1 int); --disable_warnings drop function if exists f2; --enable_warnings delimiter //; create function f2 () returns int begin declare v int; select s1 from t2 into v; return v; end// delimiter ;// create algorithm=TEMPTABLE view v1 as select f2() from t1; create algorithm=MERGE view v2 as select f2() from t1; create algorithm=TEMPTABLE SQL SECURITY INVOKER view v3 as select f2() from t1; create algorithm=MERGE SQL SECURITY INVOKER view v4 as select f2() from t1; create SQL SECURITY INVOKER view v5 as select * from v4; grant select on v1 to mysqltest_1@localhost; grant select on v2 to mysqltest_1@localhost; grant select on v3 to mysqltest_1@localhost; grant select on v4 to mysqltest_1@localhost; grant select on v5 to mysqltest_1@localhost; connection user1; use mysqltest; select * from v1; select * from v2; -- error ER_VIEW_INVALID select * from v3; -- error ER_VIEW_INVALID select * from v4; -- error ER_VIEW_INVALID select * from v5; use test; connection root; drop view v1, v2, v3, v4, v5; drop function f2; drop table t1, t2; use test; REVOKE ALL PRIVILEGES, GRANT OPTION FROM mysqltest_1@localhost; drop database mysqltest; # # revertion of previous test, definer of view lost his/her rights to execute # function # connection root; --disable_warnings create database mysqltest; --enable_warnings use mysqltest; create table t1 (a int); insert into t1 values (1); create table t2 (s1 int); --disable_warnings drop function if exists f2; --enable_warnings delimiter //; create function f2 () returns int begin declare v int; select s1 from t2 into v; return v; end// delimiter ;// grant select on t1 to mysqltest_1@localhost; grant execute on function f2 to mysqltest_1@localhost; grant create view on mysqltest.* to mysqltest_1@localhost; connection user1; use mysqltest; create algorithm=TEMPTABLE view v1 as select f2() from t1; create algorithm=MERGE view v2 as select f2() from t1; create algorithm=TEMPTABLE SQL SECURITY INVOKER view v3 as select f2() from t1; create algorithm=MERGE SQL SECURITY INVOKER view v4 as select f2() from t1; use test; connection root; create view v5 as select * from v1; revoke execute on function f2 from mysqltest_1@localhost; -- error ER_VIEW_INVALID select * from v1; -- error ER_VIEW_INVALID select * from v2; select * from v3; select * from v4; -- error ER_VIEW_INVALID select * from v5; drop view v1, v2, v3, v4, v5; drop function f2; drop table t1, t2; use test; REVOKE ALL PRIVILEGES, GRANT OPTION FROM mysqltest_1@localhost; drop database mysqltest; # # definer/invoker rights for columns # connection root; --disable_warnings create database mysqltest; --enable_warnings use mysqltest; create table t1 (a int); create table v1 (a int); insert into t1 values (1); grant select on t1 to mysqltest_1@localhost; grant select on v1 to mysqltest_1@localhost; grant create view on mysqltest.* to mysqltest_1@localhost; drop table v1; connection user1; use mysqltest; create algorithm=TEMPTABLE view v1 as select *, a as b from t1; create algorithm=MERGE view v2 as select *, a as b from t1; create algorithm=TEMPTABLE SQL SECURITY INVOKER view v3 as select *, a as b from t1; create algorithm=MERGE SQL SECURITY INVOKER view v4 as select *, a as b from t1; create view v5 as select * from v1; use test; connection root; revoke select on t1 from mysqltest_1@localhost; -- error ER_VIEW_INVALID select * from v1; -- error ER_VIEW_INVALID select * from v2; select * from v3; select * from v4; -- error ER_VIEW_INVALID select * from v5; #drop view v1, v2, v3, v4, v5; drop table t1; use test; REVOKE ALL PRIVILEGES, GRANT OPTION FROM mysqltest_1@localhost; drop database mysqltest; connection root; --disable_warnings create database mysqltest; --enable_warnings use mysqltest; create table t1 (a int); insert into t1 values (1); create algorithm=TEMPTABLE view v1 as select *, a as b from t1; create algorithm=MERGE view v2 as select *, a as b from t1; create algorithm=TEMPTABLE SQL SECURITY INVOKER view v3 as select *, a as b from t1; create algorithm=MERGE SQL SECURITY INVOKER view v4 as select *, a as b from t1; create SQL SECURITY INVOKER view v5 as select * from v4; grant select on v1 to mysqltest_1@localhost; grant select on v2 to mysqltest_1@localhost; grant select on v3 to mysqltest_1@localhost; grant select on v4 to mysqltest_1@localhost; grant select on v5 to mysqltest_1@localhost; connection user1; use mysqltest; select * from v1; select * from v2; -- error ER_VIEW_INVALID select * from v3; -- error ER_VIEW_INVALID select * from v4; -- error ER_VIEW_INVALID select * from v5; use test; connection root; drop view v1, v2, v3, v4, v5; drop table t1; use test; REVOKE ALL PRIVILEGES, GRANT OPTION FROM mysqltest_1@localhost; drop database mysqltest; # # BUG#14256: definer in view definition is not fully qualified # --disable_warnings drop view if exists v1; --enable_warnings # Backup anonymous users and remove them. (They get in the way of # the one we test with here otherwise.) create table t1 as select * from mysql.user where user=''; delete from mysql.user where user=''; flush privileges; # Create the test user grant all on test.* to 'test14256'@'%'; connect (test14256,localhost,test14256,,test); connection test14256; use test; create view v1 as select 42; show create view v1; select definer into @v1def1 from information_schema.views where table_schema = 'test' and table_name='v1'; drop view v1; create definer=`test14256`@`%` view v1 as select 42; show create view v1; select definer into @v1def2 from information_schema.views where table_schema = 'test' and table_name='v1'; drop view v1; select @v1def1, @v1def2, @v1def1=@v1def2; connection root; drop user test14256; # Restore the anonymous users. insert into mysql.user select * from t1; flush privileges; drop table t1; # # BUG#14726: freeing stack variable in case of an error of opening # a view when we have locked tables with LOCK TABLES statement. # connection root; --disable_warnings create database mysqltest; --enable_warnings use mysqltest; CREATE TABLE t1 (i INT); CREATE VIEW v1 AS SELECT * FROM t1; SHOW CREATE VIEW v1; GRANT SELECT, LOCK TABLES ON mysqltest.* TO mysqltest_1@localhost; connection user1; use mysqltest; LOCK TABLES v1 READ; -- error ER_TABLEACCESS_DENIED_ERROR SHOW CREATE TABLE v1; UNLOCK TABLES; use test; connection root; use test; drop user mysqltest_1@localhost; drop database mysqltest; # # switch to default connaction # disconnect user1; disconnect root; connection default; # # DEFINER information check # create definer=some_user@`` sql security invoker view v1 as select 1; create definer=some_user@localhost sql security invoker view v2 as select 1; show create view v1; show create view v2; drop view v1; drop view v2; # # BUG#14875: Bad view DEFINER makes SHOW CREATE VIEW fail # CREATE TABLE t1 (a INT PRIMARY KEY); INSERT INTO t1 VALUES (1), (2), (3); CREATE DEFINER = 'no-such-user'@localhost VIEW v AS SELECT a from t1; --warning 1448 SHOW CREATE VIEW v; --error 1449 SELECT * FROM v; DROP VIEW v; DROP TABLE t1; USE test;