Bug #26813 | Super privilege required when altering a view | ||
---|---|---|---|
Submitted: | 3 Mar 2007 0:18 | Modified: | 4 Apr 2007 4:28 |
Reporter: | Omer Barnir (OCA) | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: Security: Privileges | Severity: | S3 (Non-critical) |
Version: | 5.0.36 | OS: | Linux (Linux/ All) |
Assigned to: | Evgeny Potemkin | CPU Architecture: | Any |
[3 Mar 2007 0:18]
Omer Barnir
[3 Mar 2007 0:19]
Omer Barnir
Observed on Linux (Suse 10.1) but likely to be generic
[3 Mar 2007 0:20]
Omer Barnir
mysqltest test case
Attachment: bug26813.test (application/octet-stream, text), 1.12 KiB.
[22 Mar 2007 14:39]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:
http://lists.mysql.com/commits/22646
ChangeSet@1.2486, 2007-03-22 17:35:48+03:00, evgen@moonbone.local +3 -0
Bug#26813: The SUPER privilege is wrongly required to alter a view created by another user.
When the DEFINER clause isn't specified in the ALTER statement then it's loaded from the view definition. If the definer differs from the current user then the error is thrown because only a super-user can set other users as definers.
Now if the DEFINER clause is omitted in the ALTER VIEW statement then the definer from the original view is used without a check.
[22 Mar 2007 19:07]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:
http://lists.mysql.com/commits/22681
ChangeSet@1.2486, 2007-03-22 22:05:19+03:00, evgen@moonbone.local +3 -0
Bug#26813: The SUPER privilege is wrongly required to alter a view created by another user.
When the DEFINER clause isn't specified in the ALTER statement then it's loaded from the view definition. If the definer differs from the current user then the error is thrown because only a super-user can set other users as definers.
Now if the DEFINER clause is omitted in the ALTER VIEW statement then the definer from the original view is used without a check.
[22 Mar 2007 20:15]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:
http://lists.mysql.com/commits/22697
ChangeSet@1.2495, 2007-03-22 23:13:40+03:00, evgen@moonbone.local +1 -0
sql_view.cc: Post-fix for bug#26813.
[23 Mar 2007 13:53]
Alexey Botchkov
Pushed in 5.0.40 and 5.1.18
[4 Apr 2007 4:28]
Paul DuBois
Noted in 5.0.40, 5.1.18 changelogs. ALTER VIEW requires the CREATE VIEW and DROP privileges for the view. However, if the view was created by another user, the server erroneously required the SUPER privilege.
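
The scenario from this report as an added SQL walk-through; it is not the attached bug26813.test and not code from the MySQL source tree. The schema, account names and passwords are constructed placeholders, each `-- session` comment marks a separate client connection logged in as the named account, and the extra SELECT grant for the altering account is an assumption so that it can read the columns named in the new view body.

```sql
-- Constructed reproduction: all names and passwords below are placeholders.

-- session 1: administrative account (holds SUPER)
CREATE DATABASE bug26813_demo;
CREATE TABLE bug26813_demo.t1 (id INT, note VARCHAR(32));
CREATE USER 'view_owner'@'localhost'  IDENTIFIED BY 'placeholder-1';
CREATE USER 'view_editor'@'localhost' IDENTIFIED BY 'placeholder-2';
GRANT SELECT, CREATE VIEW ON bug26813_demo.* TO 'view_owner'@'localhost';
-- The editor gets what ALTER VIEW is documented to need (CREATE VIEW and DROP)
-- plus SELECT on the underlying table. It does NOT get SUPER.
GRANT SELECT, CREATE VIEW, DROP ON bug26813_demo.* TO 'view_editor'@'localhost';

-- session 2: connected as view_owner
-- No DEFINER clause, so the stored definer is view_owner@localhost.
CREATE VIEW bug26813_demo.v1 AS
  SELECT id FROM bug26813_demo.t1;

-- session 3: connected as view_editor
-- DEFINER is omitted, so the server loads it from the existing view.
-- 5.0.36: rejected, because the loaded definer differs from the current
--         user and the server then demands SUPER.
-- 5.0.40 / 5.1.18: accepted, and the original definer is kept.
ALTER VIEW bug26813_demo.v1 AS
  SELECT id, note FROM bug26813_demo.t1;

-- Explicitly naming another account as definer is the operation the commit
-- message reserves for a super-user, so this is still expected to be
-- rejected for view_editor after the fix.
ALTER DEFINER = 'view_owner'@'localhost' VIEW bug26813_demo.v1 AS
  SELECT id FROM bug26813_demo.t1;

-- session 1: confirm that the definer was preserved by the successful ALTER
SHOW CREATE VIEW bug26813_demo.v1;
SELECT TABLE_NAME, DEFINER, SECURITY_TYPE
  FROM information_schema.VIEWS
 WHERE TABLE_SCHEMA = 'bug26813_demo';

-- session 1: cleanup
DROP DATABASE bug26813_demo;
DROP USER 'view_owner'@'localhost';
DROP USER 'view_editor'@'localhost';
```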