Bug #17522 MTK not generating SQL SECURITY clauses
Submitted: 17 Feb 2006 12:17 Modified: 11 Feb 16:00
Reporter: Kristian Koehntopp
Status: Verified
Category:MySQL Workbench Severity:S4 (Feature request)
Version:1.0.23, 1.1.16 OS:Microsoft Windows (Windows)
Assigned to: Target Version:WB60
Triage: Triaged: D2 (Serious) / R3 (Medium) / E3 (Medium)

[17 Feb 2006 12:17] Kristian Koehntopp 
Description:
When porting VIEWS, MTK does not generate SQL SECURITY INVOKER clauses. The default for
missing SQL SECURITY clauses is SQL SECURITY DEFINER, so all VIEW will ultimately run by
default as the user who did the migration, often "root".

This is even more important when MTK migrates FUNCTIONS, PROCEDURES and TRIGGERS
sometimes.

How to repeat:
Run a migration with VIEWS, SHOW CREATE VIEW ... the resulting view.

Suggested fix:
Generate SQL SECURITY INVOKER clauses by default.
Actually look at the source definitions, and if the source view has SQL SECURITY like
information try to port it. Also port DEFINER information, if possible (requires
migration of grant tables as well!).
[11 Feb 16:00] Susanne Ebrecht 
Many thanks for pointing this out.

Because this is a security risk this is a bug and not just a feature.

Verified as described by using actual version.