Bug #10386 A user session continues to function though the user is deleted.
Submitted: 5 May 2005 13:11 Modified: 6 May 2005 6:02
Reporter: Disha Email Updates:
Status: Closed Impact on me:
Category:MySQL Server Severity:S2 (Serious)
Version:5.0.4 Beta OS:Microsoft Windows (Windows 2003)
Assigned to: Jon Stephens CPU Architecture:Any

[5 May 2005 13:11] Disha
If a user is connected to the server and the user account is deleted from another session, the user session continues to function. In this case the user can create tables and can insert values in to the tables created by others.

How to repeat:
1. SESSION 1: Start the MySQL client and connect to the database with root user. We will call this session 1.
2. Set the delimiter to //
3. Create a database and a user and grant all privileges to the user on the database:

   create database db101//
   create user user101 identified by 'test'//
   grant all privileges on db101.* to user101//

4. SESSION 2: Once the user is created open another command line client and login with that user in this case user101 (we will call this session 2) and run the following commands.

   delimiter //
   user db101//
   create table tb101(f1 char(100))//
   insert into tb101 values('a')//

5. Now from SESSION 1 delete the user and flush privileges as follows:

   drop user user101//
   flush privileges//

6. Now from SESSION 2 try the following:
   a. insert into tb101 values('a')//
   b. create table tb102(f1 char(100))//

Expected Results: 
1. The user should not be able to insert values in the table or crate another table//

Actual Results: 
1. The user can insert values in the table and can also create another table.
2. Additionally if we create a table form SESSION 1 the user can even insert values in newly created table from SESSION 2.
[5 May 2005 13:43] Trudy Pelzer
This is not a bug, but expected behaviour. At 
the moment, the DROP USER statement deletes 
the user and all associated privileges, but the 
effect is felt only once the user in question closes
his/her session.

The DROP USER <user> DISCONNECT statement,
when implemented, will also immediately close
any open sessions for the user being dropped.
[6 May 2005 6:02] Jon Stephens
Updated documentation per Trudy; bug closed.