Bug #12812 create view calling a function works without execute right on function
Submitted: 25 Aug 2005 17:47 Modified: 23 Sep 2005 18:09
Reporter: Matthias Leich Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Optimizer Severity:S3 (Non-critical)
Version:5.0 OS:
Assigned to: Evgeny Potemkin CPU Architecture:Any

[25 Aug 2005 17:47] Matthias Leich
Description:
Testcase initiated by Trudy:

There is a function db_test1.test_func1
owned by    root'@'localhost .
The low privileged user    test_user'@'localhost
has no EXECUTE privilege for this function.

test_user'@'localhost     should be not able 
to create a view calling this function.

Unfortunately the CREATE VIEW statement
does not fail.

My environment:
   - Intel PC with Linux(SuSE 9.3)
   - MySQL compiled from source
        Version 5.0 ChangeSet@1.1906, 2005-08-23

How to repeat:
Please use the attached testcase ml063.test.

  copy it to mysql-test/t
  echo "Dummy" > r/ml063.result   # Produce a dummy file with 
                                                   # expected results
  ./mysql-test-run ml063
   inspect r/ml063.reject
[25 Aug 2005 17:48] Matthias Leich
testcase

Attachment: ml063.test (application/test, text), 1.38 KiB.

[13 Sep 2005 21:28] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/29771
[19 Sep 2005 22:00] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/30070
[19 Sep 2005 23:04] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/30071
[20 Sep 2005 18:28] Evgeny Potemkin
Execution rigths on function was checked just before function execution,
  thus it was unknown on prepare stage whether user have right to execute 
  particular function.

Fixed in 5.0.14, cset 1.1926.1.1
[23 Sep 2005 18:09] Paul DuBois
Noted in 5.0.14 changelog.
[16 Oct 2005 18:47] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/31149