Bug #47718 SHOW VIEW without SELECT privileges lets a user see a view definition
Submitted: 29 Sep 2009 15:11 Modified: 3 Dec 2010 9:43
Reporter: Martin Hansson Email Updates:
Status: Duplicate Impact on me:
None 
Category:MySQL Server: Security: Privileges Severity:S3 (Non-critical)
Version:5.0+ OS:Any
Assigned to: Assigned Account CPU Architecture:Any

[29 Sep 2009 15:11] Martin Hansson 
Description:
According to the manual SHOW VIEW and SELECT privileges are necessary to display a view definition. But only SHOW VIEW appears to suffice.

How to repeat:
see attached test case.
[29 Sep 2009 15:11] Martin Hansson 
Failing test case

Attachment: bug.test (application/octet-stream, text), 390 bytes.
[29 Sep 2009 16:55] MySQL Verification Team 
Thank you for the bug report.
[2 Dec 2010 22:14] Sveta Smirnova 
See also bug #58677
[3 Dec 2010 9:43] Guilhem Bichot 
This was fixed in 5.5 as part of BUG#27145, which has commit comment:
"      The patch also fixes privilege checks for:
...
       - SHOW CREATE VIEW: Requires SHOW_VIEW and SELECT on the table level
       (just as the manual claims)"

I verified that the testcase passes in 5.5 and fails in 5.1.