Bug #5148 Views: ALTER VIEW leads to privilege problems and crashes
Submitted: 23 Aug 2004 0:32 Modified: 8 Oct 2004 9:15
Reporter: Peter Gulutzan Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server Severity:S3 (Non-critical)
Version:5.0.2-alpha-debug OS:Linux (SuSE 8.2)
Assigned to: Oleksandr Byelkin CPU Architecture:Any

[23 Aug 2004 0:32] Peter Gulutzan 
Description:
MySQL allows ALTER VIEW. This is not standard. 
And it leads to trouble. Here are two kinds of trouble. 
 
1. Privilege problems. 
User root grants CREATE VIEW privileges to alice. 
User root grants UPDATE (on view v) privilege to alice. 
Alice says ALTER VIEW -- accessing a table which she has no rights to. 
Alice can now use view v to see what's in the table she has no rights to. 
 
2. Crashes. 
To make MySQL go into an infinite loop, 
all I have to do is make a view A that 
depends on view B, then alter view B 
so that it depends on view A. 

How to repeat:
mysql> create table t (s1 int); 
ERROR 1050 (42S01): Table 't' already exists 
mysql> create view v1 as select * from t; 
Query OK, 0 rows affected (0.00 sec) 
 
mysql> create view v2 as select * from v1; 
Query OK, 0 rows affected (0.01 sec) 
 
mysql> alter view v1 as select * from v2; 
Query OK, 0 rows affected (0.00 sec) 
 
mysql> show create table v1; 
 
 

Suggested fix:
Don't support ALTER VIEW! It's dangerous and nobody needs it. 
Also: I can create view v1 based on t, create view v2 based on v1, 
drop v1, then create view v1 again, provided I have the same 
column names as before. This leads to similar trouble.
[7 Oct 2004 12:44] Oleksandr Byelkin 
ChangeSet 
  1.1637 04/10/07 15:43:04 bell@sanja.is.com.ua +8 -0 
  test of DELETE privilege and cyclic reference added in case of altering view (BUG#5148) 
  fixed ALTER VIEW syntax 
  fixed WITH CHECK OPTION clause printing in SHOW CREATE VIEW
[8 Oct 2004 9:15] Oleksandr Byelkin 
Thank you for bugreport! bugfix is pushed into our source repository