Bug #7291 Stored procedures: wrong CURRENT_USER value
Submitted: 14 Dec 2004 17:35
Modified: 17 Jul 2005 0:47
Reporter: Peter Gulutzan
Status: Closed
Category: MySQL Server
Severity: S3 (Non-critical)
Version: 5.0.3-alpha-debug
OS: Linux (SUSE 9.2)
Assigned to: Oleksandr Byelkin
CPU Architecture: Any

[14 Dec 2004 17:35] Peter Gulutzan
Description:
If a stored procedure characteristic is SQL SECURITY DEFINER, 
then CURRENT_USER should be the "routine authorization" user, 
which in MySQL's case is the creator of the procedure. 
But instead, CURRENT_USER is the user who CALLs the procedure. 
 

How to repeat:
As user root, say: 
 
mysql> create procedure p () sql security definer select current_user; 
Query OK, 0 rows affected (0.05 sec) 
 
As user pierre, who has been granted ALL PRIVILEGES in the database 
that procedure p is in, say: 
 
mysql> call p(); 
+--------------+ 
| current_user | 
+--------------+ 
| pierre@%     | 
+--------------+ 
1 row in set (0.00 sec) 
 
Query OK, 0 rows affected (0.00 sec)
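
The semantics the report describes, as an added example that is not part of the original report or of MySQL's own test suite: the same body under both SQL SECURITY settings, plus an inventory query for routines that run with their creator's privileges. The database name `test`, the procedure names, and the account hosts `'root'@'localhost'` and `'pierre'@'%'` are assumptions.

```sql
-- Constructed example. Assumed: database `test`; accounts 'root'@'localhost'
-- and 'pierre'@'%', with pierre holding ALL PRIVILEGES on `test` as in the report.

-- As root ------------------------------------------------------------------
USE test;

-- DEFINER: privilege checks inside the body, and CURRENT_USER(), refer to
-- the account that created the routine.
CREATE PROCEDURE p_definer () SQL SECURITY DEFINER
  SELECT CURRENT_USER() AS effective_account,  -- account used for privilege checks
         USER()         AS session_account;    -- account the client connected as

-- INVOKER: the same body, but evaluated with the caller's account.
CREATE PROCEDURE p_invoker () SQL SECURITY INVOKER
  SELECT CURRENT_USER() AS effective_account,
         USER()         AS session_account;

-- As pierre ----------------------------------------------------------------
-- Compare effective_account between the two calls. A server showing the
-- behaviour in this report returns the caller's account for both.
CALL test.p_definer();
CALL test.p_invoker();

-- As an administrator ------------------------------------------------------
-- Inventory of routines that execute with their creator's privileges, so the
-- DEFINER account of each can be reviewed against least privilege.
SELECT ROUTINE_SCHEMA,
       ROUTINE_NAME,
       ROUTINE_TYPE,
       DEFINER,
       SECURITY_TYPE
FROM   information_schema.ROUTINES
WHERE  SECURITY_TYPE = 'DEFINER'
ORDER  BY DEFINER, ROUTINE_SCHEMA, ROUTINE_NAME;
```

Logging `CURRENT_USER()` alone from inside a definer routine records the routine's creator, so audit code that needs the caller should record `USER()` as well.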
[14 Jul 2005 9:19] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/27055
[15 Jul 2005 16:40] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/27185
[15 Jul 2005 20:22] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/27193
[15 Jul 2005 21:02] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/27198
[16 Jul 2005 5:40] Oleksandr Byelkin
pushed to 5.0.10
[17 Jul 2005 0:47] Paul DuBois
Noted in 5.0.10 changelog.