Bug #8887 TRIGGERS: Create trigger succeeds even when user does not have SELECT privilege
Submitted: 2 Mar 2005 12:34 Modified: 22 Dec 2005 21:52
Reporter: Disha Email Updates:
Status: Duplicate Impact on me:
None 
Category:MySQL Server Severity:S2 (Serious)
Version:5.0.2 OS:Windows (Windows Server 2003)
Assigned to: Assigned Account CPU Architecture:Any

[2 Mar 2005 12:34] Disha 
Description:
When a user tries to create a TRIGGER with contruct 'SET <target>= OLD.col_name' in the Trigger definition SUCCEEDS even when the user does not have SELECT privileges on the referenced column i.e.'col_name'

Test case : 	
3.5.3 - #8 Ensure that use of the construct "SET <target> = NEW.<column name>" fails at CREATE TRIGGER time, if the current user does not have the SELECT privilege on the column specified.

How to repeat:
Repro Steps : 	

1. Create a database test1;

2. Use test1;	

3. Create table 't1' with fields 'f1' and 'f2' by executing the following SQL statement:

	CREATE TABLE t1 (f1 INT, f2 INT);

4. Insert into t1 values (1,1),(2,2),(3,3);
		
5. Create User 'Test_User1';

6. Grant SELECT(f2) on test1.* to 'Test_user1';
		
7. Grant SUPER on *.* to 'Test_user1';

8. Flush Privileges;

9. Reconnect to the MySQL server with the credentials of 'Test_user1'

10. Use Test1;

11. Select f1 from t1;

12.Try to create a trigger with the following definition:

	Create Trigger TRG1 before delete on t1 for each row SET @var1=OLD.f1;

Expected Results :  The SELECT statement in Step 11 should fail as the user does not have SELECT permission and also the TRIGGER creation in Step 12 should subsequently fail.
		

Actual Results :    The SELECT statement in Step 11 fails as expected but, the TRIGGER creation succeeds without any errors.
[22 Dec 2005 21:52] Alexander Nozdrin 
This problem is addressed by the following bug reports:
  - BUG#15166: Wrong update permissions required to execute triggers
  - Bug #15196: Wrong select permission required to execute triggers