Bug #9505 Views: privilege needed on underlying function
Submitted: 31 Mar 2005 0:32 Modified: 31 Oct 2005 19:28
Reporter: Peter Gulutzan Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server Severity:S3 (Non-critical)
Version:5.0.4-beta-debug OS:Linux (SUSE 9.2)
Assigned to: Oleksandr Byelkin CPU Architecture:Any

[31 Mar 2005 0:32] Peter Gulutzan
Description:
If I have SELECT privilege on a view, I should not need EXECUTE privilege on the view's underlying function(s). But I do.

This bug will be easier to reproduce after bug#8137 is fixed.

How to repeat:
As user root, say:

mysql> delimiter //
mysql> create database db36//
Query OK, 1 row affected (0.00 sec)

mysql> use db36//
Database changed

mysql> create table t1 (s1 int)//
Query OK, 0 rows affected (0.01 sec)

mysql> grant select on t1 to user21@localhost//
Query OK, 0 rows affected (0.00 sec)

As user user21@localhost (on another shell and another copy of mysql client), say:

mysql> use db36;
Reading table information for completion of table and column names ...

As user root, say:

mysql> create table t2 (s1 int)//
Query OK, 0 rows affected (0.00 sec)

mysql> create function f2 () returns int begin declare v int; select s1 from t2 into v; return v; end//
Query OK, 0 rows affected (0.00 sec)

mysql> create view v2 as select f2()//
Query OK, 0 rows affected (0.00 sec)

mysql> grant select on v2 to user21@localhost//
Query OK, 0 rows affected (0.00 sec)

As user user21@localhost, say:

mysql> select * from v2;
ERROR 1370 (42000): execute command denied to user 'user21'@'localhost' for routine 'db36.f2'
[1 Jul 2005 9:21] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/26580
[3 Jul 2005 20:21] Michael Widenius
Basic patch is ok, but the following needs yet to be done:
- Check during view create time that the creator of the view has right to execute the functions
- Add tests that shows that one can't create a view with a function that one doesn't have execute permission to
Same goes for prepared statements:
- Add example of preparation in PS statement with SP on which you have not rights
[18 Sep 2005 23:19] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/30026
[27 Oct 2005 21:19] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/internals/31583
[28 Oct 2005 12:04] Oleksandr Byelkin
Thank you for bugreport!
Bugfix pushed to the 5.0.16 tree
[31 Oct 2005 19:28] Paul Dubois
Noted in 5.0.16 changelog.