From b9ddeeff241071e484548f0765a6b7c799dee439 Mon Sep 17 00:00:00 2001
From: Sergei Golubchik
Date: Fri, 27 Jun 2014 09:32:55 +0200
Subject: [PATCH] MDEV-6401 SET ROLE returning ERROR 1959 Invalid role specification for valid role Use user's ip address when verifying privileges for SET ROLE (just like check_access() does)
---
mysql-test/suite/roles/ip-6401.result | 13 +++++++++++++
mysql-test/suite/roles/ip-6401.test | 13 +++++++++++++
sql/sql_acl.cc | 4 ++--
3 files changed, 28 insertions(+), 2 deletions(-)
create mode 100644 mysql-test/suite/roles/ip-6401.result
create mode 100644 mysql-test/suite/roles/ip-6401.test
diff --git a/mysql-test/suite/roles/ip-6401.result b/mysql-test/suite/roles/ip-6401.result
new file mode 100644
index 00000000000..a9876eb8273
--- /dev/null
+++ b/mysql-test/suite/roles/ip-6401.result
@@ -0,0 +1,13 @@
+create role r1;
+create user foo@'127.0.0.1';
+grant r1 to foo@'127.0.0.1';
+show grants;
+Grants for foo@127.0.0.1
+GRANT r1 TO 'foo'@'127.0.0.1'
+GRANT USAGE ON *.* TO 'foo'@'127.0.0.1'
+set role r1;
+select * from information_schema.enabled_roles;
+ROLE_NAME
+r1
+drop user foo@'127.0.0.1';
+drop role r1;
diff --git a/mysql-test/suite/roles/ip-6401.test b/mysql-test/suite/roles/ip-6401.test
new file mode 100644
index 00000000000..34d8553afa3
--- /dev/null
+++ b/mysql-test/suite/roles/ip-6401.test
@@ -0,0 +1,13 @@
+--source include/not_embedded.inc
+create role r1;
+create user foo@'127.0.0.1';
+grant r1 to foo@'127.0.0.1';
+
+--connect (con1,127.0.0.1,foo,,)
+show grants;
+set role r1;
+select * from information_schema.enabled_roles;
+
+connection default;
+drop user foo@'127.0.0.1';
+drop role r1;
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index c371cd42ade..abc53687ee0 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
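Review bot: mysql-test/suite/roles/ip-6401.test covers only the path where SET ROLE must succeed, so it would keep passing if the address comparison in acl_check_setrole accepted more than it should. Add a case where a second role is granted to an account with a different address (constructed example: `create user foo@'127.0.0.2'; grant r2 to foo@'127.0.0.2';`) and con1 runs `--error 1959` followed by `set role r2;`. The test also leaves con1 open when it drops the user; a `disconnect con1;` after `connection default;` would keep the session from lingering into later tests.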
@@ -300,7 +300,7 @@ public: bool eq(const char *user2, const char *host2) { return !cmp(user2, host2); } - bool wild_eq(const char *user2, const char *host2, const char *ip2 = 0) + bool wild_eq(const char *user2, const char *host2, const char *ip2) { if (strcmp(safe_str(user.str), safe_str(user2))) return false; @@ -1883,7 +1883,7 @@ int acl_check_setrole(THD *thd, char *rolename, ulonglong *access) acl_user= (ACL_USER *)acl_user_base; /* Yes! priv_user@host. Don't ask why - that's what check_access() does. */ if (acl_user->wild_eq(thd->security_ctx->priv_user, - thd->security_ctx->host)) + thd->security_ctx->host, thd->security_ctx->ip)) { is_granted= TRUE; break;
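Review bot: With the default argument removed, wild_eq no longer says what a null `ip2` means, and the new caller in acl_check_setrole passes `thd->security_ctx->ip` without checking it. If the ip field can be unset for some connection types (not visible in this diff), the declaration should state how that is handled, for example `/* ip2: client IP address used for address-style host patterns; may be NULL, in which case ... */` completed to match what the body really does. wild_eq's body continues past the end of this hunk, so the null handling could not be confirmed here. Dropping the default is otherwise a sound choice, because every call site now has to decide explicitly which address it passes.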
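Review bot: The comment above the wild_eq call in acl_check_setrole still reads `priv_user@host`, but the match is now made against the client's host name and its IP, so the comment no longer describes the check. Suggest `/* Match priv_user against the client's host name and IP - that's what check_access() does. */`. Because the connection's host and ip are compared rather than the host pattern of the account the session authenticated as, any grantee entry whose pattern covers this client appears to satisfy the check, not only the entry used at login; if that is intended, the comment is the place to say so. The enclosing loop starts and ends outside the hunk.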