Added more tests to grant2. Fixed some previous tests.

Added new logic to ACL system:

1) If GRANT OPTION (not mysql db):
   Ok to update existing user, but not password.
   Not allowed to make a new user.

2) If UPDATE_ACL to mysql DB:
   Ok to update current user, but not make a new one.

3) If INSERT_ACL to mysql DB:
   Ok to add a new user, but not modify existing.

4) If GRANT OPTION to mysql DB:
   All modifications OK.


mysql-test/r/grant2.result:
  Added more ACL tests and fixed results in some old tests.
mysql-test/t/grant2.test:
  Added more ACL tests and fixed results in some old tests.
sql/sql_acl.h:
  Made check_acl_user() visible to sql_parse.cc
sql/sql_parse.cc:
  Added new logic to ACL system:
  
  1) If GRANT OPTION (not mysql db):
     Ok to update existing user, but not password.
     Not allowed to make a new user.
  
  2) If UPDATE_ACL to mysql DB:
     Ok to update current user, but not make a new one.
  
  3) If INSERT_ACL to mysql DB:
     Ok to add a new user, but not modify existing.
  
  4) If GRANT OPTION to mysql DB:
     All modifications OK.

mysql-test/r/grant2.result

@@ -5,6 +5,23 @@ delete from mysql.db where user like 'mysqltest\_%';
 delete from mysql.tables_priv where user like 'mysqltest\_%';
 delete from mysql.columns_priv where user like 'mysqltest\_%';
 flush privileges;
+grant all privileges on `my\_1`.* to mysqltest_1@localhost with grant option;
+create user mysqltest_2@localhost;
+grant select on `my\_1`.* to mysqltest_2@localhost;
+grant select on `my\_1`.* to mysqltest_2@localhost identified by 'pass';
+ERROR 42000: You must have privileges to update tables in the mysql database to be able to change passwords for others
+grant update on mysql.* to mysqltest_1@localhost;
+grant select on `my\_1`.* to mysqltest_2@localhost identified by 'pass';
+grant select on `my\_1`.* to mysqltest_3@localhost;
+ERROR 42000: 'mysqltest_1'@'localhost' is not allowed to create new users
+grant insert on mysql.* to mysqltest_1@localhost;
+grant select on `my\_1`.* to mysqltest_3@localhost;
+grant select on `my\_1`.* to mysqltest_4@localhost identified by 'pass';
+delete from mysql.user where user like 'mysqltest\_%';
+delete from mysql.db where user like 'mysqltest\_%';
+delete from mysql.tables_priv where user like 'mysqltest\_%';
+delete from mysql.columns_priv where user like 'mysqltest\_%';
+flush privileges;
 grant all privileges on `my\_%`.* to mysqltest_1@localhost with grant option;
 select current_user();
 current_user()
@@ -13,6 +30,7 @@ select current_user;
 current_user
 mysqltest_1@localhost
 grant all privileges on `my\_1`.* to mysqltest_2@localhost with grant option;
+ERROR 42000: 'mysqltest_1'@'localhost' is not allowed to create new users
 grant all privileges on `my_%`.* to mysqltest_3@localhost with grant option;
 ERROR 42000: Access denied for user 'mysqltest_1'@'localhost' to database 'my_%'
 set @@sql_mode='NO_AUTO_CREATE_USER';
@@ -23,15 +41,13 @@ grant select on `my\_1`.* to mysqltest_4@localhost with grant option;
 ERROR 42000: 'mysqltest_1'@'localhost' is not allowed to create new users
 grant select on `my\_1`.* to mysqltest_4@localhost identified by 'mypass'
 with grant option;
-ERROR 42000: Access denied for user 'mysqltest_1'@'localhost' to database 'mysql'
+ERROR 42000: 'mysqltest_1'@'localhost' is not allowed to create new users
 show grants for mysqltest_1@localhost;
 Grants for mysqltest_1@localhost
 GRANT USAGE ON *.* TO 'mysqltest_1'@'localhost'
 GRANT ALL PRIVILEGES ON `my\_%`.* TO 'mysqltest_1'@'localhost' WITH GRANT OPTION
 show grants for mysqltest_2@localhost;
-Grants for mysqltest_2@localhost
+ERROR 42000: There is no such grant defined for user 'mysqltest_2' on host 'localhost'
-GRANT USAGE ON *.* TO 'mysqltest_2'@'localhost'
-GRANT ALL PRIVILEGES ON `my\_1`.* TO 'mysqltest_2'@'localhost' WITH GRANT OPTION
 show grants for mysqltest_3@localhost;
 ERROR 42000: There is no such grant defined for user 'mysqltest_3' on host 'localhost'
 delete from mysql.user where user like 'mysqltest\_%';
@@ -61,9 +77,9 @@ flush privileges;
 create table t1 (a int, b int);
 grant select (a) on t1 to mysqltest_1@localhost with grant option;
 grant select (a,b) on t1 to mysqltest_2@localhost;
-ERROR 42000: SELECT command denied to user 'mysqltest_1'@'localhost' for column 'b' in table 't1'
+ERROR 42000: 'mysqltest_1'@'localhost' is not allowed to create new users
 grant select on t1 to mysqltest_3@localhost;
-ERROR 42000: SELECT command denied to user 'mysqltest_1'@'localhost' for table 't1'
+ERROR 42000: 'mysqltest_1'@'localhost' is not allowed to create new users
 drop table t1;
 delete from mysql.user where user like 'mysqltest\_%';
 delete from mysql.db where user like 'mysqltest\_%';

mysql-test/t/grant2.test

@@ -17,6 +17,36 @@ delete from mysql.columns_priv where user like 'mysqltest\_%';
 flush privileges;
 
 
+grant all privileges on `my\_1`.* to mysqltest_1@localhost with grant option;
+create user mysqltest_2@localhost;
+connect (user_a,localhost,mysqltest_1,,);
+connection user_a;
+grant select on `my\_1`.* to mysqltest_2@localhost;
+--error 1132
+grant select on `my\_1`.* to mysqltest_2@localhost identified by 'pass';
+disconnect user_a;
+connection default;
+grant update on mysql.* to mysqltest_1@localhost;
+connect (user_b,localhost,mysqltest_1,,);
+connection user_b;
+grant select on `my\_1`.* to mysqltest_2@localhost identified by 'pass';
+--error 1211
+grant select on `my\_1`.* to mysqltest_3@localhost;
+disconnect user_b;
+connection default;
+grant insert on mysql.* to mysqltest_1@localhost;
+connect (user_c,localhost,mysqltest_1,,);
+connection user_c;
+grant select on `my\_1`.* to mysqltest_3@localhost;
+grant select on `my\_1`.* to mysqltest_4@localhost identified by 'pass';
+disconnect user_c;
+connection default;
+delete from mysql.user where user like 'mysqltest\_%';
+delete from mysql.db where user like 'mysqltest\_%';
+delete from mysql.tables_priv where user like 'mysqltest\_%';
+delete from mysql.columns_priv where user like 'mysqltest\_%';
+flush privileges;
+
 #
 # wild_compare fun
 #
@@ -26,9 +56,11 @@ connect (user1,localhost,mysqltest_1,,);
 connection user1;
 select current_user();
 select current_user;
+--error 1211
 grant all privileges on `my\_1`.* to mysqltest_2@localhost with grant option;
 --error 1044
 grant all privileges on `my_%`.* to mysqltest_3@localhost with grant option;
+
 #
 # NO_AUTO_CREATE_USER mode
 #
@@ -36,12 +68,13 @@ set @@sql_mode='NO_AUTO_CREATE_USER';
 select @@sql_mode;
 --error 1211
 grant select on `my\_1`.* to mysqltest_4@localhost with grant option;
---error 1044
+--error 1211
 grant select on `my\_1`.* to mysqltest_4@localhost identified by 'mypass'
 with grant option;
 disconnect user1;
 connection default;
 show grants for mysqltest_1@localhost;
+--error 1141
 show grants for mysqltest_2@localhost;
 --error 1141
 show grants for mysqltest_3@localhost;
@@ -83,9 +116,9 @@ create table t1 (a int, b int);
 grant select (a) on t1 to mysqltest_1@localhost with grant option;
 connect (mrugly, localhost, mysqltest_1,,mysqltest);
 connection mrugly;
---error 1143
+--error 1211
 grant select (a,b) on t1 to mysqltest_2@localhost;
---error 1142
+--error 1211
 grant select on t1 to mysqltest_3@localhost;
 disconnect mrugly;
 

sql/sql_acl.h

@@ -190,6 +190,8 @@ bool mysql_table_grant(THD *thd, TABLE_LIST *table, List <LEX_USER> &user_list,
 bool mysql_procedure_grant(THD *thd, TABLE_LIST *table, 
 			   List <LEX_USER> &user_list, ulong rights,
 			   bool revoke, bool no_error);
+ACL_USER *check_acl_user(LEX_USER *user_name,
+			 uint *acl_acl_userdx);
 my_bool grant_init(THD *thd);
 void grant_free(void);
 void grant_reload(THD *thd);

sql/sql_parse.cc

@@ -3629,18 +3629,36 @@ unsent_create_error:
     if (thd->user)				// If not replication
     {
       LEX_USER *user;
+      uint counter;
+
       List_iterator <LEX_USER> user_list(lex->users_list);
       while ((user=user_list++))
       {
-	if (user->password.str &&
+	if (strcmp(thd->user, user->user.str) ||
-	    (strcmp(thd->user, user->user.str) ||
 	    user->host.str &&
 	    my_strcasecmp(system_charset_info,
-			   user->host.str, thd->host_or_ip)))
+			  user->host.str, thd->host_or_ip))
 	{
-	  if (check_access(thd, UPDATE_ACL, "mysql", 0, 1, 0))
+	  // We are trying to update another user, or create a new user
-	    goto error;
+	  
-	  break;			// We are allowed to do changes
+	  if (!check_access(thd, GRANT_ACL, "mysql", 0, 1, 1))
+	    break; // We can update any existing, or add new users
+
+	  if (!check_acl_user(user, &counter) &&
+	      check_access(thd, INSERT_ACL, "mysql", 0, 1, 1))
+	  {
+	    my_error(ER_NO_PERMISSION_TO_CREATE_USER, MYF(0),
+		     thd->user, thd->host_or_ip);
+	    goto error; // Can't create new user, user does not exists
+	  }
+	  if (check_acl_user(user, &counter) &&
+	      user->password.str &&
+	      check_access(thd, UPDATE_ACL, "mysql", 0, 1, 1))
+	  {
+	    my_message(ER_PASSWORD_NOT_ALLOWED,
+		       ER(ER_PASSWORD_NOT_ALLOWED), MYF(0));
+	    goto error; // Can't update password, user already exists
+	  }
 	}
       }
     }