Modified set_var_role so that the role check is performed in the check() function
and the privileges are only set in the update() function.
parent
494f011799
commit
db25d8f977
@ -876,14 +876,20 @@ int set_var_password::update(THD *thd)
|
||||
*****************************************************************************/
|
||||
int set_var_role::check(THD *thd)
|
||||
{
|
||||
/* nothing to check */
|
||||
#ifndef NO_EMBEDDED_ACCESS_CHECKS
|
||||
ulonglong access;
|
||||
int status= acl_check_setrole(thd, base.str, &access);
|
||||
save_result.ulonglong_value= access;
|
||||
return status;
|
||||
#else
|
||||
return 0;
|
||||
#endif
|
||||
}
|
||||
|
||||
int set_var_role::update(THD *thd)
|
||||
{
|
||||
#ifndef NO_EMBEDDED_ACCESS_CHECKS
|
||||
return acl_setrole(thd, this->role.str);
|
||||
return acl_setrole(thd, base.str, save_result.ulonglong_value);
|
||||
#else
|
||||
return 0;
|
||||
#endif
|
||||
|
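Review bot: In `set_var_role::check()`, `access` is declared without an initializer and is copied into `save_result.ulonglong_value` even when `acl_check_setrole()` fails. The error paths visible in the sql_acl.cc hunks set `result= -1` and jump to `end` without writing `*access`, so that copy reads an indeterminate value. Initialise it and store only on success: `ulonglong access= 0;` and `if (!status) save_result.ulonglong_value= access;`. The `/* nothing to check */` comment also looks stale if it survives on the new side, since check() is now where the role grant is verified. The +/- markers are lost on this page, so which `return acl_setrole(...)` line is the new one is inferred from the commit message, and update()'s closing brace is outside the hunk.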
@ -278,11 +278,11 @@ public:
|
||||
|
||||
/* For SET ROLE */
|
||||
|
||||
class set_var_role: public set_var_base
|
||||
class set_var_role: public set_var
|
||||
{
|
||||
LEX_STRING role;
|
||||
public:
|
||||
set_var_role(LEX_STRING role_arg) : role(role_arg) {};
|
||||
set_var_role(LEX_STRING role_arg) :
|
||||
set_var(OPT_SESSION, NULL, &role_arg, NULL){};
|
||||
int check(THD *thd);
|
||||
int update(THD *thd);
|
||||
};
|
||||
|
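Review bot: The new constructor hands `&role_arg`, the address of a by-value parameter, and a NULL variable pointer to the `set_var` base. Whether `set_var` copies the `LEX_STRING` or keeps the pointer is not visible here, and any inherited `set_var` path that dereferences its variable pointer would fault for this class. I would confirm that the base copies the string, and document the reuse above the class, e.g. `/* For SET ROLE: base holds the role name; save_result.ulonglong_value carries the access bits from check() to update(); no sys_var is attached */`. The `;` after the constructor body `{}` is an empty declaration and can be dropped.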
@ -1672,7 +1672,7 @@ bool acl_getroot(Security_context *sctx, char *user, char *host,
|
||||
DBUG_RETURN(res);
|
||||
}
|
||||
|
||||
bool acl_setrole(THD *thd, char *rolename)
|
||||
int acl_check_setrole(THD *thd, char *rolename, ulonglong *access)
|
||||
{
|
||||
bool is_granted;
|
||||
int result= 0;
|
||||
@ -1693,8 +1693,8 @@ bool acl_setrole(THD *thd, char *rolename)
|
||||
my_error(ER_INVALID_CURRENT_USER, MYF(0), rolename);
|
||||
result= -1;
|
||||
}
|
||||
else
|
||||
thd->security_ctx->master_access= acl_user->access;
|
||||
else if (access)
|
||||
*access= acl_user->access;
|
||||
|
||||
goto end;
|
||||
}
|
||||
@ -1728,16 +1728,26 @@ bool acl_setrole(THD *thd, char *rolename)
|
||||
goto end;
|
||||
}
|
||||
|
||||
/* merge the privileges */
|
||||
thd->security_ctx->master_access= acl_user->access | role->access;
|
||||
/* mark the current role */
|
||||
strcpy(thd->security_ctx->priv_role, rolename);
|
||||
|
||||
if (access)
|
||||
{
|
||||
*access = acl_user->access | role->access;
|
||||
}
|
||||
end:
|
||||
mysql_mutex_unlock(&acl_cache->lock);
|
||||
return result;
|
||||
}
|
||||
|
||||
int acl_setrole(THD *thd, char *rolename, ulonglong access) {
|
||||
/* merge the privileges */
|
||||
thd->security_ctx->master_access= access;
|
||||
/* mark the current role */
|
||||
strmake(thd->security_ctx->priv_role, rolename,
|
||||
sizeof(thd->security_ctx->priv_role)-1);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
|
||||
static uchar* check_get_key(ACL_USER *buff, size_t *length,
|
||||
my_bool not_used __attribute__((unused)))
|
||||
{
|
||||
|
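Review bot: The three-argument `acl_setrole()` always writes `rolename` into `priv_role`, which appears to change behaviour for the early branch at -1693 (its condition is outside the hunk). That branch previously set `master_access` and did `goto end`, so it never reached the copy into `priv_role`. If it is the "no role" case, `priv_role` would now hold that keyword instead of being left alone; this is worth confirming and, if so, handling explicitly in `acl_setrole()`. Separately, the access bits are computed under `acl_cache->lock` in `acl_check_setrole()` and installed later without it, so a grant change between check and update would presumably not be seen. The `/* merge the privileges */` comment no longer matches a plain assignment, and `/* install the access bits computed by acl_check_setrole() */` would be more accurate.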
@ -382,5 +382,6 @@ get_cached_table_access(GRANT_INTERNAL_INFO *grant_internal_info,
|
||||
|
||||
bool acl_check_proxy_grant_access (THD *thd, const char *host, const char *user,
|
||||
bool with_grant);
|
||||
bool acl_setrole(THD *thd, char *rolename);
|
||||
int acl_setrole(THD *thd, char *rolename, ulonglong access);
|
||||
int acl_check_setrole(THD *thd, char *rolename, ulonglong *access);
|
||||
#endif /* SQL_ACL_INCLUDED */
|
||||
|
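Review bot: The two prototypes are declared with no comment on how they pair up, even though `acl_setrole()` now accepts raw privilege bits and, from the sql_acl.cc hunk, performs no check of its own. A short comment above them would keep future callers from using it directly, e.g. `/* acl_check_setrole() verifies the grant and returns the access bits; acl_setrole() only applies bits obtained from it */`. Neither function appears to modify `rolename` in the visible lines, so `const char *rolename` would be the tighter signature, though the body of `acl_check_setrole()` is only partly shown.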