[Maria-developers] PLEASE REVIEW: (MDEV-7574) Security definer views don't work with CONNECT ODBC tables

2015-02-17 Thread Alexander Barkov
Hello Sergei, Please review a patch that fixes the problem described in MDEV-7574. The idea is that a SELECT from a view over a CONNECT table now checks FILE privileges of the view definer (unless CREATE VIEW states SQL SECURITY INVOKER). It looks like a very good idea and gives more possible

Re: [Maria-developers] PLEASE REVIEW: (MDEV-7574) Security definer views don't work with CONNECT ODBC tables

2015-02-19 Thread Sergei Golubchik
Hi, Alexander! On Feb 17, Alexander Barkov wrote: > > From what I understood, FILE_ACL is written (among the other > privileges) into thd->security_ctx.privilege in > TABLE_LIST::prepare_security(). In case of a DEFINER view, > thd->security_ctx.privilege is filled exactly with the definer > priv

Re: [Maria-developers] PLEASE REVIEW: (MDEV-7574) Security definer views don't work with CONNECT ODBC tables

2015-02-24 Thread Alexander Barkov
Hi Sergei, On 02/19/2015 07:12 PM, Sergei Golubchik wrote: Hi, Alexander! On Feb 17, Alexander Barkov wrote: From what I understood, FILE_ACL is written (among the other privileges) into thd->security_ctx.privilege in TABLE_LIST::prepare_security(). In case of a DEFINER view, thd->security_

Re: [Maria-developers] PLEASE REVIEW: (MDEV-7574) Security definer views don't work with CONNECT ODBC tables

2015-04-29 Thread Sergei Golubchik
Hi, Alexander! On Feb 24, Alexander Barkov wrote: > > There is only one problem with that. In case of embedded server > table->grant.privilege is always 0, because the embedded version > of check_table_access() is just an empty function. > > This change in sql/handler.cc, in handler::ha_external

Re: [Maria-developers] PLEASE REVIEW: (MDEV-7574) Security definer views don't work with CONNECT ODBC tables

2015-07-24 Thread Alexander Barkov
Hi Sergei, Sorry for delay, I was busy with 10.1 issues. Thanks for review. A new patch is attached. This is a major rewrite since last time. I think the code now looks much easier to understand. Please see comments below. On 04/29/2015 06:44 PM, Sergei Golubchik wrote: Hi, Alexander! On Feb

Re: [Maria-developers] PLEASE REVIEW: (MDEV-7574) Security definer views don't work with CONNECT ODBC tables

2015-07-24 Thread Sergei Golubchik
Hi, Alexander! On Jul 24, Alexander Barkov wrote: > Hi Sergei, > > Sorry for delay, I was busy with 10.1 issues. That's perfectly fine. And even good - there's little sense to spend time on 10.0 bugs when the next release in line is 10.1. > Thanks for review. A new patch is attached. > This is

Re: [Maria-developers] PLEASE REVIEW: (MDEV-7574) Security definer views don't work with CONNECT ODBC tables

2015-07-24 Thread Alexander Barkov
Hi Sergei, On 07/24/2015 10:55 PM, Sergei Golubchik wrote: Hi, Alexander! On Jul 24, Alexander Barkov wrote: Hi Sergei, Sorry for delay, I was busy with 10.1 issues. That's perfectly fine. And even good - there's little sense to spend time on 10.0 bugs when the next release in line is 10.1

Re: [Maria-developers] PLEASE REVIEW: (MDEV-7574) Security definer views don't work with CONNECT ODBC tables

2015-07-25 Thread Sergei Golubchik
Hi, Alexander! On Jul 24, Alexander Barkov wrote: > >> Thanks for review. A new patch is attached. > >> This is a major rewrite since last time. > >> I think the code now looks much easier to understand. > > > > Not really, I couldn't understand what you're trying to do this time :( > > Besides it

Re: [Maria-developers] PLEASE REVIEW: (MDEV-7574) Security definer views don't work with CONNECT ODBC tables

2015-07-26 Thread Alexander Barkov
Hi Sergei, On 07/26/2015 02:13 AM, Sergei Golubchik wrote: Hi, Alexander! On Jul 24, Alexander Barkov wrote: Thanks for review. A new patch is attached. This is a major rewrite since last time. I think the code now looks much easier to understand. Not really, I couldn't understand what you'

Re: [Maria-developers] PLEASE REVIEW: (MDEV-7574) Security definer views don't work with CONNECT ODBC tables

2015-07-26 Thread Sergei Golubchik
Hi, Alexander! On Jul 26, Alexander Barkov wrote: > > + if (!table || !table->mdl_ticket || table->mdl_ticket->get_type() == > > MDL_EXCLUSIVE) > > +return check_access(thd, FILE_ACL, db, NULL, NULL, 0, 0); > > + if (table->grant.privilege & FILE_ACL) > > +return false;
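
Review bot: The first condition in the quoted hunk (!table || !table->mdl_ticket || table->mdl_ticket->get_type() == MDL_EXCLUSIVE) has no comment explaining why these three cases fall back to check_access(thd, FILE_ACL, db, ...) rather than consulting table->grant.privilege. A short comment stating what an exclusive MDL ticket is standing in for here would make the privilege decision reviewable. The following check, table->grant.privilege & FILE_ACL, relies on grant.privilege having been populated. Earlier in this thread it was noted that on the embedded server table->grant.privilege is always 0 because check_table_access() is an empty function there, so the expected outcome of this branch in that build should be stated in a comment or covered by a test.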