x

vaintroub · vaintroub · commit c66b83aa9220 · 2026-02-23T22:40:31.000+01:00
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
@@ -10043,7 +10043,7 @@ static bool check_grant_db_routine(THD *thd, const char *db, HASH *hash)
         strcmp(item->db, db) == 0 &&
         (!item->host.hostname || !item->host.hostname[0]))
     {
-      if (item->init_privs.certainly_allowed(ALL_KNOWN_ACL))
+      if (item->privs.certainly_allowed(ALL_KNOWN_ACL))
         return FALSE; /* Found current role match */
     }
   }
@@ -10089,14 +10089,20 @@ static bool has_some_table_privs(GRANT_TABLE *grant_table)
   Return 1 if access is denied
 */
 
-bool check_grant_db(THD *thd, const char *db)
+bool check_grant_db(THD *thd, const access_t &access, const char *db)
 {
   Security_context *sctx= thd->security_ctx;
   constexpr size_t key_data_size= SAFE_NAME_LEN + USERNAME_LENGTH + 1;
   // See earlier comments on MY_CS_MBMAXLEN above
   CharBuffer<key_data_size + MY_CS_MBMAXLEN> key, key2;
   bool error= TRUE;
 
+  if (access.is_denied_all(TABLE_ACLS|PROC_ACLS))
+    return 1; // all table and routine privileges are denied
+
+  if (access & (TABLE_ACLS | PROC_ACLS))
+    return 0; // some table or routine privileges are allowed
+
   key.append(Lex_cstring_strlen(sctx->priv_user)).append_char('\0')
      .append_opt_casedn(files_charset_info, Lex_cstring_strlen(db),
                         lower_case_table_names)
diff --git a/sql/sql_acl.h b/sql/sql_acl.h
@@ -123,7 +123,7 @@ bool check_grant_all_columns(THD *thd, privilege_t want_access,
 bool check_grant_routine(THD *thd, privilege_t want_access,
                          TABLE_LIST *procs, const Sp_handler *sph,
                          bool no_error);
-bool check_grant_db(THD *thd,const char *db);
+bool check_grant_db(THD *thd,const access_t& priv, const char *db);
 bool check_global_access(THD *thd, const privilege_t want_access, bool no_errors= false);
 bool check_access(THD *thd, privilege_t want_access,
                   const char *db, access_t *save_priv,
diff --git a/sql/sql_db.cc b/sql/sql_db.cc
@@ -1791,8 +1791,7 @@ uint mysql_change_db(THD *thd, const LEX_CSTRING &new_db_name, bool force)
 
   if (!force)
   {
-    if (db_access.is_denied_all(DB_ACLS) || 
-       (!(db_access & DB_ACLS)  && check_grant_db(thd, new_db_file_name.str)))
+    if (!(db_access & DB_ACLS) && check_grant_db(thd, db_access, new_db_file_name.str))
     {
       my_error(ER_DBACCESS_DENIED_ERROR, MYF(0), sctx->priv_user,
                sctx->priv_host, new_db_file_name.str);
diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc
@@ -6946,7 +6946,7 @@ static bool check_show_access(THD *thd, TABLE_LIST *table)
                      &thd->col_access, NULL, FALSE, FALSE))
       return TRUE;
 
-    if (!thd->col_access && check_grant_db(thd, dst_db_name))
+    if (!thd->col_access && check_grant_db(thd, thd->col_access, dst_db_name))
     {
       status_var_increment(thd->status_var.access_denied_errors);
       my_error(ER_DBACCESS_DENIED_ERROR, MYF(0),
diff --git a/sql/sql_show.cc b/sql/sql_show.cc
@@ -1455,7 +1455,7 @@ bool mysqld_show_create_db(THD *thd, LEX_CSTRING *dbname,
   else
     db_access= acl_get_all3(sctx, dbname->str, FALSE);
 
-  if (!(db_access & DB_ACLS) && !db_access.is_denied_all(DB_ACLS) && check_grant_db(thd,dbname->str))
+  if (!(db_access & DB_ACLS) && check_grant_db(thd, db_access, dbname->str))
   {
     status_var_increment(thd->status_var.access_denied_errors);
     my_error(ER_DBACCESS_DENIED_ERROR, MYF(0),
@@ -5798,9 +5798,10 @@ int fill_schema_schemata(THD *thd, TABLE_LIST *tables, COND *cond)
       continue;
     }
 #ifndef NO_EMBEDDED_ACCESS_CHECKS
+    access_t db_access=acl_get_all3(sctx, db_name->str, false);
     if (sctx->master_access & (DB_ACLS | SHOW_DB_ACL) ||
-        !acl_get_all3(sctx, db_name->str, false).is_empty() ||
-        !check_grant_db(thd, db_name->str))
+        !db_access.is_empty() || /*??*/
+        !check_grant_db(thd, db_access ,db_name->str))
 #endif
     {
       load_db_opt_by_name(thd, db_name->str, &create);

Original file line number	Diff line number	Diff line change
`@@ -1791,8 +1791,7 @@ uint mysql_change_db(THD *thd, const LEX_CSTRING &new_db_name, bool force)`
`1791`	`1791`
`1792`	`1792`	`if (!force)`
`1793`	`1793`	`{`
`1794`		`- if (db_access.is_denied_all(DB_ACLS) \|\|`
`1795`		`- (!(db_access & DB_ACLS) && check_grant_db(thd, new_db_file_name.str)))`
	`1794`	`+ if (!(db_access & DB_ACLS) && check_grant_db(thd, db_access, new_db_file_name.str))`
`1796`	`1795`	`{`
`1797`	`1796`	`my_error(ER_DBACCESS_DENIED_ERROR, MYF(0), sctx->priv_user,`
`1798`	`1797`	`sctx->priv_host, new_db_file_name.str);`
Original file line number	Diff line number	Diff line change
`@@ -6946,7 +6946,7 @@ static bool check_show_access(THD thd, TABLE_LIST table)`
`6946`	`6946`	`&thd->col_access, NULL, FALSE, FALSE))`
`6947`	`6947`	`return TRUE;`
`6948`	`6948`
`6949`		`- if (!thd->col_access && check_grant_db(thd, dst_db_name))`
	`6949`	`+ if (!thd->col_access && check_grant_db(thd, thd->col_access, dst_db_name))`
`6950`	`6950`	`{`
`6951`	`6951`	`status_var_increment(thd->status_var.access_denied_errors);`
`6952`	`6952`	`my_error(ER_DBACCESS_DENIED_ERROR, MYF(0),`