planner/core: fix point-get db privilege check (#12268) (#12341)

pingcap · Sep 24, 2019 · d699ce3 · d699ce3
1 parent 3fe6a78
commit d699ce3
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 5 deletions.
diff --git a/planner/core/point_get_plan.go b/planner/core/point_get_plan.go
@@ -37,6 +37,7 @@ import (
 // This plan is much faster to build and to execute because it avoid the optimization and coprocessor cost.
 type PointGetPlan struct {
 	basePlan
+	dbName      string
 	schema      *expression.Schema
 	TblInfo     *model.TableInfo
 	IndexInfo   *model.IndexInfo
@@ -197,7 +198,11 @@ func tryPointGetPlan(ctx sessionctx.Context, selStmt *ast.SelectStmt) *PointGetP
 		if schema == nil {
 			return nil
 		}
-		p := newPointGetPlan(ctx, schema, tbl)
+		dbName := tblName.Schema.L
+		if dbName == "" {
+			dbName = ctx.GetSessionVars().CurrentDB
+		}
+		p := newPointGetPlan(ctx, dbName, schema, tbl)
 		var err error
 		p.Handle, err = handleDatum.ToInt64(ctx.GetSessionVars().StmtCtx)
 		if err != nil {
@@ -220,17 +225,22 @@ func tryPointGetPlan(ctx sessionctx.Context, selStmt *ast.SelectStmt) *PointGetP
 		if schema == nil {
 			return nil
 		}
-		p := newPointGetPlan(ctx, schema, tbl)
+		dbName := tblName.Schema.L
+		if dbName == "" {
+			dbName = ctx.GetSessionVars().CurrentDB
+		}
+		p := newPointGetPlan(ctx, dbName, schema, tbl)
 		p.IndexInfo = idxInfo
 		p.IndexValues = idxValues
 		return p
 	}
 	return nil
 }
 
-func newPointGetPlan(ctx sessionctx.Context, schema *expression.Schema, tbl *model.TableInfo) *PointGetPlan {
+func newPointGetPlan(ctx sessionctx.Context, dbName string, schema *expression.Schema, tbl *model.TableInfo) *PointGetPlan {
 	p := &PointGetPlan{
 		basePlan: newBasePlan(ctx, "Point_Get"),
+		dbName:   dbName,
 		schema:   schema,
 		TblInfo:  tbl,
 	}
@@ -243,9 +253,8 @@ func checkFastPlanPrivilege(ctx sessionctx.Context, fastPlan *PointGetPlan, chec
 	if pm == nil {
 		return nil
 	}
-	dbName := ctx.GetSessionVars().CurrentDB
 	for _, checkType := range checkTypes {
-		if !pm.RequestVerification(dbName, fastPlan.TblInfo.Name.L, "", checkType) {
+		if !pm.RequestVerification(fastPlan.dbName, fastPlan.TblInfo.Name.L, "", checkType) {
 			return errors.New("privilege check fail")
 		}
 	}

diff --git a/privilege/privileges/privileges_test.go b/privilege/privileges/privileges_test.go
@@ -117,6 +117,25 @@ func (s *testPrivilegeSuite) TestCheckDBPrivilege(c *C) {
 	c.Assert(pc.RequestVerification("test", "", "", mysql.UpdatePriv), IsTrue)
 }
 
+func (s *testPrivilegeSuite) TestCheckPointGetDBPrivilege(c *C) {
+	rootSe := newSession(c, s.store, s.dbName)
+	mustExec(c, rootSe, `CREATE USER 'tester'@'localhost';`)
+	mustExec(c, rootSe, `GRANT SELECT,UPDATE ON test.* TO  'tester'@'localhost';`)
+	mustExec(c, rootSe, `flush privileges;`)
+	mustExec(c, rootSe, `create database test2`)
+	mustExec(c, rootSe, `create table test2.t(id int, v int, primary key(id))`)
+	mustExec(c, rootSe, `insert into test2.t(id, v) values(1, 1)`)
+
+	se := newSession(c, s.store, s.dbName)
+	c.Assert(se.Auth(&auth.UserIdentity{Username: "tester", Hostname: "localhost"}, nil, nil), IsTrue)
+	mustExec(c, se, `use test;`)
+	_, err := se.Execute(context.Background(), `select * from test2.t where id = 1`)
+	fmt.Println(err.Error())
+	c.Assert(strings.Contains(err.Error(), "privilege check fail"), IsTrue)
+	_, err = se.Execute(context.Background(), "update test2.t set v = 2 where id = 1")
+	c.Assert(strings.Contains(err.Error(), "privilege check fail"), IsTrue)
+}
+
 func (s *testPrivilegeSuite) TestCheckTablePrivilege(c *C) {
 	rootSe := newSession(c, s.store, s.dbName)
 	mustExec(c, rootSe, `CREATE USER 'test1'@'localhost';`)