3 July 2020 | Notion

17:17 — Cloned and Compiled

17:24 — Starting with function setup_fields_with_no_wrap

17:44 — Inside check_column_grant_table_ref()

// View:
p table_ref->grant $5 = 
{grant_table_user = 0x55555884d298, grant_table_role = 0x0, version = 4, 
privilege = NO_ACL, want_privilege = UPDATE_ACL, orig_want_privilege = UPDATE_ACL, 
m_internal = {m_schema_lookup_done = true, m_schema_access = 0x0, 
m_table_lookup_done = true, m_table_access = 0x0}}

// DT:
{grant_table_user = 0x0, grant_table_role = 0x0, version = 0, 
privilege = NO_ACL, want_privilege = NO_ACL, orig_want_privilege = UPDATE_ACL, 
m_internal = {m_schema_lookup_done = true, m_schema_access = 0x0, 
m_table_lookup_done = true, m_table_access = 0x0}}

So, for DTs check_grant_column is missed:

if (grant→want_privilege)

return check_grant_column(..);

Here, grant = table_ref→grant;

So, why is there a difference in grants of views and DTs?

17:51 — grant→want_privilege is set in mysql_update:

table_list->grant.want_privilege= table->grant.want_privilege= want_privilege;

17:53 — want_privilege is set by: [inside mysql_update()]

want_privilege= (table_list->view ? UPDATE_ACL : table_list->grant.want_privilege);

What about grant_table_user?

18:00 — Inside mysql_update, table_list→grant.want_privilege = UPDATE_ACL (for views) and = NO_ACL (for derived)

Maybe, I have seen this problem earlier [Checking update_precheck() in sql_parse.cc]

18:46 — We are dropping the request for a privilege for a derived table:

// Snippet from check_grant:
// Stack: update_precheck->check_one_table_access->check_single_table_access->
// check_grant
if (!(~t_ref->grant.privilege & want_access) ||
        t_ref->is_anonymous_derived_table() || t_ref->schema_table)
    {
      /*
        It is subquery in the FROM clause. VIEW set t_ref->derived after
        table opening, but this function always called before table opening.

        NOTE: is_derived() can't be used here because subquery in this case
        the FROM clase (derived tables) can be not be marked yet.
      */
      if (t_ref->is_anonymous_derived_table() || t_ref->schema_table)
      {
        /*
          If it's a temporary table created for a subquery in the FROM
          clause, or an INFORMATION_SCHEMA table, drop the request for
          a privilege.
        */
        t_ref->grant.want_privilege= NO_ACL;
      }
      continue;
    }

// How want_privilege is set for views later in check_grant:
t_ref->grant.grant_table_user= grant_table; // Remember for column test
t_ref->grant.grant_table_role= grant_table_role;
t_ref->grant.version= grant_version;
t_ref->grant.privilege|= grant_table ? grant_table->privs : NO_ACL;
t_ref->grant.privilege|= grant_table_role ? grant_table_role->privs : NO_ACL;
t_ref->grant.want_privilege= ((want_access & COL_ACLS) & ~t_ref->grant.privilege);

Why are we doing this? (skipping request of privileges for derived table)? Here, is it assumed that all derived tables are materialised? ASK ABOUT THIS TO IGOR!

This is where we are diverging.