mysql GRANT + WHERE

Question

I want to give permissions only to specificated rows in mysql. table: messages cols: from, to, message

GRANT ALL ON db.messages TO 'jeffrey'@'localhost' WHERE messages.from = 'jeffrey' OR messages.to = 'jeffrey' ;

With a thing like this the user only can access only his own messages.

Do you know how to solve the problem?

Answer 1

If you want row level permissions, you'll have to add your own mechanism. Usually it's an integer, used as a bit Pattern

E.g. 0x0002 is a Supervisor Level access

The user Fred is a supervisor so their Permission is 0x0002 and they have a UserId of 23

Then something like

Select * From SomeTable
inner Join myUsers On MyUsers.UserID = 23 and (SomeTable.PermissionID & MyUsers.PermissionID) > 0

So Fred can only access rows with a permissionId where bit 1 (Big endian !) is set.

Have a deep think though it's major PIA to maintain.

Answer 2

Per the GRANT command, there is no ability to set permission-levels on a per-row basis (table/columns, yes - but not the individual rows).

You could setup a View to handle this though and grant the user permission to access the view instead.

A view such as the following should give you the messages based on the current user:

CREATE VIEW user_messages AS
    SELECT *
    FROM messages
    WHERE
        messages.from = user() OR messages.to = user();

And the grant-statement should be similar:

GRANT ALL ON db.user_messages TO 'jeffrey'@'localhost';

Answer 3

MySQL doesn't have row-level permissions. You have database, table, and column. not rows. For row-level, use a view and/or approriate where clauses.