diff --git a/src/Interpreters/Access/InterpreterGrantQuery.cpp b/src/Interpreters/Access/InterpreterGrantQuery.cpp index 99d574dba1e..cbe6f0264c9 100644 --- a/src/Interpreters/Access/InterpreterGrantQuery.cpp +++ b/src/Interpreters/Access/InterpreterGrantQuery.cpp @@ -190,7 +190,7 @@ namespace /// REVOKE SELECT ON system.* FROM user2; /// /// the query `REVOKE SELECT ON *.* FROM user1` executed by user2 should succeed. - if (current_user_access.getAccessRights()->containsWithGrantOption(access_to_revoke)) + if (current_user_access.getAccessRightsWithImplicit()->containsWithGrantOption(access_to_revoke)) return; /// Technically, this check always fails if `containsWithGrantOption` returns `false`. But we still call it to get a nice exception message. diff --git a/tests/queries/0_stateless/03278_revoke_implicit_grants.reference b/tests/queries/0_stateless/03278_revoke_implicit_grants.reference new file mode 100644 index 00000000000..e69de29bb2d diff --git a/tests/queries/0_stateless/03278_revoke_implicit_grants.sh b/tests/queries/0_stateless/03278_revoke_implicit_grants.sh new file mode 100755 index 00000000000..a6dbd160147 --- /dev/null +++ b/tests/queries/0_stateless/03278_revoke_implicit_grants.sh @@ -0,0 +1,29 @@ +#!/usr/bin/env bash + +CURDIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd) +# shellcheck source=../shell_config.sh +. "$CURDIR"/../shell_config.sh + +user="user03278_${CLICKHOUSE_DATABASE}_$RANDOM" +role1="role03278_1_${CLICKHOUSE_DATABASE}_$RANDOM" +role2="role03278_2_${CLICKHOUSE_DATABASE}_$RANDOM" + + +${CLICKHOUSE_CLIENT} --query "DROP USER IF EXISTS $user;"; + +${CLICKHOUSE_CLIENT} <