From bd72bd6e10cad89bfbadcb9d19f0013a521477c8 Mon Sep 17 00:00:00 2001
From: Vitaly Baranov
Date: Sun, 28 Jun 2020 21:38:14 +0300
Subject: [PATCH 1/2] Fix access rights: cannot grant DDL when allow_ddl=0
---
 src/Access/ContextAccess.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Access/ContextAccess.cpp b/src/Access/ContextAccess.cpp
index 82ed5920243..e7bd0f8287d 100644
--- a/src/Access/ContextAccess.cpp
+++ b/src/Access/ContextAccess.cpp
@@ -428,7 +428,7 @@ boost::shared_ptr ContextAccess::calculateResultAccess(bool
 merged_access->revoke(AccessType::CREATE_TEMPORARY_TABLE);
 }
- if (!allow_ddl_ && !grant_option)
+ if (!allow_ddl_)
 merged_access->revoke(table_and_dictionary_ddl);
 if (!allow_introspection_ && !grant_option)
From b230e740265059b837f1756c44e400a90adac9de Mon Sep 17 00:00:00 2001
From: Vitaly Baranov
Date: Sun, 28 Jun 2020 21:42:03 +0300
Subject: [PATCH 2/2] Add test test_allow_ddl.
---
 tests/integration/test_settings_profile/test.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/tests/integration/test_settings_profile/test.py b/tests/integration/test_settings_profile/test.py
index d722717f2a7..752aa2da75d 100644
--- a/tests/integration/test_settings_profile/test.py
+++ b/tests/integration/test_settings_profile/test.py
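Review bot: In src/Access/ContextAccess.cpp the `!grant_option` exemption removed from the `allow_ddl_` check is still present on the introspection check in the hunk's last context line, `if (!allow_introspection_ && !grant_option)`. The grant-option set built by calculateResultAccess would therefore presumably still keep introspection privileges when introspection is disabled, which is the same delegation gap this commit closes for DDL. If a restricting setting is meant to block granting as well as use, that line needs the matching change, `if (!allow_introspection_)`; if the difference is deliberate, a one-line comment above it should say why the two settings are treated differently. The function body starts and ends outside the hunk, so other setting-driven revokes in it cannot be checked from here.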
@@ -164,6 +164,18 @@ def test_show_profiles():
 assert expected_access in instance.query("SHOW ACCESS")
+def test_allow_ddl():
+ assert "Not enough privileges" in instance.query_and_get_error("CREATE TABLE tbl(a Int32) ENGINE=Log", user="robin")
+ assert "DDL queries are prohibited" in instance.query_and_get_error("CREATE TABLE tbl(a Int32) ENGINE=Log", settings={"allow_ddl":0})
+
+ assert "Not enough privileges" in instance.query_and_get_error("GRANT CREATE ON tbl TO robin", user="robin")
+ assert "DDL queries are prohibited" in instance.query_and_get_error("GRANT CREATE ON tbl TO robin", settings={"allow_ddl":0})
+
+ instance.query("GRANT CREATE ON tbl TO robin")
+ instance.query("CREATE TABLE tbl(a Int32) ENGINE=Log", user="robin")
+ instance.query("DROP TABLE tbl")
+
+
 def test_allow_introspection():
 assert "Not enough privileges" in instance.query_and_get_error("SELECT demangle('a')", user="robin")
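Review bot: After `GRANT CREATE ON tbl TO robin` the test only exercises the success path, so nothing checks that robin, now holding the privilege, is still refused when `allow_ddl` is 0. Adding `assert "DDL queries are prohibited" in instance.query_and_get_error("CREATE TABLE tbl(a Int32) ENGINE=Log", user="robin", settings={"allow_ddl":0})` before the successful CREATE would pin that the setting wins over the grant; the expected message is assumed to match the one asserted for the default user. The grant is also left in place when the test ends, so unless a fixture outside the hunk resets robin, a closing `instance.query("REVOKE CREATE ON tbl FROM robin")` would keep later tests from inheriting the privilege.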