diff --git a/src/acl.c b/src/acl.c
index d39f9a5d444..7c6e3dec583 100644
--- a/src/acl.c
+++ b/src/acl.c
@@ -2094,6 +2094,9 @@ int ACLCheckAllUserCommandPerm(user *u, struct serverCommand *cmd, robj **argv,
 
 /* High level API for checking if a client can execute the queued up command */
 int ACLCheckAllPerm(client *c, int *idxptr) {
+ /* AOF replay is not subject to ACLs because the commands were allowed at the
+ time they were executed */
+ if (c->id == CLIENT_ID_AOF) return ACL_OK;
 int dbid = (c->flag.multi) ? c->mstate->transaction_db_id : c->db->id;
 return ACLCheckAllUserCommandPerm(c->user, c->cmd, c->argv, c->argc, dbid, idxptr);
 }
diff --git a/tests/integration/aof.tcl b/tests/integration/aof.tcl
index 6002641df90..96faa0ea0e7 100644
--- a/tests/integration/aof.tcl
+++ b/tests/integration/aof.tcl
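Review bot: The early return added to `ACLCheckAllPerm()` in src/acl.c exempts a client purely on `c->id == CLIENT_ID_AOF`, so every ACL decision made through this function now rests on an invariant the comment does not state: that this id is reserved for the AOF loading client and can never be carried by a connected client. The comment's premise also holds only for an AOF this server wrote itself, because commands in a file from any other source were never checked against an ACL. I would record both assumptions in the comment, e.g. `/* AOF replay bypasses ACLs: CLIENT_ID_AOF is reserved for the AOF loading client, and the AOF file is trusted as server-written. */`. The definition of `CLIENT_ID_AOF` and the client id allocation are outside this hunk, so the reservation should be confirmed there; the function body itself is fully visible.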
@@ -376,6 +376,31 @@ tags {"aof external:skip logreqres:skip"} {
 }
 }
 
+ # A MULTI/EXEC block in the AOF must be replayed even when the default user
+ # is disabled. EXEC re-checks ACLs of the queued commands, but that check
+ # must not apply to the client used for loading the AOF, otherwise the
+ # transaction's writes are silently lost.
+ create_aof $aof_dirpath $aof_file {
+ append_to_aof [formatCommand set outside-tx 1]
+ append_to_aof [formatCommand multi]
+ append_to_aof [formatCommand set inside-tx-a 2]
+ append_to_aof [formatCommand set inside-tx-b 3]
+ append_to_aof [formatCommand exec]
+ }
+
+ set acl_config_lines {user {default off} user {someuser on nopass ~* &* +@all}}
+ start_server_aof_ex [list dir $server_path] [list wait_ready false config_lines $acl_config_lines] {
+ test {AOF with MULTI/EXEC is fully loaded when the default user is disabled} {
+ set c [valkey [srv host] [srv port] 0 $::tls]
+ $c auth someuser somepass
+ wait_done_loading $c
+ assert_equal 1 [$c get outside-tx]
+ assert_equal 2 [$c get inside-tx-a]
+ assert_equal 3 [$c get inside-tx-b]
+ $c close
+ }
+ }
+
 # The server could load AOF which has timestamp annotations inside
 create_aof $aof_dirpath $aof_file {
 append_to_aof "#TS:1628217470\r\n"
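Review bot: The new test proves only the positive case; nothing in it checks that the ACL exemption stays confined to the AOF loading client. Since the server is started with `user {default off}`, a negative assertion after `wait_done_loading $c` would pin that down: open a second connection that never authenticates and assert that a read is rejected, e.g. `set c2 [valkey [srv host] [srv port] 0 $::tls]`, `assert_error {*NOAUTH*} {$c2 get outside-tx}`, `$c2 close`. The `*NOAUTH*` pattern is my assumption and should be matched to the error the server returns to an unauthenticated client in this configuration.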