<?php
/* $Id: check_user_privileges.lib.php 10405 2007-05-19 18:08:38Z lem9 $ */
// vim: expandtab sw=4 ts=4 sts=4:

// Get user's global privileges and some db-specific privileges
// ($controllink and $userlink are links to MySQL defined in the "common.lib.php" library)
// Note: if no controluser is defined, $controllink contains $userlink
//
// This library is included for its side effects: it populates the following
// globals for the calling page from the privileges MySQL reports for the
// current user:
//   $is_create_db_priv               - user may create some database
//   $is_process_priv                 - set to true here and never re-checked
//                                      in this file
//   $is_reload_priv                  - user holds RELOAD (or a global CREATE)
//   $db_to_create                    - a db name (pattern) suggested in the
//                                      "Create new database" dialog, '' if none
//   $dbs_where_create_table_allowed  - db names (may contain wildcards, or '*')
//                                      where CREATE is granted
//   $is_superuser                    - result of PMA_isSuperuser()
//
// NOTE(review): the ereg()/ereg_replace() family used throughout this file was
// deprecated in PHP 5.3 and removed in PHP 7; the POSIX patterns ($re0/$re1)
// are not drop-in convertible to PCRE because '\' is literal inside a POSIX
// bracket expression but an escape inside a PCRE one.

$is_create_db_priv = false;
$is_process_priv = true;
$is_reload_priv = false;
$db_to_create = '';
$dbs_where_create_table_allowed = array();

// We were trying to find if user if superuser with 'USE mysql'
// but users with the global priv CREATE TEMPORARY TABLES or LOCK TABLES
// can do a 'USE mysql' (even if they cannot see the tables)
$is_superuser = PMA_isSuperuser();

/**
 * Scans the rows of a SHOW GRANTS result and updates the privilege flags
 * passed by reference.
 *
 * Each row is expected to look like "GRANT <privs> ON <db>.<table> TO ..."
 * (the parsing below keys on the ' ON ' marker and the '.' that follows it);
 * rows in any other shape yield an unpredictable $show_grants_dbname.
 *
 * Stops at the first row granting CREATE on '*' (global); otherwise keeps
 * reading so that every db where CREATE is granted is collected.
 *
 * @param   resource  $rs_usr                          result of a SHOW GRANTS query
 * @param   boolean   &$is_create_db_priv              set to true when some CREATE priv is found
 * @param   string    &$db_to_create                   db name/pattern to suggest ('' for global CREATE)
 * @param   boolean   &$is_reload_priv                 set to true on RELOAD or global CREATE
 * @param   array     &$dbs_where_create_table_allowed db names where CREATE is granted (may contain wildcards or '*')
 *
 * @return  void
 */
function PMA_analyseShowGrant($rs_usr, &$is_create_db_priv, &$db_to_create, &$is_reload_priv, &$dbs_where_create_table_allowed) {

    // POSIX ERE prefixes: $re0 matches the position before a wildcard that is
    // NOT backslash-escaped, $re1 the backslashes before one that IS escaped.
    $re0 = '(^|(\\\\\\\\)+|[^\])'; // non-escaped wildcards
    $re1 = '(^|[^\])(\\\)+'; // escaped wildcards
    while ($row = PMA_DBI_fetch_row($rs_usr)) {
        // db part of "ON <db>.<table>": from after ' ON ' up to the next '.'
        $show_grants_dbname = substr($row[0], strpos($row[0], ' ON ') + 4, (strpos($row[0], '.', strpos($row[0], ' ON ')) - strpos($row[0], ' ON ') - 4));
        // strip the surrounding backquotes, if any
        $show_grants_dbname = ereg_replace('^`(.*)`', '\\1', $show_grants_dbname);
        // privilege list between "GRANT " (6 chars) and ' ON '
        $show_grants_str = substr($row[0], 6, (strpos($row[0], ' ON ') - 6));
        if ($show_grants_str == 'RELOAD') {
            $is_reload_priv = true;
        }
        /**
         * @todo if we find CREATE VIEW but not CREATE, do not offer
         * the create database dialog box
         */
        // 'CREATE,' catches CREATE inside a longer comma-separated list
        if (($show_grants_str == 'ALL') || ($show_grants_str == 'ALL PRIVILEGES') || ($show_grants_str == 'CREATE') || strpos($show_grants_str, 'CREATE,') !== false) {
            if ($show_grants_dbname == '*') {
                // a global CREATE privilege
                $is_create_db_priv = true;
                $is_reload_priv = true;
                $db_to_create = '';
                $dbs_where_create_table_allowed[] = '*';
                break;
            } else {
                // this array may contain wildcards
                $dbs_where_create_table_allowed[] = $show_grants_dbname;

                // before MySQL 4.1.0, we cannot use backquotes around a dbname
                // for the USE command, so the USE will fail if the dbname contains
                // a "-" and we cannot detect if such a db already exists;
                // since 4.1.0, we need to use backquotes if the dbname contains a "-"
                // in a USE command

                if (PMA_MYSQL_INT_VERSION > 40100) {
                    $dbname_to_test = PMA_backquote($show_grants_dbname);
                } else {
                    $dbname_to_test = $show_grants_dbname;
                }

                // Suggest this db when (a) its name is a wildcard pattern with
                // at least one unescaped % or _ and no escaped one, or (b) the
                // db does not exist yet: the USE fails with an error other than
                // 1044 (MySQL ER_DBACCESS_DENIED_ERROR, i.e. "exists but denied").
                // NOTE(review): unlike the mysql.db scan below, the '|_' here is
                // not grouped with $re0, so in ERE the alternation reads as
                // "($re0)%  OR  _" and any underscore matches - looks
                // unintended; confirm.
                if ((ereg($re0 . '%|_', $show_grants_dbname)
                    && !ereg('\\\\%|\\\\_', $show_grants_dbname))
                    // does this db exist?
                    || (!PMA_DBI_try_query('USE ' . ereg_replace($re1 .'(%|_)', '\\1\\3', $dbname_to_test), null, PMA_DBI_QUERY_STORE)
                    && substr(PMA_DBI_getError(), 1, 4) != 1044)
                   ) {
                    // render unescaped wildcards as '...' / '?' for display,
                    // then drop the backslashes in front of escaped ones
                    $db_to_create = ereg_replace($re0 . '%', '\\1...', ereg_replace($re0 . '_', '\\1?', $show_grants_dbname));
                    $db_to_create = ereg_replace($re1 . '(%|_)', '\\1\\3', $db_to_create);
                    $is_create_db_priv = true;

                    /**
                     * @todo collect $db_to_create into an array, to display a
                     * drop-down in the "Create new database" dialog
                     */
                    // we don't break, we want all possible databases
                    //break;
                } // end if
            } // end elseif
        } // end if
    } // end while
} // end function

// Detection for some CREATE privilege.

// Since MySQL 4.1.2, we can easily detect current user's grants
// using $userlink (no control user needed)
// and we don't have to try any other method for detection

if (PMA_MYSQL_INT_VERSION >= 40102) {
    $rs_usr = PMA_DBI_try_query('SHOW GRANTS', $userlink, PMA_DBI_QUERY_STORE);
    if ($rs_usr) {
        PMA_analyseShowGrant($rs_usr, $is_create_db_priv, $db_to_create, $is_reload_priv, $dbs_where_create_table_allowed);
        PMA_DBI_free_result($rs_usr);
        unset($rs_usr);
    }
} else {

    // Before MySQL 4.1.2, we first try to find a priv in mysql.user. Hopefuly
    // the controluser is correctly defined; but here, $controllink could contain
    // $userlink so maybe the SELECT will fail

    if (!$is_create_db_priv) {
        // USER() yields 'user@host'; keep only the user part for the lookups
        // NOTE(review): $res is never passed to PMA_DBI_free_result() - confirm
        // whether the DBI layer frees stored results on its own.
        $res = PMA_DBI_query('SELECT USER();', null, PMA_DBI_QUERY_STORE);
        list($mysql_cur_user_and_host) = PMA_DBI_fetch_row($res);
        $mysql_cur_user = substr($mysql_cur_user_and_host, 0, strrpos($mysql_cur_user_and_host, '@'));

        // the second "User = ''" term matches the anonymous-user row
        $local_query = 'SELECT Create_priv, Reload_priv FROM mysql.user WHERE ' . PMA_convert_using('User') . ' = ' . PMA_convert_using(PMA_sqlAddslashes($mysql_cur_user), 'quoted') . ' OR ' . PMA_convert_using('User') . ' = ' . PMA_convert_using('', 'quoted') . ';';
        $rs_usr = PMA_DBI_try_query($local_query, $controllink, PMA_DBI_QUERY_STORE); // Debug: or PMA_mysqlDie('', $local_query, false);
        if ($rs_usr) {
            // a flag already true is never reset by a later 'N' row
            while ($result_usr = PMA_DBI_fetch_assoc($rs_usr)) {
                if (!$is_create_db_priv) {
                    $is_create_db_priv = ($result_usr['Create_priv'] == 'Y');
                }
                if (!$is_reload_priv) {
                    $is_reload_priv = ($result_usr['Reload_priv'] == 'Y');
                }
            } // end while
            PMA_DBI_free_result($rs_usr);
            unset($rs_usr, $result_usr);
            if ($is_create_db_priv) {
                $dbs_where_create_table_allowed[] = '*';
            }
        } // end if
    } // end if

    // If the user has Create priv on a inexistant db, show him in the dialog
    // the first inexistant db name that we find, in most cases it's probably
    // the one he just dropped :)
    if (!$is_create_db_priv) {
        $local_query = 'SELECT DISTINCT Db FROM mysql.db WHERE ' . PMA_convert_using('Create_priv') . ' = ' . PMA_convert_using('Y', 'quoted') . ' AND (' . PMA_convert_using('User') . ' = ' .PMA_convert_using(PMA_sqlAddslashes($mysql_cur_user), 'quoted') . ' OR ' . PMA_convert_using('User') . ' = ' . PMA_convert_using('', 'quoted') . ');';

        $rs_usr = PMA_DBI_try_query($local_query, $controllink, PMA_DBI_QUERY_STORE);
        if ($rs_usr) {
            // same wildcard prefixes as in PMA_analyseShowGrant()
            $re0 = '(^|(\\\\\\\\)+|[^\])'; // non-escaped wildcards
            $re1 = '(^|[^\])(\\\)+'; // escaped wildcards
            while ($row = PMA_DBI_fetch_assoc($rs_usr)) {
                $dbs_where_create_table_allowed[] = $row['Db'];
                // first db that is a wildcard pattern or does not exist
                // (USE failed with something other than 1044 = access denied);
                // note this USE is not backquoted, unlike the one above
                if (ereg($re0 . '(%|_)', $row['Db'])
                    || (!PMA_DBI_try_query('USE ' . ereg_replace($re1 . '(%|_)', '\\1\\3', $row['Db'])) && substr(PMA_DBI_getError(), 1, 4) != 1044)) {
                    $db_to_create = ereg_replace($re0 . '%', '\\1...', ereg_replace($re0 . '_', '\\1?', $row['Db']));
                    $db_to_create = ereg_replace($re1 . '(%|_)', '\\1\\3', $db_to_create);
                    $is_create_db_priv = true;
                    break;
                } // end if
            } // end while
            PMA_DBI_free_result($rs_usr);
            unset($rs_usr, $row, $re0, $re1);
        } else {
            // Finally, let's try to get the user's privileges by using SHOW
            // GRANTS...
            // Maybe we'll find a little CREATE priv there :)
            // NOTE(review): $mysql_cur_user_and_host (the raw USER() value) is
            // concatenated into the statement without quoting or escaping; it
            // comes from the server, not from request input, but the fallback
            // below does quote its operand - confirm the asymmetry is intended.
            $rs_usr = PMA_DBI_try_query('SHOW GRANTS FOR ' . $mysql_cur_user_and_host . ';', $controllink, PMA_DBI_QUERY_STORE);
            if (!$rs_usr) {
                // OK, now we'd have to guess the user's hostname, but we
                // only try out the 'username'@'%' case.
                $rs_usr = PMA_DBI_try_query('SHOW GRANTS FOR ' . PMA_convert_using(PMA_sqlAddslashes($mysql_cur_user), 'quoted') . ';', $controllink, PMA_DBI_QUERY_STORE);
            }
            unset($local_query);
            if ($rs_usr) {
                PMA_analyseShowGrant($rs_usr, $is_create_db_priv, $db_to_create, $is_reload_priv, $dbs_where_create_table_allowed);
                PMA_DBI_free_result($rs_usr);
                unset($rs_usr);
            } // end if
        } // end elseif
    } // end if
} // end else (MySQL < 4.1.2)

// If disabled, don't show it
// ($is_create_db_priv and $dbs_where_create_table_allowed are kept; only the
// suggested name is blanked)
if (!$cfg['SuggestDBName']) {
    $db_to_create = '';
}
?>