search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
2.9.2-rc1
[phpmyadmin/arisferyanto.git] / libraries / check_user_privileges.lib.php
blob04dfb0ec28c71bd94197b31d9fa46938b9a6fd0a
1 <?php
2 /* $Id$ */
3 // vim: expandtab sw=4 ts=4 sts=4:
4
5 // Get user's global privileges and some db-specific privileges
6 // ($controllink and $userlink are links to MySQL defined in the "common.lib.php" library)
7 // Note: if no controluser is defined, $controllink contains $userlink
8
9 $is_create_db_priv = false;
10 $is_process_priv = true;
11 $is_reload_priv = false;
12 $db_to_create = '';
13 $dbs_where_create_table_allowed = array();
14
15 // We were trying to find if user if superuser with 'USE mysql'
16 // but users with the global priv CREATE TEMPORARY TABLES or LOCK TABLES
17 // can do a 'USE mysql' (even if they cannot see the tables)
18 $is_superuser = PMA_isSuperuser();
19
20 function PMA_analyseShowGrant($rs_usr, &$is_create_db_priv, &$db_to_create, &$is_reload_priv, &$dbs_where_create_table_allowed) {
21
22 $re0 = '(^|(\\\\\\\\)+|[^\])'; // non-escaped wildcards
23 $re1 = '(^|[^\])(\\\)+'; // escaped wildcards
24 while ($row = PMA_DBI_fetch_row($rs_usr)) {
25 $show_grants_dbname = substr($row[0], strpos($row[0], ' ON ') + 4, (strpos($row[0], '.', strpos($row[0], ' ON ')) - strpos($row[0], ' ON ') - 4));
26 $show_grants_dbname = ereg_replace('^`(.*)`', '\\1', $show_grants_dbname);
27 $show_grants_str = substr($row[0], 6, (strpos($row[0], ' ON ') - 6));
28 if ($show_grants_str == 'RELOAD') {
29 $is_reload_priv = true;
30 }
31 if (($show_grants_str == 'ALL') || ($show_grants_str == 'ALL PRIVILEGES') || ($show_grants_str == 'CREATE') || strpos($show_grants_str, 'CREATE')) {
32 if ($show_grants_dbname == '*') {
33 // a global CREATE privilege
34 $is_create_db_priv = true;
35 $is_reload_priv = true;
36 $db_to_create = '';
37 $dbs_where_create_table_allowed[] = '*';
38 break;
39 } else {
40 // this array may contain wildcards
41 $dbs_where_create_table_allowed[] = $show_grants_dbname;
42
43 // before MySQL 4.1.0, we cannot use backquotes around a dbname
44 // for the USE command, so the USE will fail if the dbname contains
45 // a "-" and we cannot detect if such a db already exists;
46 // since 4.1.0, we need to use backquotes if the dbname contains a "-"
47 // in a USE command
48
49 if (PMA_MYSQL_INT_VERSION > 40100) {
50 $dbname_to_test = PMA_backquote($show_grants_dbname);
51 } else {
52 $dbname_to_test = $show_grants_dbname;
53 }
54
55 if ( (ereg($re0 . '%|_', $show_grants_dbname)
56 && !ereg('\\\\%|\\\\_', $show_grants_dbname))
57 // does this db exist?
58 || (!PMA_DBI_try_query('USE ' . ereg_replace($re1 .'(%|_)', '\\1\\3', $dbname_to_test), null, PMA_DBI_QUERY_STORE) && substr(PMA_DBI_getError(), 1, 4) != 1044)
59 ) {
60 $db_to_create = ereg_replace($re0 . '%', '\\1...', ereg_replace($re0 . '_', '\\1?', $show_grants_dbname));
61 $db_to_create = ereg_replace($re1 . '(%|_)', '\\1\\3', $db_to_create);
62 $is_create_db_priv = true;
63
64 // TODO: collect $db_to_create into an array, to display a drop-down
65 // in the "Create new database" dialog
66 //
67 // we don't break, we want all possible databases
68 //break;
69 } // end if
70 } // end elseif
71 } // end if
72 } // end while
73 } // end function
74
75 // Detection for some CREATE privilege.
76
77 // Since MySQL 4.1.2, we can easily detect current user's grants
78 // using $userlink (no control user needed)
79 // and we don't have to try any other method for detection
80
81 if (PMA_MYSQL_INT_VERSION >= 40102) {
82 $rs_usr = PMA_DBI_try_query('SHOW GRANTS', $userlink, PMA_DBI_QUERY_STORE);
83 if ($rs_usr) {
84 PMA_analyseShowGrant($rs_usr, $is_create_db_priv, $db_to_create, $is_reload_priv, $dbs_where_create_table_allowed);
85 PMA_DBI_free_result($rs_usr);
86 unset($rs_usr);
87 }
88 } else {
89
90 // Before MySQL 4.1.2, we first try to find a priv in mysql.user. Hopefuly
91 // the controluser is correctly defined; but here, $controllink could contain
92 // $userlink so maybe the SELECT will fail
93
94 if (!$is_create_db_priv) {
95 $res = PMA_DBI_query('SELECT USER();', null, PMA_DBI_QUERY_STORE);
96 list($mysql_cur_user_and_host) = PMA_DBI_fetch_row($res);
97 $mysql_cur_user = substr($mysql_cur_user_and_host, 0, strrpos($mysql_cur_user_and_host, '@'));
98
99 $local_query = 'SELECT Create_priv, Reload_priv FROM mysql.user WHERE ' . PMA_convert_using('User') . ' = ' . PMA_convert_using(PMA_sqlAddslashes($mysql_cur_user), 'quoted') . ' OR ' . PMA_convert_using('User') . ' = ' . PMA_convert_using('', 'quoted') . ';';
100 $rs_usr = PMA_DBI_try_query($local_query, $controllink, PMA_DBI_QUERY_STORE); // Debug: or PMA_mysqlDie('', $local_query, false);
101 if ($rs_usr) {
102 while ($result_usr = PMA_DBI_fetch_assoc($rs_usr)) {
103 if (!$is_create_db_priv) {
104 $is_create_db_priv = ($result_usr['Create_priv'] == 'Y');
105 }
106 if (!$is_reload_priv) {
107 $is_reload_priv = ($result_usr['Reload_priv'] == 'Y');
108 }
109 } // end while
110 PMA_DBI_free_result($rs_usr);
111 unset($rs_usr, $result_usr);
112 if ($is_create_db_priv) {
113 $dbs_where_create_table_allowed[] = '*';
114 }
115 } // end if
116 } // end if
117
118 // If the user has Create priv on a inexistant db, show him in the dialog
119 // the first inexistant db name that we find, in most cases it's probably
120 // the one he just dropped :)
121 if (!$is_create_db_priv) {
122 $local_query = 'SELECT DISTINCT Db FROM mysql.db WHERE ' . PMA_convert_using('Create_priv') . ' = ' . PMA_convert_using('Y', 'quoted') . ' AND (' . PMA_convert_using('User') . ' = ' .PMA_convert_using(PMA_sqlAddslashes($mysql_cur_user), 'quoted') . ' OR ' . PMA_convert_using('User') . ' = ' . PMA_convert_using('', 'quoted') . ');';
123
124 $rs_usr = PMA_DBI_try_query($local_query, $controllink, PMA_DBI_QUERY_STORE);
125 if ($rs_usr) {
126 $re0 = '(^|(\\\\\\\\)+|[^\])'; // non-escaped wildcards
127 $re1 = '(^|[^\])(\\\)+'; // escaped wildcards
128 while ($row = PMA_DBI_fetch_assoc($rs_usr)) {
129 $dbs_where_create_table_allowed[] = $row['Db'];
130 if (ereg($re0 . '(%|_)', $row['Db'])
131 || (!PMA_DBI_try_query('USE ' . ereg_replace($re1 . '(%|_)', '\\1\\3', $row['Db'])) && substr(PMA_DBI_getError(), 1, 4) != 1044)) {
132 $db_to_create = ereg_replace($re0 . '%', '\\1...', ereg_replace($re0 . '_', '\\1?', $row['Db']));
133 $db_to_create = ereg_replace($re1 . '(%|_)', '\\1\\3', $db_to_create);
134 $is_create_db_priv = true;
135 break;
136 } // end if
137 } // end while
138 PMA_DBI_free_result($rs_usr);
139 unset($rs_usr, $row, $re0, $re1);
140 } else {
141 // Finally, let's try to get the user's privileges by using SHOW
142 // GRANTS...
143 // Maybe we'll find a little CREATE priv there :)
144 $rs_usr = PMA_DBI_try_query('SHOW GRANTS FOR ' . $mysql_cur_user_and_host . ';', $controllink, PMA_DBI_QUERY_STORE);
145 if (!$rs_usr) {
146 // OK, now we'd have to guess the user's hostname, but we
147 // only try out the 'username'@'%' case.
148 $rs_usr = PMA_DBI_try_query('SHOW GRANTS FOR ' . PMA_convert_using(PMA_sqlAddslashes($mysql_cur_user), 'quoted') . ';', $controllink, PMA_DBI_QUERY_STORE);
149 }
150 unset($local_query);
151 if ($rs_usr) {
152 PMA_analyseShowGrant($rs_usr, $is_create_db_priv, $db_to_create, $is_reload_priv, $dbs_where_create_table_allowed);
153 PMA_DBI_free_result($rs_usr);
154 unset($rs_usr);
155 } // end if
156 } // end elseif
157 } // end if
158 } // end else (MySQL < 4.1.2)
159
160 // If disabled, don't show it
161 if (!$cfg['SuggestDBName']) {
162 $db_to_create = '';
163 }
164 ?>
Browse-mode Improvements ++