Fix adding a table from list, do not crash the designer if impossible to add
[phpmyadmin.git] / server_privileges.php
blobfda9a5b134a64b47d4e72d3694e16e9c0e63aed3
1 <?php
2 /* vim: set expandtab sw=4 ts=4 sts=4: */
3 /**
4 * Server privileges and users manipulations
6 * @package PhpMyAdmin
7 */
9 use PhpMyAdmin\Core;
10 use PhpMyAdmin\Message;
11 use PhpMyAdmin\Relation;
12 use PhpMyAdmin\Response;
13 use PhpMyAdmin\Server\Common;
14 use PhpMyAdmin\Server\Privileges;
15 use PhpMyAdmin\Server\Users;
16 use PhpMyAdmin\Template;
18 /**
19 * include common file
21 require_once 'libraries/common.inc.php';
23 /**
24 * functions implementation for this script
26 require_once 'libraries/check_user_privileges.inc.php';
28 $relation = new Relation();
29 $cfgRelation = $relation->getRelationsParam();
31 /**
32 * Does the common work
34 $response = Response::getInstance();
35 $header = $response->getHeader();
36 $scripts = $header->getScripts();
37 $scripts->addFile('server_privileges.js');
38 $scripts->addFile('vendor/zxcvbn.js');
40 if ((isset($_GET['viewing_mode'])
41 && $_GET['viewing_mode'] == 'server')
42 && $cfgRelation['menuswork']
43 ) {
44 $response->addHTML('<div>');
45 $response->addHTML(Users::getHtmlForSubMenusOnUsersPage('server_privileges.php'));
48 /**
49 * Sets globals from $_POST patterns, for privileges and max_* vars
52 $post_patterns = array(
53 '/_priv$/i',
54 '/^max_/i'
57 Core::setPostAsGlobal($post_patterns);
59 require 'libraries/server_common.inc.php';
61 /**
62 * Messages are built using the message name
64 $strPrivDescAllPrivileges = __('Includes all privileges except GRANT.');
65 $strPrivDescAlter = __('Allows altering the structure of existing tables.');
66 $strPrivDescAlterRoutine = __('Allows altering and dropping stored routines.');
67 $strPrivDescCreateDb = __('Allows creating new databases and tables.');
68 $strPrivDescCreateRoutine = __('Allows creating stored routines.');
69 $strPrivDescCreateTbl = __('Allows creating new tables.');
70 $strPrivDescCreateTmpTable = __('Allows creating temporary tables.');
71 $strPrivDescCreateUser = __('Allows creating, dropping and renaming user accounts.');
72 $strPrivDescCreateView = __('Allows creating new views.');
73 $strPrivDescDelete = __('Allows deleting data.');
74 $strPrivDescDeleteHistoricalRows = __('Allows deleting historical rows.');
75 $strPrivDescDropDb = __('Allows dropping databases and tables.');
76 $strPrivDescDropTbl = __('Allows dropping tables.');
77 $strPrivDescEvent = __('Allows to set up events for the event scheduler.');
78 $strPrivDescExecute = __('Allows executing stored routines.');
79 $strPrivDescFile = __('Allows importing data from and exporting data into files.');
80 $strPrivDescGrantTbl = __(
81 'Allows user to give to other users or remove from other users the privileges '
82 . 'that user possess yourself.'
84 $strPrivDescIndex = __('Allows creating and dropping indexes.');
85 $strPrivDescInsert = __('Allows inserting and replacing data.');
86 $strPrivDescLockTables = __('Allows locking tables for the current thread.');
87 $strPrivDescMaxConnections = __(
88 'Limits the number of new connections the user may open per hour.'
90 $strPrivDescMaxQuestions = __(
91 'Limits the number of queries the user may send to the server per hour.'
93 $strPrivDescMaxUpdates = __(
94 'Limits the number of commands that change any table or database '
95 . 'the user may execute per hour.'
97 $strPrivDescMaxUserConnections = __(
98 'Limits the number of simultaneous connections the user may have.'
100 $strPrivDescProcess = __('Allows viewing processes of all users.');
101 $strPrivDescReferences = __('Has no effect in this MySQL version.');
102 $strPrivDescReload = __(
103 'Allows reloading server settings and flushing the server\'s caches.'
105 $strPrivDescReplClient = __(
106 'Allows the user to ask where the slaves / masters are.'
108 $strPrivDescReplSlave = __('Needed for the replication slaves.');
109 $strPrivDescSelect = __('Allows reading data.');
110 $strPrivDescShowDb = __('Gives access to the complete list of databases.');
111 $strPrivDescShowView = __('Allows performing SHOW CREATE VIEW queries.');
112 $strPrivDescShutdown = __('Allows shutting down the server.');
113 $strPrivDescSuper = __(
114 'Allows connecting, even if maximum number of connections is reached; '
115 . 'required for most administrative operations like setting global variables '
116 . 'or killing threads of other users.'
118 $strPrivDescTrigger = __('Allows creating and dropping triggers.');
119 $strPrivDescUpdate = __('Allows changing data.');
120 $strPrivDescUsage = __('No privileges.');
122 $_add_user_error = false;
124 * Get DB information: username, hostname, dbname,
125 * tablename, db_and_table, dbname_is_wildcard
127 list(
128 $username, $hostname, $dbname, $tablename, $routinename,
129 $db_and_table, $dbname_is_wildcard
130 ) = Privileges::getDataForDBInfo();
133 * Checks if the user is allowed to do what he tries to...
135 if (!$GLOBALS['dbi']->isSuperuser() && !$GLOBALS['is_grantuser']
136 && !$GLOBALS['is_createuser']
138 $response->addHTML(
139 Template::get('server/sub_page_header')->render([
140 'type' => 'privileges',
141 'is_image' => false,
144 $response->addHTML(
145 Message::error(__('No Privileges'))
146 ->getDisplay()
148 exit;
150 if (! $GLOBALS['is_grantuser'] && !$GLOBALS['is_createuser']) {
151 $response->addHTML(Message::notice(
152 __('You do not have privileges to manipulate with the users!')
153 )->getDisplay());
157 * Checks if the user is using "Change Login Information / Copy User" dialog
158 * only to update the password
160 if (isset($_POST['change_copy']) && $username == $_POST['old_username']
161 && $hostname == $_POST['old_hostname']
163 $response->addHTML(
164 Message::error(
166 "Username and hostname didn't change. "
167 . "If you only want to change the password, "
168 . "'Change password' tab should be used."
170 )->getDisplay()
172 $response->setRequestStatus(false);
173 exit;
177 * Changes / copies a user, part I
179 list($queries, $password) = Privileges::getDataForChangeOrCopyUser();
182 * Adds a user
183 * (Changes / copies a user, part II)
185 list($ret_message, $ret_queries, $queries_for_display, $sql_query, $_add_user_error)
186 = Privileges::addUser(
187 isset($dbname)? $dbname : null,
188 isset($username)? $username : null,
189 isset($hostname)? $hostname : null,
190 isset($password)? $password : null,
191 $cfgRelation['menuswork']
193 //update the old variables
194 if (isset($ret_queries)) {
195 $queries = $ret_queries;
196 unset($ret_queries);
198 if (isset($ret_message)) {
199 $message = $ret_message;
200 unset($ret_message);
204 * Changes / copies a user, part III
206 if (isset($_POST['change_copy'])) {
207 $queries = Privileges::getDbSpecificPrivsQueriesForChangeOrCopyUser(
208 $queries, $username, $hostname
212 $itemType = '';
213 if (! empty($routinename)) {
214 $itemType = Privileges::getRoutineType($dbname, $routinename);
218 * Updates privileges
220 if (! empty($_POST['update_privs'])) {
221 if (is_array($dbname)) {
222 foreach ($dbname as $key => $db_name) {
223 list($sql_query[$key], $message) = Privileges::updatePrivileges(
224 (isset($username) ? $username : ''),
225 (isset($hostname) ? $hostname : ''),
226 (isset($tablename)
227 ? $tablename
228 : (isset($routinename) ? $routinename : '')),
229 (isset($db_name) ? $db_name : ''),
230 $itemType
234 $sql_query = implode("\n", $sql_query);
235 } else {
236 list($sql_query, $message) = Privileges::updatePrivileges(
237 (isset($username) ? $username : ''),
238 (isset($hostname) ? $hostname : ''),
239 (isset($tablename)
240 ? $tablename
241 : (isset($routinename) ? $routinename : '')),
242 (isset($dbname) ? $dbname : ''),
243 $itemType
249 * Assign users to user groups
251 if (! empty($_POST['changeUserGroup']) && $cfgRelation['menuswork']
252 && $GLOBALS['dbi']->isSuperuser() && $GLOBALS['is_createuser']
254 Privileges::setUserGroup($username, $_POST['userGroup']);
255 $message = Message::success();
259 * Revokes Privileges
261 if (isset($_POST['revokeall'])) {
262 list ($message, $sql_query) = Privileges::getMessageAndSqlQueryForPrivilegesRevoke(
263 (isset($dbname) ? $dbname : ''),
264 (isset($tablename)
265 ? $tablename
266 : (isset($routinename) ? $routinename : '')),
267 $username,
268 $hostname,
269 $itemType
274 * Updates the password
276 if (isset($_POST['change_pw'])) {
277 $message = Privileges::updatePassword(
278 $err_url, $username, $hostname
283 * Deletes users
284 * (Changes / copies a user, part IV)
286 if (isset($_POST['delete'])
287 || (isset($_POST['change_copy']) && $_POST['mode'] < 4)
289 $queries = Privileges::getDataForDeleteUsers($queries);
290 if (empty($_POST['change_copy'])) {
291 list($sql_query, $message) = Privileges::deleteUser($queries);
296 * Changes / copies a user, part V
298 if (isset($_POST['change_copy'])) {
299 $queries = Privileges::getDataForQueries($queries, $queries_for_display);
300 $message = Message::success();
301 $sql_query = join("\n", $queries);
305 * Reloads the privilege tables into memory
307 $message_ret = Privileges::updateMessageForReload();
308 if (isset($message_ret)) {
309 $message = $message_ret;
310 unset($message_ret);
314 * If we are in an Ajax request for Create User/Edit User/Revoke User/
315 * Flush Privileges, show $message and exit.
317 if ($response->isAjax()
318 && empty($_REQUEST['ajax_page_request'])
319 && ! isset($_GET['export'])
320 && (! isset($_POST['submit_mult']) || $_POST['submit_mult'] != 'export')
321 && ((! isset($_GET['initial']) || $_GET['initial'] === null
322 || $_GET['initial'] === '')
323 || (isset($_POST['delete']) && $_POST['delete'] === __('Go')))
324 && ! isset($_GET['showall'])
325 && ! isset($_GET['edit_user_group_dialog'])
327 $extra_data = Privileges::getExtraDataForAjaxBehavior(
328 (isset($password) ? $password : ''),
329 (isset($sql_query) ? $sql_query : ''),
330 (isset($hostname) ? $hostname : ''),
331 (isset($username) ? $username : '')
334 if (! empty($message) && $message instanceof Message) {
335 $response->setRequestStatus($message->isSuccess());
336 $response->addJSON('message', $message);
337 $response->addJSON($extra_data);
338 exit;
343 * Displays the links
345 if (isset($_GET['viewing_mode']) && $_GET['viewing_mode'] == 'db') {
346 $GLOBALS['db'] = $_REQUEST['db'] = $_GET['checkprivsdb'];
348 $url_query .= '&amp;goto=db_operations.php';
350 // Gets the database structure
351 $sub_part = '_structure';
352 ob_start();
354 list(
355 $tables,
356 $num_tables,
357 $total_num_tables,
358 $sub_part,
359 $is_show_stats,
360 $db_is_system_schema,
361 $tooltip_truename,
362 $tooltip_aliasname,
363 $pos
364 ) = PhpMyAdmin\Util::getDbInfo($db, isset($sub_part) ? $sub_part : '');
366 $content = ob_get_contents();
367 ob_end_clean();
368 $response->addHTML($content . "\n");
369 } else {
370 if (! empty($GLOBALS['message'])) {
371 $response->addHTML(PhpMyAdmin\Util::getMessage($GLOBALS['message']));
372 unset($GLOBALS['message']);
377 * Displays the page
379 $response->addHTML(
380 Privileges::getHtmlForUserGroupDialog(
381 isset($username)? $username : null,
382 $cfgRelation['menuswork']
386 // export user definition
387 if (isset($_GET['export'])
388 || (isset($_POST['submit_mult']) && $_POST['submit_mult'] == 'export')
390 list($title, $export) = Privileges::getListForExportUserDefinition(
391 isset($username) ? $username : null,
392 isset($hostname) ? $hostname : null
395 unset($username, $hostname, $grants, $one_grant);
397 if ($response->isAjax()) {
398 $response->addJSON('message', $export);
399 $response->addJSON('title', $title);
400 exit;
401 } else {
402 $response->addHTML("<h2>$title</h2>$export");
406 if (isset($_GET['adduser'])) {
407 // Add user
408 $response->addHTML(
409 Privileges::getHtmlForAddUser((isset($dbname) ? $dbname : ''))
411 } elseif (isset($_GET['checkprivsdb'])) {
412 if (isset($_GET['checkprivstable'])) {
413 // check the privileges for a particular table.
414 $response->addHTML(
415 Privileges::getHtmlForSpecificTablePrivileges(
416 $_GET['checkprivsdb'], $_GET['checkprivstable']
419 } else {
420 // check the privileges for a particular database.
421 $response->addHTML(
422 Privileges::getHtmlForSpecificDbPrivileges($_GET['checkprivsdb'])
425 } else {
426 if (isset($dbname) && ! is_array($dbname)) {
427 $url_dbname = urlencode(
428 str_replace(
429 array('\_', '\%'),
430 array('_', '%'),
431 $dbname
436 if (! isset($username)) {
437 // No username is given --> display the overview
438 $response->addHTML(
439 Privileges::getHtmlForUserOverview($pmaThemeImage, $text_dir)
441 } elseif (!empty($routinename)) {
442 $response->addHTML(
443 Privileges::getHtmlForRoutineSpecificPrivileges(
444 $username, $hostname, $dbname, $routinename,
445 (isset($url_dbname) ? $url_dbname : '')
448 } else {
449 // A user was selected -> display the user's properties
450 // In an Ajax request, prevent cached values from showing
451 if ($response->isAjax()) {
452 header('Cache-Control: no-cache');
455 $response->addHTML(
456 Privileges::getHtmlForUserProperties(
457 (isset($dbname_is_wildcard) ? $dbname_is_wildcard : ''),
458 (isset($url_dbname) ? $url_dbname : ''),
459 $username, $hostname,
460 (isset($dbname) ? $dbname : ''),
461 (isset($tablename) ? $tablename : '')
467 if ((isset($_GET['viewing_mode']) && $_GET['viewing_mode'] == 'server')
468 && $GLOBALS['cfgRelation']['menuswork']
470 $response->addHTML('</div>');