server_privileges.php

   1 <?php
   2 /* vim: set expandtab sw=4 ts=4 sts=4: */
   3 /**
   4  * Server privileges and users manipulations
   5  *
   6  * @package PhpMyAdmin
   7  */
   8 declare(strict_types=1);
   9
  10 use PhpMyAdmin\CheckUserPrivileges;
  11 use PhpMyAdmin\Core;
  12 use PhpMyAdmin\DatabaseInterface;
  13 use PhpMyAdmin\Message;
  14 use PhpMyAdmin\Relation;
  15 use PhpMyAdmin\RelationCleanup;
  16 use PhpMyAdmin\Response;
  17 use PhpMyAdmin\Server\Privileges;
  18 use PhpMyAdmin\Server\Users;
  19 use PhpMyAdmin\Template;
  20
  21 if (! defined('ROOT_PATH')) {
  22     define('ROOT_PATH', __DIR__ . DIRECTORY_SEPARATOR);
  23 }
  24
  25 global $db, $pmaThemeImage, $text_dir, $url_query;
  26
  27 require_once ROOT_PATH . 'libraries/common.inc.php';
  28
  29 /** @var Response $response */
  30 $response = $containerBuilder->get(Response::class);
  31
  32 /** @var DatabaseInterface $dbi */
  33 $dbi = $containerBuilder->get(DatabaseInterface::class);
  34
  35 $checkUserPrivileges = new CheckUserPrivileges($dbi);
  36 $checkUserPrivileges->getPrivileges();
  37
  38 /** @var Relation $relation */
  39 $relation = $containerBuilder->get('relation');
  40 $cfgRelation = $relation->getRelationsParam();
  41
  42 /**
  43  * Does the common work
  44  */
  45 $header   = $response->getHeader();
  46 $scripts  = $header->getScripts();
  47 $scripts->addFile('server/privileges.js');
  48 $scripts->addFile('vendor/zxcvbn.js');
  49
  50 /** @var Template $template */
  51 $template = $containerBuilder->get('template');
  52 $relationCleanup = new RelationCleanup($dbi, $relation);
  53 $serverPrivileges = new Privileges($template, $dbi, $relation, $relationCleanup);
  54
  55 if ((isset($_GET['viewing_mode'])
  56     && $_GET['viewing_mode'] == 'server')
  57     && $cfgRelation['menuswork']
  58 ) {
  59     $response->addHTML('<div>');
  60     $response->addHTML(Users::getHtmlForSubMenusOnUsersPage('server_privileges.php'));
  61 }
  62
  63 /**
  64  * Sets globals from $_POST patterns, for privileges and max_* vars
  65  */
  66
  67 $post_patterns = [
  68     '/_priv$/i',
  69     '/^max_/i',
  70 ];
  71
  72 Core::setPostAsGlobal($post_patterns);
  73
  74 require ROOT_PATH . 'libraries/server_common.inc.php';
  75
  76 /**
  77  * Messages are built using the message name
  78  */
  79 $strPrivDescAllPrivileges = __('Includes all privileges except GRANT.');
  80 $strPrivDescAlter = __('Allows altering the structure of existing tables.');
  81 $strPrivDescAlterRoutine = __('Allows altering and dropping stored routines.');
  82 $strPrivDescCreateDb = __('Allows creating new databases and tables.');
  83 $strPrivDescCreateRoutine = __('Allows creating stored routines.');
  84 $strPrivDescCreateTbl = __('Allows creating new tables.');
  85 $strPrivDescCreateTmpTable = __('Allows creating temporary tables.');
  86 $strPrivDescCreateUser = __('Allows creating, dropping and renaming user accounts.');
  87 $strPrivDescCreateView = __('Allows creating new views.');
  88 $strPrivDescDelete = __('Allows deleting data.');
  89 $strPrivDescDeleteHistoricalRows = __('Allows deleting historical rows.');
  90 $strPrivDescDropDb = __('Allows dropping databases and tables.');
  91 $strPrivDescDropTbl = __('Allows dropping tables.');
  92 $strPrivDescEvent = __('Allows to set up events for the event scheduler.');
  93 $strPrivDescExecute = __('Allows executing stored routines.');
  94 $strPrivDescFile = __('Allows importing data from and exporting data into files.');
  95 $strPrivDescGrantTbl = __(
  96     'Allows user to give to other users or remove from other users the privileges '
  97     . 'that user possess yourself.'
  98 );
  99 $strPrivDescIndex = __('Allows creating and dropping indexes.');
 100 $strPrivDescInsert = __('Allows inserting and replacing data.');
 101 $strPrivDescLockTables = __('Allows locking tables for the current thread.');
 102 $strPrivDescMaxConnections = __(
 103     'Limits the number of new connections the user may open per hour.'
 104 );
 105 $strPrivDescMaxQuestions = __(
 106     'Limits the number of queries the user may send to the server per hour.'
 107 );
 108 $strPrivDescMaxUpdates = __(
 109     'Limits the number of commands that change any table or database '
 110     . 'the user may execute per hour.'
 111 );
 112 $strPrivDescMaxUserConnections = __(
 113     'Limits the number of simultaneous connections the user may have.'
 114 );
 115 $strPrivDescProcess = __('Allows viewing processes of all users.');
 116 $strPrivDescReferences = __('Has no effect in this MySQL version.');
 117 $strPrivDescReload = __(
 118     'Allows reloading server settings and flushing the server\'s caches.'
 119 );
 120 $strPrivDescReplClient = __(
 121     'Allows the user to ask where the slaves / masters are.'
 122 );
 123 $strPrivDescReplSlave = __('Needed for the replication slaves.');
 124 $strPrivDescSelect = __('Allows reading data.');
 125 $strPrivDescShowDb = __('Gives access to the complete list of databases.');
 126 $strPrivDescShowView = __('Allows performing SHOW CREATE VIEW queries.');
 127 $strPrivDescShutdown = __('Allows shutting down the server.');
 128 $strPrivDescSuper = __(
 129     'Allows connecting, even if maximum number of connections is reached; '
 130     . 'required for most administrative operations like setting global variables '
 131     . 'or killing threads of other users.'
 132 );
 133 $strPrivDescTrigger = __('Allows creating and dropping triggers.');
 134 $strPrivDescUpdate = __('Allows changing data.');
 135 $strPrivDescUsage = __('No privileges.');
 136
 137 $_add_user_error = false;
 138 /**
 139  * Get DB information: username, hostname, dbname,
 140  * tablename, db_and_table, dbname_is_wildcard
 141  */
 142 list(
 143     $username, $hostname, $dbname, $tablename, $routinename,
 144     $db_and_table, $dbname_is_wildcard
 145 ) = $serverPrivileges->getDataForDBInfo();
 146
 147 /**
 148  * Checks if the user is allowed to do what he tries to...
 149  */
 150 if (! $dbi->isSuperuser() && ! $GLOBALS['is_grantuser']
 151     && ! $GLOBALS['is_createuser']
 152 ) {
 153     $response->addHTML(
 154         $template->render('server/sub_page_header', [
 155             'type' => 'privileges',
 156             'is_image' => false,
 157         ])
 158     );
 159     $response->addHTML(
 160         Message::error(__('No Privileges'))
 161             ->getDisplay()
 162     );
 163     exit;
 164 }
 165 if (! $GLOBALS['is_grantuser'] && ! $GLOBALS['is_createuser']) {
 166     $response->addHTML(Message::notice(
 167         __('You do not have the privileges to administrate the users!')
 168     )->getDisplay());
 169 }
 170
 171 /**
 172  * Checks if the user is using "Change Login Information / Copy User" dialog
 173  * only to update the password
 174  */
 175 if (isset($_POST['change_copy']) && $username == $_POST['old_username']
 176     && $hostname == $_POST['old_hostname']
 177 ) {
 178     $response->addHTML(
 179         Message::error(
 180             __(
 181                 "Username and hostname didn't change. "
 182                 . "If you only want to change the password, "
 183                 . "'Change password' tab should be used."
 184             )
 185         )->getDisplay()
 186     );
 187     $response->setRequestStatus(false);
 188     exit;
 189 }
 190
 191 /**
 192  * Changes / copies a user, part I
 193  */
 194 list($queries, $password) = $serverPrivileges->getDataForChangeOrCopyUser();
 195
 196 /**
 197  * Adds a user
 198  *   (Changes / copies a user, part II)
 199  */
 200 list($ret_message, $ret_queries, $queries_for_display, $sql_query, $_add_user_error)
 201     = $serverPrivileges->addUser(
 202         isset($dbname) ? $dbname : null,
 203         isset($username) ? $username : null,
 204         isset($hostname) ? $hostname : null,
 205         isset($password) ? $password : null,
 206         $cfgRelation['menuswork']
 207     );
 208 //update the old variables
 209 if (isset($ret_queries)) {
 210     $queries = $ret_queries;
 211     unset($ret_queries);
 212 }
 213 if (isset($ret_message)) {
 214     $message = $ret_message;
 215     unset($ret_message);
 216 }
 217
 218 /**
 219  * Changes / copies a user, part III
 220  */
 221 if (isset($_POST['change_copy'])) {
 222     $queries = $serverPrivileges->getDbSpecificPrivsQueriesForChangeOrCopyUser(
 223         $queries,
 224         $username,
 225         $hostname
 226     );
 227 }
 228
 229 $itemType = '';
 230 if (! empty($routinename)) {
 231     $itemType = $serverPrivileges->getRoutineType($dbname, $routinename);
 232 }
 233
 234 /**
 235  * Updates privileges
 236  */
 237 if (! empty($_POST['update_privs'])) {
 238     if (is_array($dbname)) {
 239         foreach ($dbname as $key => $db_name) {
 240             list($sql_query[$key], $message) = $serverPrivileges->updatePrivileges(
 241                 (isset($username) ? $username : ''),
 242                 (isset($hostname) ? $hostname : ''),
 243                 (isset($tablename)
 244                     ? $tablename
 245                     : (isset($routinename) ? $routinename : '')),
 246                 (isset($db_name) ? $db_name : ''),
 247                 $itemType
 248             );
 249         }
 250
 251         $sql_query = implode("\n", $sql_query);
 252     } else {
 253         list($sql_query, $message) = $serverPrivileges->updatePrivileges(
 254             (isset($username) ? $username : ''),
 255             (isset($hostname) ? $hostname : ''),
 256             (isset($tablename)
 257                 ? $tablename
 258                 : (isset($routinename) ? $routinename : '')),
 259             (isset($dbname) ? $dbname : ''),
 260             $itemType
 261         );
 262     }
 263 }
 264
 265 /**
 266  * Assign users to user groups
 267  */
 268 if (! empty($_POST['changeUserGroup']) && $cfgRelation['menuswork']
 269     && $dbi->isSuperuser() && $GLOBALS['is_createuser']
 270 ) {
 271     $serverPrivileges->setUserGroup($username, $_POST['userGroup']);
 272     $message = Message::success();
 273 }
 274
 275 /**
 276  * Revokes Privileges
 277  */
 278 if (isset($_POST['revokeall'])) {
 279     list ($message, $sql_query) = $serverPrivileges->getMessageAndSqlQueryForPrivilegesRevoke(
 280         (isset($dbname) ? $dbname : ''),
 281         (isset($tablename)
 282             ? $tablename
 283             : (isset($routinename) ? $routinename : '')),
 284         $username,
 285         $hostname,
 286         $itemType
 287     );
 288 }
 289
 290 /**
 291  * Updates the password
 292  */
 293 if (isset($_POST['change_pw'])) {
 294     $message = $serverPrivileges->updatePassword(
 295         $err_url,
 296         $username,
 297         $hostname
 298     );
 299 }
 300
 301 /**
 302  * Deletes users
 303  *   (Changes / copies a user, part IV)
 304  */
 305 if (isset($_POST['delete'])
 306     || (isset($_POST['change_copy']) && $_POST['mode'] < 4)
 307 ) {
 308     $queries = $serverPrivileges->getDataForDeleteUsers($queries);
 309     if (empty($_POST['change_copy'])) {
 310         list($sql_query, $message) = $serverPrivileges->deleteUser($queries);
 311     }
 312 }
 313
 314 /**
 315  * Changes / copies a user, part V
 316  */
 317 if (isset($_POST['change_copy'])) {
 318     $queries = $serverPrivileges->getDataForQueries($queries, $queries_for_display);
 319     $message = Message::success();
 320     $sql_query = implode("\n", $queries);
 321 }
 322
 323 /**
 324  * Reloads the privilege tables into memory
 325  */
 326 $message_ret = $serverPrivileges->updateMessageForReload();
 327 if ($message_ret !== null) {
 328     $message = $message_ret;
 329     unset($message_ret);
 330 }
 331
 332 /**
 333  * If we are in an Ajax request for Create User/Edit User/Revoke User/
 334  * Flush Privileges, show $message and exit.
 335  */
 336 if ($response->isAjax()
 337     && empty($_REQUEST['ajax_page_request'])
 338     && ! isset($_GET['export'])
 339     && (! isset($_POST['submit_mult']) || $_POST['submit_mult'] != 'export')
 340     && ((! isset($_GET['initial']) || $_GET['initial'] === null
 341     || $_GET['initial'] === '')
 342     || (isset($_POST['delete']) && $_POST['delete'] === __('Go')))
 343     && ! isset($_GET['showall'])
 344     && ! isset($_GET['edit_user_group_dialog'])
 345 ) {
 346     $extra_data = $serverPrivileges->getExtraDataForAjaxBehavior(
 347         (isset($password) ? $password : ''),
 348         (isset($sql_query) ? $sql_query : ''),
 349         (isset($hostname) ? $hostname : ''),
 350         (isset($username) ? $username : '')
 351     );
 352
 353     if (! empty($message) && $message instanceof Message) {
 354         $response->setRequestStatus($message->isSuccess());
 355         $response->addJSON('message', $message);
 356         $response->addJSON($extra_data);
 357         exit;
 358     }
 359 }
 360
 361 /**
 362  * Displays the links
 363  */
 364 if (isset($_GET['viewing_mode']) && $_GET['viewing_mode'] == 'db') {
 365     $db = $_REQUEST['db'] = $_GET['checkprivsdb'];
 366
 367     $url_query .= '&amp;goto=db_operations.php';
 368
 369     // Gets the database structure
 370     $sub_part = '_structure';
 371     ob_start();
 372
 373     list(
 374         $tables,
 375         $num_tables,
 376         $total_num_tables,
 377         $sub_part,
 378         $is_show_stats,
 379         $db_is_system_schema,
 380         $tooltip_truename,
 381         $tooltip_aliasname,
 382         $pos
 383     ) = PhpMyAdmin\Util::getDbInfo($db, $sub_part === null ? '' : $sub_part);
 384
 385     $content = ob_get_contents();
 386     ob_end_clean();
 387     $response->addHTML($content . "\n");
 388 } elseif (! empty($GLOBALS['message'])) {
 389     $response->addHTML(PhpMyAdmin\Util::getMessage($GLOBALS['message']));
 390     unset($GLOBALS['message']);
 391 }
 392
 393 /**
 394  * Displays the page
 395  */
 396 $response->addHTML(
 397     $serverPrivileges->getHtmlForUserGroupDialog(
 398         isset($username) ? $username : null,
 399         $cfgRelation['menuswork']
 400     )
 401 );
 402
 403 // export user definition
 404 if (isset($_GET['export'])
 405     || (isset($_POST['submit_mult']) && $_POST['submit_mult'] == 'export')
 406 ) {
 407     list($title, $export) = $serverPrivileges->getListForExportUserDefinition(
 408         isset($username) ? $username : '',
 409         isset($hostname) ? $hostname : ''
 410     );
 411
 412     unset($username, $hostname, $grants, $one_grant);
 413
 414     if ($response->isAjax()) {
 415         $response->addJSON('message', $export);
 416         $response->addJSON('title', $title);
 417         exit;
 418     } else {
 419         $response->addHTML("<h2>$title</h2>$export");
 420     }
 421 }
 422
 423 if (isset($_GET['adduser'])) {
 424     // Add user
 425     $response->addHTML(
 426         $serverPrivileges->getHtmlForAddUser((isset($dbname) ? $dbname : ''))
 427     );
 428 } elseif (isset($_GET['checkprivsdb'])) {
 429     if (isset($_GET['checkprivstable'])) {
 430         // check the privileges for a particular table.
 431         $response->addHTML(
 432             $serverPrivileges->getHtmlForSpecificTablePrivileges(
 433                 $_GET['checkprivsdb'],
 434                 $_GET['checkprivstable']
 435             )
 436         );
 437     } else {
 438         // check the privileges for a particular database.
 439         $response->addHTML(
 440             $serverPrivileges->getHtmlForSpecificDbPrivileges($_GET['checkprivsdb'])
 441         );
 442     }
 443 } else {
 444     if (isset($dbname) && ! is_array($dbname)) {
 445         $url_dbname = urlencode(
 446             str_replace(
 447                 [
 448                     '\_',
 449                     '\%',
 450                 ],
 451                 [
 452                     '_',
 453                     '%',
 454                 ],
 455                 $dbname
 456             )
 457         );
 458     }
 459
 460     if (! isset($username)) {
 461         // No username is given --> display the overview
 462         $response->addHTML(
 463             $serverPrivileges->getHtmlForUserOverview($pmaThemeImage, $text_dir)
 464         );
 465     } elseif (! empty($routinename)) {
 466         $response->addHTML(
 467             $serverPrivileges->getHtmlForRoutineSpecificPrivileges(
 468                 $username,
 469                 $hostname ?? '',
 470                 $dbname,
 471                 $routinename,
 472                 (isset($url_dbname) ? $url_dbname : '')
 473             )
 474         );
 475     } else {
 476         // A user was selected -> display the user's properties
 477         // In an Ajax request, prevent cached values from showing
 478         if ($response->isAjax()) {
 479             header('Cache-Control: no-cache');
 480         }
 481
 482         $response->addHTML(
 483             $serverPrivileges->getHtmlForUserProperties(
 484                 (isset($dbname_is_wildcard) ? $dbname_is_wildcard : ''),
 485                 (isset($url_dbname) ? $url_dbname : ''),
 486                 $username,
 487                 $hostname ?? '',
 488                 (isset($dbname) ? $dbname : ''),
 489                 (isset($tablename) ? $tablename : '')
 490             )
 491         );
 492     }
 493 }
 494
 495 if ((isset($_GET['viewing_mode']) && $_GET['viewing_mode'] == 'server')
 496     && $GLOBALS['cfgRelation']['menuswork']
 497 ) {
 498     $response->addHTML('</div>');
 499 }