server_privileges.php

   1 <?php
   2 /* vim: set expandtab sw=4 ts=4 sts=4: */
   3 /**
   4  * Server privileges and users manipulations
   5  *
   6  * @package PhpMyAdmin
   7  */
   8 declare(strict_types=1);
   9
  10 use PhpMyAdmin\Core;
  11 use PhpMyAdmin\Message;
  12 use PhpMyAdmin\Relation;
  13 use PhpMyAdmin\RelationCleanup;
  14 use PhpMyAdmin\Response;
  15 use PhpMyAdmin\Server\Privileges;
  16 use PhpMyAdmin\Server\Users;
  17 use PhpMyAdmin\Template;
  18
  19 /**
  20  * include common file
  21  */
  22 require_once 'libraries/common.inc.php';
  23
  24 /**
  25  * functions implementation for this script
  26  */
  27 require_once 'libraries/check_user_privileges.inc.php';
  28
  29 $relation = new Relation($GLOBALS['dbi']);
  30 $cfgRelation = $relation->getRelationsParam();
  31
  32 /**
  33  * Does the common work
  34  */
  35 $response = Response::getInstance();
  36 $header   = $response->getHeader();
  37 $scripts  = $header->getScripts();
  38 $scripts->addFile('server_privileges.js');
  39 $scripts->addFile('vendor/zxcvbn.js');
  40
  41 $template = new Template();
  42 $relationCleanup = new RelationCleanup($GLOBALS['dbi'], $relation);
  43 $serverPrivileges = new Privileges($template, $GLOBALS['dbi'], $relation, $relationCleanup);
  44
  45 if ((isset($_REQUEST['viewing_mode'])
  46     && $_REQUEST['viewing_mode'] == 'server')
  47     && $GLOBALS['cfgRelation']['menuswork']
  48 ) {
  49     $response->addHTML('<div>');
  50     $response->addHTML(Users::getHtmlForSubMenusOnUsersPage('server_privileges.php'));
  51 }
  52
  53 /**
  54  * Sets globals from $_POST patterns, for privileges and max_* vars
  55  */
  56
  57 $post_patterns = [
  58     '/_priv$/i',
  59     '/^max_/i'
  60 ];
  61
  62 Core::setPostAsGlobal($post_patterns);
  63
  64 require 'libraries/server_common.inc.php';
  65
  66 /**
  67  * Messages are built using the message name
  68  */
  69 $strPrivDescAllPrivileges = __('Includes all privileges except GRANT.');
  70 $strPrivDescAlter = __('Allows altering the structure of existing tables.');
  71 $strPrivDescAlterRoutine = __('Allows altering and dropping stored routines.');
  72 $strPrivDescCreateDb = __('Allows creating new databases and tables.');
  73 $strPrivDescCreateRoutine = __('Allows creating stored routines.');
  74 $strPrivDescCreateTbl = __('Allows creating new tables.');
  75 $strPrivDescCreateTmpTable = __('Allows creating temporary tables.');
  76 $strPrivDescCreateUser = __('Allows creating, dropping and renaming user accounts.');
  77 $strPrivDescCreateView = __('Allows creating new views.');
  78 $strPrivDescDelete = __('Allows deleting data.');
  79 $strPrivDescDropDb = __('Allows dropping databases and tables.');
  80 $strPrivDescDropTbl = __('Allows dropping tables.');
  81 $strPrivDescEvent = __('Allows to set up events for the event scheduler.');
  82 $strPrivDescExecute = __('Allows executing stored routines.');
  83 $strPrivDescFile = __('Allows importing data from and exporting data into files.');
  84 $strPrivDescGrantTbl = __(
  85     'Allows user to give to other users or remove from other users the privileges '
  86     . 'that user possess yourself.'
  87 );
  88 $strPrivDescIndex = __('Allows creating and dropping indexes.');
  89 $strPrivDescInsert = __('Allows inserting and replacing data.');
  90 $strPrivDescLockTables = __('Allows locking tables for the current thread.');
  91 $strPrivDescMaxConnections = __(
  92     'Limits the number of new connections the user may open per hour.'
  93 );
  94 $strPrivDescMaxQuestions = __(
  95     'Limits the number of queries the user may send to the server per hour.'
  96 );
  97 $strPrivDescMaxUpdates = __(
  98     'Limits the number of commands that change any table or database '
  99     . 'the user may execute per hour.'
 100 );
 101 $strPrivDescMaxUserConnections = __(
 102     'Limits the number of simultaneous connections the user may have.'
 103 );
 104 $strPrivDescProcess = __('Allows viewing processes of all users.');
 105 $strPrivDescReferences = __('Has no effect in this MySQL version.');
 106 $strPrivDescReload = __(
 107     'Allows reloading server settings and flushing the server\'s caches.'
 108 );
 109 $strPrivDescReplClient = __(
 110     'Allows the user to ask where the slaves / masters are.'
 111 );
 112 $strPrivDescReplSlave = __('Needed for the replication slaves.');
 113 $strPrivDescSelect = __('Allows reading data.');
 114 $strPrivDescShowDb = __('Gives access to the complete list of databases.');
 115 $strPrivDescShowView = __('Allows performing SHOW CREATE VIEW queries.');
 116 $strPrivDescShutdown = __('Allows shutting down the server.');
 117 $strPrivDescSuper = __(
 118     'Allows connecting, even if maximum number of connections is reached; '
 119     . 'required for most administrative operations like setting global variables '
 120     . 'or killing threads of other users.'
 121 );
 122 $strPrivDescTrigger = __('Allows creating and dropping triggers.');
 123 $strPrivDescUpdate = __('Allows changing data.');
 124 $strPrivDescUsage = __('No privileges.');
 125
 126 $_add_user_error = false;
 127 /**
 128  * Get DB information: username, hostname, dbname,
 129  * tablename, db_and_table, dbname_is_wildcard
 130  */
 131 list(
 132     $username, $hostname, $dbname, $tablename, $routinename,
 133     $db_and_table, $dbname_is_wildcard
 134 ) = $serverPrivileges->getDataForDBInfo();
 135
 136 /**
 137  * Checks if the user is allowed to do what he tries to...
 138  */
 139 if (!$GLOBALS['dbi']->isSuperuser() && !$GLOBALS['is_grantuser']
 140     && !$GLOBALS['is_createuser']
 141 ) {
 142     $response->addHTML(
 143         $template->render('server/sub_page_header', [
 144             'type' => 'privileges',
 145             'is_image' => false,
 146         ])
 147     );
 148     $response->addHTML(
 149         Message::error(__('No Privileges'))
 150             ->getDisplay()
 151     );
 152     exit;
 153 }
 154 if (! $GLOBALS['is_grantuser'] && !$GLOBALS['is_createuser']) {
 155     $response->addHTML(Message::notice(
 156         __('You do not have the privileges to administrate the users!')
 157     )->getDisplay());
 158 }
 159
 160 /**
 161  * Checks if the user is using "Change Login Information / Copy User" dialog
 162  * only to update the password
 163  */
 164 if (isset($_REQUEST['change_copy']) && $username == $_REQUEST['old_username']
 165     && $hostname == $_REQUEST['old_hostname']
 166 ) {
 167     $response->addHTML(
 168         Message::error(
 169             __(
 170                 "Username and hostname didn't change. "
 171                 . "If you only want to change the password, "
 172                 . "'Change password' tab should be used."
 173             )
 174         )->getDisplay()
 175     );
 176     $response->setRequestStatus(false);
 177     exit;
 178 }
 179
 180 /**
 181  * Changes / copies a user, part I
 182  */
 183 list($queries, $password) = $serverPrivileges->getDataForChangeOrCopyUser();
 184
 185 /**
 186  * Adds a user
 187  *   (Changes / copies a user, part II)
 188  */
 189 list($ret_message, $ret_queries, $queries_for_display, $sql_query, $_add_user_error)
 190     = $serverPrivileges->addUser(
 191         isset($dbname) ? $dbname : null,
 192         isset($username) ? $username : null,
 193         isset($hostname) ? $hostname : null,
 194         isset($password) ? $password : null,
 195         $cfgRelation['menuswork']
 196     );
 197 //update the old variables
 198 if (isset($ret_queries)) {
 199     $queries = $ret_queries;
 200     unset($ret_queries);
 201 }
 202 if (isset($ret_message)) {
 203     $message = $ret_message;
 204     unset($ret_message);
 205 }
 206
 207 /**
 208  * Changes / copies a user, part III
 209  */
 210 if (isset($_REQUEST['change_copy'])) {
 211     $queries = $serverPrivileges->getDbSpecificPrivsQueriesForChangeOrCopyUser(
 212         $queries,
 213         $username,
 214         $hostname
 215     );
 216 }
 217
 218 $itemType = '';
 219 if (! empty($routinename)) {
 220     $itemType = $serverPrivileges->getRoutineType($dbname, $routinename);
 221 }
 222
 223 /**
 224  * Updates privileges
 225  */
 226 if (! empty($_POST['update_privs'])) {
 227     if (is_array($dbname)) {
 228         foreach ($dbname as $key => $db_name) {
 229             list($sql_query[$key], $message) = $serverPrivileges->updatePrivileges(
 230                 (isset($username) ? $username : ''),
 231                 (isset($hostname) ? $hostname : ''),
 232                 (isset($tablename)
 233                     ? $tablename
 234                     : (isset($routinename) ? $routinename : '')),
 235                 (isset($db_name) ? $db_name : ''),
 236                 $itemType
 237             );
 238         }
 239
 240         $sql_query = implode("\n", $sql_query);
 241     } else {
 242         list($sql_query, $message) = $serverPrivileges->updatePrivileges(
 243             (isset($username) ? $username : ''),
 244             (isset($hostname) ? $hostname : ''),
 245             (isset($tablename)
 246                 ? $tablename
 247                 : (isset($routinename) ? $routinename : '')),
 248             (isset($dbname) ? $dbname : ''),
 249             $itemType
 250         );
 251     }
 252 }
 253
 254 /**
 255  * Assign users to user groups
 256  */
 257 if (! empty($_REQUEST['changeUserGroup']) && $cfgRelation['menuswork']
 258     && $GLOBALS['dbi']->isSuperuser() && $GLOBALS['is_createuser']
 259 ) {
 260     $serverPrivileges->setUserGroup($username, $_REQUEST['userGroup']);
 261     $message = Message::success();
 262 }
 263
 264 /**
 265  * Revokes Privileges
 266  */
 267 if (isset($_REQUEST['revokeall'])) {
 268     list ($message, $sql_query) = $serverPrivileges->getMessageAndSqlQueryForPrivilegesRevoke(
 269         (isset($dbname) ? $dbname : ''),
 270         (isset($tablename)
 271             ? $tablename
 272             : (isset($routinename) ? $routinename : '')),
 273         $username,
 274         $hostname,
 275         $itemType
 276     );
 277 }
 278
 279 /**
 280  * Updates the password
 281  */
 282 if (isset($_REQUEST['change_pw'])) {
 283     $message = $serverPrivileges->updatePassword(
 284         $err_url,
 285         $username,
 286         $hostname
 287     );
 288 }
 289
 290 /**
 291  * Deletes users
 292  *   (Changes / copies a user, part IV)
 293  */
 294 if (isset($_REQUEST['delete'])
 295     || (isset($_REQUEST['change_copy']) && $_REQUEST['mode'] < 4)
 296 ) {
 297     $queries = $serverPrivileges->getDataForDeleteUsers($queries);
 298     if (empty($_REQUEST['change_copy'])) {
 299         list($sql_query, $message) = $serverPrivileges->deleteUser($queries);
 300     }
 301 }
 302
 303 /**
 304  * Changes / copies a user, part V
 305  */
 306 if (isset($_REQUEST['change_copy'])) {
 307     $queries = $serverPrivileges->getDataForQueries($queries, $queries_for_display);
 308     $message = Message::success();
 309     $sql_query = join("\n", $queries);
 310 }
 311
 312 /**
 313  * Reloads the privilege tables into memory
 314  */
 315 $message_ret = $serverPrivileges->updateMessageForReload();
 316 if (! is_null($message_ret)) {
 317     $message = $message_ret;
 318     unset($message_ret);
 319 }
 320
 321 /**
 322  * If we are in an Ajax request for Create User/Edit User/Revoke User/
 323  * Flush Privileges, show $message and exit.
 324  */
 325 if ($response->isAjax()
 326     && empty($_REQUEST['ajax_page_request'])
 327     && ! isset($_REQUEST['export'])
 328     && (! isset($_REQUEST['submit_mult']) || $_REQUEST['submit_mult'] != 'export')
 329     && ((! isset($_REQUEST['initial']) || $_REQUEST['initial'] === null
 330     || $_REQUEST['initial'] === '')
 331     || (isset($_REQUEST['delete']) && $_REQUEST['delete'] === __('Go')))
 332     && ! isset($_REQUEST['showall'])
 333     && ! isset($_REQUEST['edit_user_group_dialog'])
 334     && ! isset($_REQUEST['db_specific'])
 335 ) {
 336     $extra_data = $serverPrivileges->getExtraDataForAjaxBehavior(
 337         (isset($password) ? $password : ''),
 338         (isset($sql_query) ? $sql_query : ''),
 339         (isset($hostname) ? $hostname : ''),
 340         (isset($username) ? $username : '')
 341     );
 342
 343     if (! empty($message) && $message instanceof Message) {
 344         $response->setRequestStatus($message->isSuccess());
 345         $response->addJSON('message', $message);
 346         $response->addJSON($extra_data);
 347         exit;
 348     }
 349 }
 350
 351 /**
 352  * Displays the links
 353  */
 354 if (isset($_REQUEST['viewing_mode']) && $_REQUEST['viewing_mode'] == 'db') {
 355     $GLOBALS['db'] = $_REQUEST['db'] = $_REQUEST['checkprivsdb'];
 356
 357     $url_query .= '&amp;goto=db_operations.php';
 358
 359     // Gets the database structure
 360     $sub_part = '_structure';
 361     ob_start();
 362
 363     list(
 364         $tables,
 365         $num_tables,
 366         $total_num_tables,
 367         $sub_part,
 368         $is_show_stats,
 369         $db_is_system_schema,
 370         $tooltip_truename,
 371         $tooltip_aliasname,
 372         $pos
 373     ) = PhpMyAdmin\Util::getDbInfo($db, is_null($sub_part) ? '' : $sub_part);
 374
 375     $content = ob_get_contents();
 376     ob_end_clean();
 377     $response->addHTML($content . "\n");
 378 } else {
 379     if (! empty($GLOBALS['message'])) {
 380         $response->addHTML(PhpMyAdmin\Util::getMessage($GLOBALS['message']));
 381         unset($GLOBALS['message']);
 382     }
 383 }
 384
 385 /**
 386  * Displays the page
 387  */
 388 $response->addHTML(
 389     $serverPrivileges->getHtmlForUserGroupDialog(
 390         isset($username) ? $username : null,
 391         $cfgRelation['menuswork']
 392     )
 393 );
 394
 395 // export user definition
 396 if (isset($_REQUEST['export'])
 397     || (isset($_REQUEST['submit_mult']) && $_REQUEST['submit_mult'] == 'export')
 398 ) {
 399     list($title, $export) = $serverPrivileges->getListForExportUserDefinition(
 400         isset($username) ? $username : null,
 401         isset($hostname) ? $hostname : null
 402     );
 403
 404     unset($username, $hostname, $grants, $one_grant);
 405
 406     if ($response->isAjax()) {
 407         $response->addJSON('message', $export);
 408         $response->addJSON('title', $title);
 409         exit;
 410     } else {
 411         $response->addHTML("<h2>$title</h2>$export");
 412     }
 413 }
 414
 415 if (isset($_REQUEST['adduser'])) {
 416     // Add user
 417     $response->addHTML(
 418         $serverPrivileges->getHtmlForAddUser((isset($dbname) ? $dbname : ''))
 419     );
 420 } elseif (isset($_REQUEST['checkprivsdb'])) {
 421     if (isset($_REQUEST['checkprivstable'])) {
 422         // check the privileges for a particular table.
 423         $response->addHTML(
 424             $serverPrivileges->getHtmlForSpecificTablePrivileges(
 425                 $_REQUEST['checkprivsdb'],
 426                 $_REQUEST['checkprivstable']
 427             )
 428         );
 429     } else {
 430         // check the privileges for a particular database.
 431         $response->addHTML(
 432             $serverPrivileges->getHtmlForSpecificDbPrivileges($_REQUEST['checkprivsdb'])
 433         );
 434     }
 435 } else {
 436     if (isset($dbname) && ! is_array($dbname)) {
 437         $url_dbname = urlencode(
 438             str_replace(
 439                 ['\_', '\%'],
 440                 ['_', '%'],
 441                 $dbname
 442             )
 443         );
 444     }
 445
 446     if (! isset($username)) {
 447         // No username is given --> display the overview
 448         $response->addHTML(
 449             $serverPrivileges->getHtmlForUserOverview($pmaThemeImage, $text_dir)
 450         );
 451     } elseif (!empty($routinename)) {
 452         $response->addHTML(
 453             $serverPrivileges->getHtmlForRoutineSpecificPrivileges(
 454                 $username,
 455                 $hostname,
 456                 $dbname,
 457                 $routinename,
 458                 (isset($url_dbname) ? $url_dbname : '')
 459             )
 460         );
 461     } else {
 462         // A user was selected -> display the user's properties
 463         // In an Ajax request, prevent cached values from showing
 464         if ($response->isAjax()) {
 465             header('Cache-Control: no-cache');
 466         }
 467
 468         $response->addHTML(
 469             $serverPrivileges->getHtmlForUserProperties(
 470                 (isset($dbname_is_wildcard) ? $dbname_is_wildcard : ''),
 471                 (isset($url_dbname) ? $url_dbname : ''),
 472                 $username,
 473                 $hostname,
 474                 (isset($dbname) ? $dbname : ''),
 475                 (isset($tablename) ? $tablename : '')
 476             )
 477         );
 478     }
 479 }
 480
 481 if ((isset($_REQUEST['viewing_mode']) && $_REQUEST['viewing_mode'] == 'server')
 482     && $GLOBALS['cfgRelation']['menuswork']
 483 ) {
 484     $response->addHTML('</div>');
 485 }