From 60f0b83fd836537bc5e53569515c31d8765f11c2 Mon Sep 17 00:00:00 2001
From: ftimme <ft@falkotimme.com>
Date: Sun, 24 Feb 2013 07:28:24 -0500
Subject: [PATCH] - Forgot to use old IP list for two REVOKE operations.
---
server/plugins-available/mysql_clientdb_plugin.inc.php | 91 +++++++++++++++++++++++++++++++++++----------
1 files changed, 70 insertions(+), 21 deletions(-)
diff --git a/server/plugins-available/mysql_clientdb_plugin.inc.php b/server/plugins-available/mysql_clientdb_plugin.inc.php
index 98efd8c..db55759 100644
--- a/server/plugins-available/mysql_clientdb_plugin.inc.php
+++ b/server/plugins-available/mysql_clientdb_plugin.inc.php
@@ -88,9 +88,11 @@
foreach($host_list as $db_host) {
$db_host = trim($db_host);
+ $app->log($action . ' for user ' . $database_user . ' at host ' . $db_host, LOGLEVEL_DEBUG);
+
// check if entry is valid ip address
$valid = true;
- if($db_host == '%') {
+ if($db_host == '%' || $db_host == 'localhost') {
$valid = true;
} elseif(preg_match("/^[0-9]{1,3}(\.)[0-9]{1,3}(\.)[0-9]{1,3}(\.)[0-9]{1,3}$/", $db_host)) {
$groups = explode('.', $db_host);
@@ -106,6 +108,7 @@
if($action == 'GRANT') {
if(!$link->query("GRANT " . ($user_read_only ? "SELECT" : "ALL") . " ON ".$link->escape_string($database_name).".* TO '".$link->escape_string($database_user)."'@'$db_host' IDENTIFIED BY PASSWORD '".$link->escape_string($database_password)."';")) $success = false;
+ $app->log("GRANT " . ($user_read_only ? "SELECT" : "ALL") . " ON ".$link->escape_string($database_name).".* TO '".$link->escape_string($database_user)."'@'$db_host' IDENTIFIED BY PASSWORD '".$link->escape_string($database_password)."'; success? " . ($success ? 'yes' : 'no'), LOGLEVEL_DEBUG);
} elseif($action == 'REVOKE') {
if(!$link->query("REVOKE ALL PRIVILEGES ON ".$link->escape_string($database_name).".* FROM '".$link->escape_string($database_user)."'@'$db_host' IDENTIFIED BY PASSWORD '".$link->escape_string($database_password)."';")) $success = false;
} elseif($action == 'DROP') {
@@ -161,6 +164,7 @@
$host_list = '';
if($data['new']['remote_access'] == 'y') {
$host_list = $data['new']['remote_ips'];
+ if($host_list == '') $host_list = '%';
}
if($host_list != '') $host_list .= ',';
$host_list .= 'localhost';
@@ -184,6 +188,9 @@
function db_update($event_name,$data) {
global $app, $conf;
+ // skip processing if database was and is inactive
+ if($data['new']['active'] == 'n' && $data['old']['active'] == 'n') return;
+
if($data['new']['type'] == 'mysql') {
if(!include(ISPC_LIB_PATH.'/mysql_clientdb.conf')) {
$app->log('Unable to open'.ISPC_LIB_PATH.'/mysql_clientdb.conf',LOGLEVEL_ERROR);
@@ -205,9 +212,19 @@
$host_list = '';
if($data['new']['remote_access'] == 'y') {
$host_list = $data['new']['remote_ips'];
+ if($host_list == '') $host_list = '%';
}
if($host_list != '') $host_list .= ',';
$host_list .= 'localhost';
+
+ // REVOKES and DROPS have to be done on old host list, not new host list
+ $old_host_list = '';
+ if($data['old']['remote_access'] == 'y') {
+ $old_host_list = $data['old']['remote_ips'];
+ if($old_host_list == '') $old_host_list = '%';
+ }
+ if($old_host_list != '') $old_host_list .= ',';
+ $old_host_list .= 'localhost';
// Create the database user if database was disabled before
if($data['new']['active'] == 'y' && $data['old']['active'] == 'n') {
@@ -221,13 +238,25 @@
}
} else if($data['new']['active'] == 'n' && $data['old']['active'] == 'y') { // revoke database user, if inactive
if($db_user) {
- if($db_user['database_user'] == 'root') $app->log('User root not allowed for Client databases',LOGLEVEL_WARNING);
- else $this->process_host_list('REVOKE', $data['new']['database_name'], $db_user['database_user'], $db_user['database_password'], $host_list, $link);
+ if($db_user['database_user'] == 'root'){
+ $app->log('User root not allowed for Client databases',LOGLEVEL_WARNING);
+ } else {
+ //$this->process_host_list('DROP', $data['new']['database_name'], $db_user['database_user'], $db_user['database_password'], $old_host_list, $link);
+ $this->process_host_list('REVOKE', $data['new']['database_name'], $db_user['database_user'], $db_user['database_password'], $old_host_list, $link);
+ }
}
if($db_ro_user && $data['new']['database_user_id'] != $data['new']['database_ro_user_id']) {
- if($db_ro_user['database_user'] == 'root') $app->log('User root not allowed for Client databases',LOGLEVEL_WARNING);
- else $this->process_host_list('REVOKE', $data['new']['database_name'], $db_ro_user['database_user'], $db_ro_user['database_password'], $host_list, $link);
+ if($db_ro_user['database_user'] == 'root'){
+ $app->log('User root not allowed for Client databases',LOGLEVEL_WARNING);
+ } else {
+ //$this->process_host_list('DROP', $data['new']['database_name'], $db_ro_user['database_user'], $db_ro_user['database_password'], $old_host_list, $link);
+ $this->process_host_list('REVOKE', $data['new']['database_name'], $db_ro_user['database_user'], $db_ro_user['database_password'], $old_host_list, $link);
+ }
}
+ // Database is not active, so stop processing here
+ $link->query('FLUSH PRIVILEGES;');
+ $link->close();
+ return;
}
//* selected Users have changed
@@ -235,8 +264,12 @@
if($data['old']['database_user_id'] && $data['old']['database_user_id'] != $data['new']['database_ro_user_id']) {
$old_db_user = $app->db->queryOneRecord("SELECT `database_user`, `database_password` FROM `web_database_user` WHERE `database_user_id` = '" . intval($data['old']['database_user_id']) . "'");
if($old_db_user) {
- if($old_db_user['database_user'] == 'root') $app->log('User root not allowed for Client databases',LOGLEVEL_WARNING);
- else $this->process_host_list('REVOKE', $data['new']['database_name'], $old_db_user['database_user'], $old_db_user['database_password'], $host_list, $link);
+ if($old_db_user['database_user'] == 'root'){
+ $app->log('User root not allowed for Client databases',LOGLEVEL_WARNING);
+ } else {
+ //$this->process_host_list('DROP', $data['new']['database_name'], $old_db_user['database_user'], $old_db_user['database_password'], $old_host_list, $link);
+ $this->process_host_list('REVOKE', $data['new']['database_name'], $old_db_user['database_user'], $old_db_user['database_password'], $old_host_list, $link);
+ }
}
}
if($db_user) {
@@ -248,8 +281,12 @@
if($data['old']['database_ro_user_id'] && $data['old']['database_ro_user_id'] != $data['new']['database_user_id']) {
$old_db_user = $app->db->queryOneRecord("SELECT `database_user`, `database_password` FROM `web_database_user` WHERE `database_user_id` = '" . intval($data['old']['database_ro_user_id']) . "'");
if($old_db_user) {
- if($old_db_user['database_user'] == 'root') $app->log('User root not allowed for Client databases',LOGLEVEL_WARNING);
- else $this->process_host_list('REVOKE', $data['new']['database_name'], $old_db_user['database_user'], $old_db_user['database_password'], $host_list, $link);
+ if($old_db_user['database_user'] == 'root'){
+ $app->log('User root not allowed for Client databases',LOGLEVEL_WARNING);
+ } else {
+ //$this->process_host_list('DROP', $data['new']['database_name'], $old_db_user['database_user'], $old_db_user['database_password'], $old_host_list, $link);
+ $this->process_host_list('REVOKE', $data['new']['database_name'], $old_db_user['database_user'], $old_db_user['database_password'], $old_host_list, $link);
+ }
}
}
if($db_ro_user && $data['new']['database_user_id'] != $data['new']['database_ro_user_id']) {
@@ -267,8 +304,11 @@
//* set new priveliges
if($data['new']['remote_access'] == 'y') {
if($db_user) {
- if($db_user['database_user'] == 'root') $app->log('User root not allowed for Client databases',LOGLEVEL_WARNING);
- else $this->process_host_list('GRANT', $data['new']['database_name'], $db_user['database_user'], $db_user['database_password'], $data['new']['remote_ips'], $link);
+ if($db_user['database_user'] == 'root'){
+ $app->log('User root not allowed for Client databases',LOGLEVEL_WARNING);
+ } else {
+ $this->process_host_list('GRANT', $data['new']['database_name'], $db_user['database_user'], $db_user['database_password'], $data['new']['remote_ips'], $link);
+ }
}
if($db_ro_user && $data['new']['database_user_id'] != $data['new']['database_ro_user_id']) {
if($db_ro_user['database_user'] == 'root') $app->log('User root not allowed for Client databases',LOGLEVEL_WARNING);
@@ -276,12 +316,20 @@
}
} else {
if($db_user) {
- if($db_user['database_user'] == 'root') $app->log('User root not allowed for Client databases',LOGLEVEL_WARNING);
- else $this->process_host_list('REVOKE', $data['new']['database_name'], $db_user['database_user'], $db_user['database_password'], $data['new']['remote_ips'], $link);
+ if($db_user['database_user'] == 'root'){
+ $app->log('User root not allowed for Client databases',LOGLEVEL_WARNING);
+ } else {
+ //$this->process_host_list('DROP', $data['new']['database_name'], $db_user['database_user'], $db_user['database_password'], $data['old']['remote_ips'], $link);
+ $this->process_host_list('REVOKE', $data['new']['database_name'], $db_user['database_user'], $db_user['database_password'], $data['old']['remote_ips'], $link);
+ }
}
if($db_ro_user && $data['new']['database_user_id'] != $data['new']['database_ro_user_id']) {
- if($db_ro_user['database_user'] == 'root') $app->log('User root not allowed for Client databases',LOGLEVEL_WARNING);
- else $this->process_host_list('REVOKE', $data['new']['database_name'], $db_ro_user['database_user'], $db_ro_user['database_password'], $data['new']['remote_ips'], $link);
+ if($db_ro_user['database_user'] == 'root'){
+ $app->log('User root not allowed for Client databases',LOGLEVEL_WARNING);
+ } else {
+ //$this->process_host_list('DROP', $data['new']['database_name'], $db_ro_user['database_user'], $db_ro_user['database_password'], $data['old']['remote_ips'], $link);
+ $this->process_host_list('REVOKE', $data['new']['database_name'], $db_ro_user['database_user'], $db_ro_user['database_password'], $data['old']['remote_ips'], $link);
+ }
}
}
$app->log('Changing MySQL remote access privileges for database: '.$data['new']['database_name'],LOGLEVEL_DEBUG);
@@ -290,18 +338,20 @@
if($db_user) {
if($db_user['database_user'] == 'root') $app->log('User root not allowed for Client databases',LOGLEVEL_WARNING);
else {
- $this->process_host_list('REVOKE', $data['new']['database_name'], $db_user['database_user'], $db_user['database_password'], $data['old']['remote_ips'], $link);
+ //$this->process_host_list('DROP', $data['new']['database_name'], $db_user['database_user'], $db_user['database_password'], $data['old']['remote_ips'], $link);
+ $this->process_host_list('REVOKE', $data['new']['database_name'], $db_user['database_user'], $db_user['database_password'], $data['old']['remote_ips'], $link);
$this->process_host_list('GRANT', $data['new']['database_name'], $db_user['database_user'], $db_user['database_password'], $data['new']['remote_ips'], $link);
}
}
if($db_ro_user && $data['new']['database_user_id'] != $data['new']['database_ro_user_id']) {
if($db_ro_user['database_user'] == 'root') $app->log('User root not allowed for Client databases',LOGLEVEL_WARNING);
else {
+ //$this->process_host_list('DROP', $data['new']['database_name'], $db_ro_user['database_user'], $db_ro_user['database_password'], $data['old']['remote_ips'], $link);
$this->process_host_list('REVOKE', $data['new']['database_name'], $db_ro_user['database_user'], $db_ro_user['database_password'], $data['old']['remote_ips'], $link);
$this->process_host_list('GRANT', $data['new']['database_name'], $db_ro_user['database_user'], $db_ro_user['database_password'], $data['new']['remote_ips'], $link, '', true);
}
}
- }
+ }
$link->query('FLUSH PRIVILEGES;');
@@ -361,7 +411,7 @@
}
- if($data['old']['database_user'] == $data['new']['database_user'] && $data['old']['database_password'] == $data['new']['database_password']) {
+ if($data['old']['database_user'] == $data['new']['database_user'] && ($data['old']['database_password'] == $data['new']['database_password'] || $data['new']['database_password'] == '')) {
return;
}
@@ -387,10 +437,9 @@
$app->log('Renaming MySQL user: '.$data['old']['database_user'].' to '.$data['new']['database_user'],LOGLEVEL_DEBUG);
}
- if($data['new']['database_password'] != $data['old']['database_password']) {
- $db_host = 'localhost';
+ if($data['new']['database_password'] != $data['old']['database_password'] && $data['new']['database_password'] != '') {
$link->query("SET PASSWORD FOR '".$link->escape_string($data['new']['database_user'])."'@'$db_host' = '".$link->escape_string($data['new']['database_password'])."';");
- $app->log('Changing MySQL user password for: '.$data['new']['database_user'],LOGLEVEL_DEBUG);
+ $app->log('Changing MySQL user password for: '.$data['new']['database_user'].'@'.$db_host,LOGLEVEL_DEBUG);
}
}
--
Gitblit v1.9.1