From d87f76019fc231ec20d95126a7fee0487e7be5f0 Mon Sep 17 00:00:00 2001
From: tbrehm <t.brehm@ispconfig.org>
Date: Tue, 14 Aug 2012 10:56:20 -0400
Subject: [PATCH] - Added new web folder named private to web folder layout. The folder is intended to store data that shall not be visible in the web directory, it is owned by the user of the web. - Changed ownership of web root directory to root user in all security modes to prevent symlink attacks. - Apache log files are now owned by user root. - Improved functions in system library.

---
 interface/web/sites/database_phpmyadmin.php |   54 +++++++++++++++++++++---------------------------------
 1 files changed, 21 insertions(+), 33 deletions(-)

diff --git a/interface/web/sites/database_phpmyadmin.php b/interface/web/sites/database_phpmyadmin.php
index 481a654..e0ab324 100644
--- a/interface/web/sites/database_phpmyadmin.php
+++ b/interface/web/sites/database_phpmyadmin.php
@@ -34,7 +34,9 @@
 //* Check permissions for module
 $app->auth->check_module_permissions('sites');
 
-/* get the id of the database (must be int!) */
+/*
+ *  get the id of the database (must be int!)
+ */
 if (!isset($_GET['id'])){
     die ("No DB selected!");
 }
@@ -43,48 +45,34 @@
 /*
  * Get the data to connect to the database
  */
-$dbData = $app->db->queryOneRecord(
-    "SELECT sys_userid, sys_groupid, sys_perm_user, sys_perm_group, server_id, database_name, database_user, database_password FROM web_database WHERE database_id = " .
-    $databaseId);
-
-/*
- * We also need the data of the server
- */
+$dbData = $app->db->queryOneRecord("SELECT server_id FROM web_database WHERE database_id = " . $databaseId);
 $serverId = intval($dbData['server_id']);
 if ($serverId == 0){
     die ("No DB-Server found!");
 }
-
 $serverData = $app->db->queryOneRecord(
     "SELECT server_name FROM server WHERE server_id = " .
     $serverId);
+	
+$app->uses('getconf');
+$global_config = $app->getconf->get_global_config('sites');
+$web_config = $app->getconf->get_server_config($serverId,'web');
 
 /*
- * Check if the user has the right to open phpmyadmin with this database
- * (we will check only users, not admins)
+ * We only redirect to the login-form, so there is no need, to check any rights
  */
-if($_SESSION["s"]["user"]["typ"] == 'user') {
-	/* Get the group of the client */
-	$client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
-	/* compare both */
-	if ($dbData['sys_groupid'] != $client_group_id){
-	    die ("You don't have the right to access this db!");
+ 
+if($global_config['phpmyadmin_url'] != '') {
+	$phpmyadmin_url = $global_config['phpmyadmin_url'];
+	$phpmyadmin_url = str_replace('[SERVERNAME]',$serverData['server_name'],$phpmyadmin_url);
+	header('Location:'.$phpmyadmin_url);
+} else {
+	isset($_SERVER['HTTPS'])? $http = 'https' : $http = 'http';
+	if($web_config['server_type'] == 'nginx') {
+		header('location:' . $http . '://' . $serverData['server_name'] . ':8081/phpmyadmin');
+	} else {
+		header('location:' . $http . '://' . $serverData['server_name'] . '/phpmyadmin');
 	}
 }
-
-/*
- * Now generate the login-Form
- */
-isset($_SERVER['HTTPS'])? $http = 'https' : $http = 'http';
-echo '
-starting phpMyAdmin...<br>
-<form method="post" action="' . $http . '://' . $serverData['server_name'] . '/phpmyadmin/index.php" name="login_form" target="_top" style="visibility:hidden">
-    <input type="text" name="pma_username" id="input_username" value="' .  $dbData['database_user'] . '" />
-    <input type="password" name="pma_password" id="input_password" value="' . $dbData['database_password'] . '" size="24" class="textfield" />
-</form>
-<script type="text/javascript" language="javascript">
-<!--
-document.forms["login_form"].submit();
-//-->
-</script>';
+exit;
 ?>
\ No newline at end of file
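Review bot: The ownership check that compared `$dbData['sys_groupid']` with the client's default group is dropped and the new comment says no rights check is needed, but the redirect still resolves an arbitrary `database_id` to a server name: any authenticated user with `sites` module permission can learn which server hosts any database by following the Location header. If that disclosure is acceptable, state it in the comment; otherwise keep the group comparison (or restrict the query to the client's group) before the redirect. `$serverData` is also used unchecked, so a missing server row yields `Location: http:///phpmyadmin`; add `if(!is_array($serverData) || $serverData['server_name'] == '') die ("No DB-Server found!");` after the server query. The header name is written `Location:` in one branch and `location:` in the other; the standard form `Location: ` with the space would be the consistent choice for all three calls. The derivation of `$databaseId` is outside the hunk, so whether it is integer-cast before the string-built query cannot be confirmed here.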
