maketank/Froxlor
2
0
Fork 0
Code Pull Requests Releases Activity

Merge pull request #59 from madmuffin1/mysqlrevoke

Browse Source 
Patching Revoking Privileges (both when deleting user and disabling user), fixes #1108
This commit is contained in:
Michael Kaufmann
2013-03-05 23:40:45 -08:00
parent e7a0508989 3657cf7cc6
commit 2c41ea48c1
1 changed files with 12 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
admin_customers.php
View File

@@ -193,12 +193,17 @@ if($page == 'customers'
$last_dbserver = $row_database['dbserver'];
}
foreach(array_unique(explode(',', $settings['system']['mysql_access_host'])) as $mysql_access_host)
if(mysql_get_server_info() < '5.0.2') {
// failsafe if user has been deleted manually (requires MySQL 4.1.2+)
$db_root->query('REVOKE ALL PRIVILEGES, GRANT OPTION FROM \'' . $db_root->escape($row_database['databasename']) .'\'',false,true);
}
$host_res = $db_root->query("SELECT `Host` FROM `mysql`.`user` WHERE `User`='" . $db_root->escape($row_database['databasename']) . "'");
while($host = $db_root->fetch_array($host_res))
{
$mysql_access_host = trim($mysql_access_host);
$db_root->query('REVOKE ALL PRIVILEGES ON * . * FROM `' . $db_root->escape($row_database['databasename']) . '`@`' . $db_root->escape($mysql_access_host) . '`',false,true);
$db_root->query('REVOKE ALL PRIVILEGES ON `' . str_replace('_', '\_', $db_root->escape($row_database['databasename'])) . '` . * FROM `' . $db_root->escape($row_database['databasename']) . '`@`' . $db_root->escape($mysql_access_host) . '`',false,true);
$db_root->query('DELETE FROM `mysql`.`user` WHERE `User` = "' . $db_root->escape($row_database['databasename']) . '" AND `Host` = "' . $db_root->escape($mysql_access_host) . '"');
// as of MySQL 5.0.2 this also revokes privileges. (requires MySQL 4.1.2+)
$db_root->query('DROP USER \'' . $db_root->escape($row_database['databasename']). '\'@\'' . $db_root->escape($host['Host']) . '\'', false, true);
}
$db_root->query('DROP DATABASE IF EXISTS `' . $db_root->escape($row_database['databasename']) . '`');
@@ -1236,8 +1241,8 @@ if($page == 'customers'
/* Prevent access, if deactivated */
if($deactivated)
{
$db_root->query('REVOKE ALL PRIVILEGES ON * . * FROM `' . $db_root->escape($row_database['databasename']) . '`@`' . $db_root->escape($mysql_access_host) . '`');
$db_root->query('REVOKE ALL PRIVILEGES ON `' . str_replace('_', '\_', $db_root->escape($row_database['databasename'])) . '` . * FROM `' . $db_root->escape($row_database['databasename']) . '`@`' . $db_root->escape($mysql_access_host) . '`');
// failsafe if user has been deleted manually (requires MySQL 4.1.2+)
$db_root->query('REVOKE ALL PRIVILEGES, GRANT OPTION FROM \'' . $db_root->escape($row_database['databasename']) .'\'',false,true);
}
else /* Otherwise grant access */
{