Filter db information searches to limit results to databases owned by current user

Kienan Stewart 2019-09-25 17:05:57 -04:00 committed by Camille Lafitte
parent 20db4fceba
commit 6a3af13817
1 changed files with 15 additions and 2 deletions


@ -592,9 +592,22 @@ class m_mysql {
function get_defaultsparam($dbn) {
global $db, $msg, $cuid;
global $db, $mem, $msg, $cuid;
$msg->debug("mysql", "getdefaults");
$login=$mem->user["login"];
# The first condition allows us to access our "default" database, where the
# name matches exactly our login name. The second condition allows us to
# access the other databases suffixed with "_.*"
# The condition is split into two here to avoid the following situation:
# * Given two accounts "example" and "exampleb", with defaults (un-suffixed)
# databases, the user of account "example" could read the parameter information
# for "exampleb".
if (($dbn != $login) && !preg_match("#^$login\_#", $dbn)) {
$msg->raise("ERROR", "mysql",_("Database not found")." (5)");
return false;
}
$dbu = $dbn;
$r = array();
$dbn = str_replace('_', '\_', $dbn);
@ -624,7 +637,7 @@ class m_mysql {
}
}
if (!$db->query("SELECT name,password from dbusers where name= ? ;", array($dbu))) {
if (!$db->query("SELECT name,password from dbusers where name= ? and uid= ? ;", array($dbu, $cuid))) {
$msg->raise("ERROR", "mysql",_("Database not found")." (3)");
return false;
}
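Review bot: In the guard added at the top of get_defaultsparam (first hunk), `$login` is interpolated into the pattern `"#^$login\_#"` without `preg_quote()`, so any regex metacharacter in a login name would be read as pattern syntax and the ownership check could accept a database name that does not literally start with `<login>_`. Whether logins are restricted to characters that are safe in a pattern is not visible on this page, so a literal prefix test is the safer form: `if (($dbn !== $login) && strpos($dbn, $login . '_') !== 0) {`. The strict `!==` also avoids PHP's numeric-string comparison, where two different numeric-looking names can compare equal under `!=`. The body of get_defaultsparam continues outside both hunks, so the queries between this guard and the `uid = ?` filter in the second hunk could not be checked here.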