Hi List!
I suggest to use the attached version of "common.lib.php3" for the plain 2.2.1 release. It does not contains many changes (it's just a kind of "temporary" improvement") but it allows: - to fix bug #472201(denied to mysql user db. AdvAuth failed.) that is a true problem indeed: requiring each user to have "select" privilege on the "mysql" db is not a so good idea; - to really skip all the "get dbs list from the mysql db" if $cfgServers[i]['only_db'] is set.
Could you try it and tell me what your opinions about it are?
Thanks, Loïc
Hi Loïc and List,
before I test this new common.lib, I would like to understand something: for bug 472201, I guess the user was trying to use advanced auth without an administrative user/password. So I suggested that he should use normal auth. This is not a bug. We know that we should develop a better auth system but it currently works, even for users that don't have access to the mysql.* tables. But 2.2.1 is at RC stage, this is not the time to modify this, IMHO.
Loïc a écrit :
Hi List!
I suggest to use the attached version of "common.lib.php3" for the plain 2.2.1 release. It does not contains many changes (it's just a kind of "temporary" improvement") but it allows:
- to fix bug #472201(denied to mysql user db. AdvAuth failed.) that is a true problem indeed: requiring each user to have "select" privilege on the "mysql" db is not a so good idea;
- to really skip all the "get dbs list from the mysql db" if $cfgServers[i]['only_db'] is set.
Could you try it and tell me what your opinions about it are?
Thanks, Loïc
Name: common.lib.tar.gzcommon.lib.tar.gz Type: WinRAR archive (application/x-compressed) Encoding: base64
Loïc a écrit :
Hi List!
I suggest to use the attached version of "common.lib.php3" for the plain 2.2.1 release. It does not contains many changes (it's just a kind of "temporary" improvement") but it allows:
- to fix bug #472201(denied to mysql user db. AdvAuth failed.) that is a true problem indeed: requiring each user to have "select" privilege on the "mysql" db is not a so good idea;
Ok, your new common.lib.php3 removes the need for stduser/stdpass. It works well here. Good work!
You must be aware that there is a difference between this 2.2.1 and 2.2.0 regarding the display of the Create Database box. A user which only has a create priv on a non-existant db, would not get the box. I don't know if this is important, because I hope that sysadmins will use this setting:
$cfgAllowUserDropDatabase = FALSE;
so the possibility of users deleting their own db and then wanting to recreate it is reduced.
I would be ready to accept this minor problem because the patch adds security and removes the stduser constraint.
- to really skip all the "get dbs list from the mysql db" if $cfgServers[i]['only_db'] is set.
Seems to work ok. A small point: I lose the Logout link when only_db is set.
Could you try it and tell me what your opinions about it are?
Thanks, Loïc
Name: common.lib.tar.gzcommon.lib.tar.gz Type: Unix Tape Archive (application/x-tar) Encoding: base64
-
Loïc -
Marc Delisle -
Marc Delisle