Revision: 1130
          http://mrbs.svn.sourceforge.net/mrbs/?rev=1130&view=rev
Author:   cimorrison
Date:     2009-06-25 19:36:34 +0000 (Thu, 25 Jun 2009)

Log Message:
-----------
Changed the authentication scheme for database upgrades so that instead of 
requiring the user to be logged in as an MRBS admin, the system now asks for a 
database username and password with admin rights.    This has the advantages 
that (a) the database username and password supplied in the config file need 
only have ordinary user rights* and (b) it prevents the Catch 22 situation when 
upgrading the users table (you can't upgrade the database until you've logged 
in as an admin, but you can't log in as an admin until you've upgraded the 
database).

[*Note, though, that when the "db" authentication scheme is in use, the users table 
is still altered using the ordinary database username supplied in the config file. 
This still needs to be changed to go through the standard upgrade mechanism.]

Modified Paths:
--------------
    mrbs/trunk/web/dbsys.inc
    mrbs/trunk/web/lang.en
    mrbs/trunk/web/mrbs.css.php
    mrbs/trunk/web/mysql.inc
    mrbs/trunk/web/mysqli.inc
    mrbs/trunk/web/pgsql.inc
    mrbs/trunk/web/upgrade.inc

Modified: mrbs/trunk/web/dbsys.inc
===================================================================
--- mrbs/trunk/web/dbsys.inc    2009-06-24 15:47:32 UTC (rev 1129)
+++ mrbs/trunk/web/dbsys.inc    2009-06-25 19:36:34 UTC (rev 1130)
@@ -564,6 +564,44 @@
 }
 
 
+// Close a database connection that was previously opened by sql_connect()
+function sql_close($handle)
+{
+  $system = $handle['system'];
+  require_once "$system.inc";
+  $f = "sql_${system}_close";
+  $f($handle['connection']);
+}
+
+
+// Get a database username and password
+function db_get_userpass()
+{
+  global $PHP_SELF;
+  print_header(0, 0, 0, 0, "");
+  ?>
+  <form class="form_general" id="db_logon" method="post" action="<?php echo 
htmlspecialchars(basename($PHP_SELF)) ?>">
+  <fieldset>
+  <legend><?php echo get_vocab("database_login") ?></legend>
+    <div>
+      <label for="form_username">Database username</label>
+      <input id="form_username" name="form_username" type="text">
+    </div>
+    <div>
+      <label for="form_password">Database password</label>
+      <input id="form_password" name="form_password" type="password">
+    </div>
+    <div id="db_logon_submit">
+      <input class="submit" type="submit" value=" <?php echo 
get_vocab('login') ?>">
+    </div>
+  </fieldset>
+  </form>
+  <?php
+  // Print footer and exit
+  print_footer(TRUE);
+}
+
+
 //////////////////////////////////////////
 // Connect to the configured MRBS database
 
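Review bot: The password field `<input id="form_password" name="form_password" type="password">` collects a database administrator's credential rather than an ordinary MRBS logon, so it should at least carry `autocomplete="off"` to discourage browsers of the time from caching it alongside the site's normal logon form — the commit message's stated aim is to keep high-privilege credentials out of the config file, and a browser password store quietly undoes that. The two labels `Database username` and `Database password` are hard-coded English while the legend and submit button go through get_vocab(); route them through get_vocab() with matching lang.* entries for consistency. The form action relies on a global `$PHP_SELF` that is set outside this hunk, presumably by a common include, so the htmlspecialchars(basename(...)) wrapper is only as trustworthy as that source. A header comment such as `// Prints the database login form and exits via print_footer(TRUE); never returns` would make the non-returning contract explicit for the caller that loops on it.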
@@ -594,36 +632,52 @@
   // Upgrade needed
 
   require_once "functions.inc";
-  require_once "mrbs_auth.inc";
+  require_once "upgrade.inc";
 
   print_header(0,0,0,0,"");
+ 
+  // We need to open a connection to the database with a database
+  // username that has admin rights.
+  echo "<p class=\"error\">" . get_vocab("upgrade_required") . "</p>\n"; 
 
-  $user = getUserName();
-  if (isset($user) && (authGetUserLevel($user) >= 2))
+  while (empty($admin_handle))
   {
-    require_once "upgrade.inc";
-    // Do any MRBS upgrades first
-    if ($current_db_schema_version < $db_schema_version)
+    $db_admin_username = get_form_var('form_username', 'string');
+    $db_admin_password = get_form_var('form_password', 'string');
+    if (!isset($db_admin_username) || !isset($db_admin_password))
     {
-      upgrade_database(FALSE, $current_db_schema_version, $db_schema_version);
+      // Get a username and password if we haven't got them
+      echo "<p>" . get_vocab("supply_userpass") . "</p>\n";
+      echo "<p>" . get_vocab("contact_admin") . "</p>\n"; 
+      db_get_userpass();
     }
-    // Then any local upgrades
-    if ($current_local_db_schema_version < $local_db_schema_version)
+    else
     {
-      upgrade_database(TRUE, $current_local_db_schema_version, 
$local_db_schema_version);
+      // Turn off error reporting for the database connection because
+      // we don't want to see the system error reports if the user
+      // supplies an incorrect username and password.
+      $old_error_reporting = error_reporting(0);
+      $admin_handle = sql_connect($dbsys, $db_host, $db_admin_username, 
$db_admin_password, $db_database, 0);
+      error_reporting($old_error_reporting);  // Turn error reporting back on
     }
+  }
 
-    print get_vocab("upgrade_completed").
-      ". <a href=\"./\">".
-      get_vocab("returncal")."</a>.";
+  // Do any MRBS upgrades first
+  if ($current_db_schema_version < $db_schema_version)
+  {
+    upgrade_database(FALSE, $current_db_schema_version, $db_schema_version);
   }
-  else
+  // Then any local upgrades
+  if ($current_local_db_schema_version < $local_db_schema_version)
   {
-    print "<div class=\"error\">
-  ".get_vocab("login_for_upgrade").".
-</div>\n";
-    authGet();
+    upgrade_database(TRUE, $current_local_db_schema_version, 
$local_db_schema_version);
   }
+  
+  // close the database connection that has admin rights
+  sql_close($admin_handle);
 
+  echo "<p>" . get_vocab("upgrade_completed") . "</p>\n";
+  echo "<a href=\"./\">" . get_vocab("returncal") . "</a>.";
+
   print_footer(TRUE);
 }
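Review bot: The `while (empty($admin_handle))` retry loop cannot re-prompt on a wrong password: each iteration re-reads the same POSTed `form_username`/`form_password` through get_form_var() and nothing clears them, so if sql_connect() returns a falsy value on failure the loop spins on identical credentials indefinitely, and if sql_connect() prints an error and exits (which the error_reporting(0) wrapper seems to anticipate) the loop runs exactly once and the user never gets a second form. Either way it should be a single pass with an explicit failure branch that reports the bad login and calls db_get_userpass() again, which prints the form and exits; since sql_close() reads `$handle['connection']`, a missing or false `connection` element should count as failure too. Separately, this prompt is now reachable by any anonymous visitor while an upgrade is pending and relays database-administrator credentials through the web tier, so the deployment caveat is that it must only be used over HTTPS and that nothing here throttles repeated guesses against the database account. The `if` block this hunk sits inside starts before the hunk.

```php
  // Single pass: db_get_userpass() prints the form and exits, so a failed
  // connect has to re-prompt explicitly instead of looping.
  $db_admin_username = get_form_var('form_username', 'string');
  $db_admin_password = get_form_var('form_password', 'string');
  if (!isset($db_admin_username) || !isset($db_admin_password))
  {
    echo "<p>" . get_vocab("supply_userpass") . "</p>\n";
    echo "<p>" . get_vocab("contact_admin") . "</p>\n";
    db_get_userpass();   // never returns
  }
  // Suppress the driver's own warning on a wrong username/password
  $old_error_reporting = error_reporting(0);
  $admin_handle = sql_connect($dbsys, $db_host, $db_admin_username,
                              $db_admin_password, $db_database, 0);
  error_reporting($old_error_reporting);
  // sql_close() expects a handle with a 'connection' element; treat a missing
  // or false one as a failed login and offer the form again.
  if (empty($admin_handle) || empty($admin_handle['connection']))
  {
    echo "<p class=\"error\">Database login failed.</p>\n";   // TODO: localise via lang.*
    db_get_userpass();   // never returns
  }
  // … unchanged: upgrade_database() calls, sql_close($admin_handle), completion message …
```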

Modified: mrbs/trunk/web/lang.en
===================================================================
--- mrbs/trunk/web/lang.en      2009-06-24 15:47:32 UTC (rev 1129)
+++ mrbs/trunk/web/lang.en      2009-06-25 19:36:34 UTC (rev 1130)
@@ -134,10 +134,13 @@
 $vocab["logoff"]             = "Log Off";
 
 // Database upgrade code
-$vocab["login_for_upgrade"]        = "Please login as an administrator to 
perform a required database upgrade";
+$vocab["database_login"]           = "Database login";
+$vocab["upgrade_required"]         = "The database needs to be upgraded.";
+$vocab["supply_userpass"]          = "Please supply a database username and 
password that has admin rights.";
+$vocab["contact_admin"]            = "If you are not the MRBS administrator 
please contact $mrbs_admin.";
 $vocab["upgrade_to_version"]       = "Upgrading to database version";
 $vocab["upgrade_to_local_version"] = "Upgrading to database local version";
-$vocab["upgrade_completed"]        = "Database upgrade completed";
+$vocab["upgrade_completed"]        = "Database upgrade completed.";
 
 // User access levels
 $vocab["level_0"]            = "none";

Modified: mrbs/trunk/web/mrbs.css.php
===================================================================
--- mrbs/trunk/web/mrbs.css.php 2009-06-24 15:47:32 UTC (rev 1129)
+++ mrbs/trunk/web/mrbs.css.php 2009-06-25 19:36:34 UTC (rev 1130)
@@ -447,6 +447,12 @@
 $logon_form_min_width          = $logon_left_col_max_width + 
$logon_input_width + $general_gap;
 $logon_form_min_width          = number_format($logon_form_min_width, 1, '.', 
'');   // get rid of any commas
 
+// Specific to the "db_logon" form
+$db_logon_left_col_max_width   = '12';      // em
+$db_logon_input_width          = '12';      // em
+$db_logon_form_min_width       = $db_logon_left_col_max_width + 
$db_logon_input_width + $general_gap;
+$db_logon_form_min_width       = number_format($db_logon_form_min_width, 1, 
'.', '');   // get rid of any commas
+
 // Specific to the "edit_area_room" form
 $edit_area_room_left_col_max_width  = '14';      // em
 $edit_area_room_input_width         = '12';      // em
@@ -461,6 +467,7 @@
 .search         form.form_general {min-width: <?php echo 
$search_form_min_width ?>em}
 .edit_area_room form.form_general {min-width: <?php echo 
$edit_area_room_form_min_width ?>em}
 form.form_general#logon       {min-width: <?php echo $logon_form_min_width 
?>em}
+form.form_general#db_logon    {min-width: <?php echo $db_logon_form_min_width 
?>em}
 
 .form_general div {float: left; clear: left; width: 100%}
 .form_general div div {float: none; clear: none; width: auto}
@@ -482,6 +489,7 @@
 .search         .form_general label {max-width: <?php echo 
$search_left_col_max_width ?>em}
 .edit_area_room .form_general label {max-width: <?php echo 
$edit_area_room_left_col_max_width ?>em}
 #logon                    label {max-width: <?php echo 
$logon_left_col_max_width ?>em}
+#db_logon                 label {max-width: <?php echo 
$db_logon_left_col_max_width ?>em}
 
 .form_general .group      label {clear: none; width: auto; max-width: 100%; 
font-weight: normal; overflow: visible}
 
@@ -494,6 +502,7 @@
 .search         .form_general input {width: <?php echo $search_input_width 
?>em}
 .edit_area_room .form_general input {width: <?php echo 
$edit_area_room_input_width ?>em}
 #logon                    input {width: <?php echo $logon_input_width ?>em}
+#db_logon                 input {width: <?php echo $db_logon_input_width ?>em}
 .form_general .group      input {clear: none; width: auto}
 
 /* font family and size needs to be the same for input and textarea as their 
widths are defined in ems */
@@ -513,7 +522,8 @@
 div#report_submit     {width: <?php echo $general_left_col_width ?>%; 
max-width: <?php echo $report_left_col_max_width ?>em}
 div#search_submit     {width: <?php echo $general_left_col_width ?>%; 
max-width: <?php echo $search_left_col_max_width ?>em}
 div#logon_submit      {width: <?php echo $general_left_col_width ?>%; 
max-width: <?php echo $logon_left_col_max_width ?>em}
-#edit_entry_submit input, #report_submit input, #search_submit input, 
#logon_submit input
+div#db_logon_submit   {width: <?php echo $general_left_col_width ?>%; 
max-width: <?php echo $db_logon_left_col_max_width ?>em}
+#edit_entry_submit input, #report_submit input, #search_submit input, 
#logon_submit input, #db_logon_submit input
     {position: relative; left: 100%; width: auto}
 div#edit_area_room_submit_back {float: left; width: <?php echo 
$general_left_col_width ?>%; max-width: <?php echo 
$edit_area_room_left_col_max_width ?>em}
 div#edit_area_room_submit_save {float: left; clear: none; width: auto}

Modified: mrbs/trunk/web/mysql.inc
===================================================================
--- mrbs/trunk/web/mysql.inc    2009-06-24 15:47:32 UTC (rev 1129)
+++ mrbs/trunk/web/mysql.inc    2009-06-25 19:36:34 UTC (rev 1130)
@@ -372,4 +372,11 @@
                                       $db_database, $persist);
 }
 
+
+// Close a connection
+function sql_mysql_close($connection)
+{
+  mysql_close($connection);
+}
+
 ?>

Modified: mrbs/trunk/web/mysqli.inc
===================================================================
--- mrbs/trunk/web/mysqli.inc   2009-06-24 15:47:32 UTC (rev 1129)
+++ mrbs/trunk/web/mysqli.inc   2009-06-25 19:36:34 UTC (rev 1130)
@@ -406,4 +406,11 @@
                                         $db_database, $persist);
 }
 
+
+// Close a connection
+function sql_mysqli_close($connection)
+{
+  mysqli_close($connection);
+}
+
 ?>

Modified: mrbs/trunk/web/pgsql.inc
===================================================================
--- mrbs/trunk/web/pgsql.inc    2009-06-24 15:47:32 UTC (rev 1129)
+++ mrbs/trunk/web/pgsql.inc    2009-06-25 19:36:34 UTC (rev 1130)
@@ -418,4 +418,11 @@
                                       $db_database, $persist);
 }
 
+
+// Close a connection
+function sql_pgsql_close($connection)
+{
+  pg_close($connection);
+}
+
 ?>

Modified: mrbs/trunk/web/upgrade.inc
===================================================================
--- mrbs/trunk/web/upgrade.inc  2009-06-24 15:47:32 UTC (rev 1129)
+++ mrbs/trunk/web/upgrade.inc  2009-06-25 19:36:34 UTC (rev 1130)
@@ -56,7 +56,7 @@
         if ($res == -1)
         {
           // No need to localise, should hopefully never happen
-          print "Tried:<pre>
+          print "<br>Tried:<pre>
 ".htmlspecialchars($command)."
 </pre> and got error:<pre>
 ".sql_error()."

