[Koha-bugs] [Bug 27303] New: Behaviour depends on DB user permissions
bugzilla-daemon at bugs.koha-community.org
Wed Dec 23 16:39:37 CET 2020
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=27303
Bug ID: 27303
Summary: Behaviour depends on DB user permissions
Change sponsored?: ---
Product: Koha
Version: master
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P5 - low
Component: Installation and upgrade (command-line installer)
Assignee: koha-bugs at lists.koha-community.org
Reporter: tomascohen at gmail.com
QA Contact: testopia at bugs.koha-community.org
I was writing a helper method to check if a table is a view, for the merger of
'reserves' and 'old_reserves' into 'holds', and found that running things like
[1]:
my $sth = $dbh->prepare("
    SELECT COUNT( * ) AS count
    FROM information_schema.COLUMNS
    WHERE COLUMN_NAME = 'reserve_id'
        AND (
            TABLE_NAME LIKE 'reserves'
            OR
            TABLE_NAME LIKE 'old_reserves'
        )
");
Will give different results depending on the user permissions. So if (for some
reason) the sysadmin sets two Koha instances on the same DB server, and the
user has more privileges than expected, it will count things from databases
other than those of the running instance.
In the case of the views this was easy to spot:
root@kohadevbox:misc4dev(master)$ mysql -hdb -ppassword
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 232
Server version: 10.3.27-MariaDB-1:10.3.27+maria~focal mariadb.org binary distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> SELECT TABLE_SCHEMA, TABLE_NAME FROM information_schema.tables WHERE TABLE_NAME='reserves';
+--------------+------------+
| TABLE_SCHEMA | TABLE_NAME |
+--------------+------------+
| koha_test    | reserves   |
| koha_kohadev | reserves   |
+--------------+------------+
2 rows in set (0.02 sec)
What we need to do is add the database name to the WHERE condition, like:
my $db_name = C4::Context->config('database');
...
    WHERE TABLE_SCHEMA = ?
...
$sth->execute($db_name);    # bind the schema name instead of interpolating it
[1] taken from updatedatabase.pl:5573~5582
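
An added example (not code from this report or from Koha) of the scoping described above: two DBI helpers that always filter information_schema on TABLE_SCHEMA and pass the schema name as a bound parameter, so the result is the same whatever other databases the account can see. The helper names and the explicit $dbh / $db_name arguments are assumptions.

```perl
use strict;
use warnings;

# Hypothetical helpers (names are assumptions, not Koha API). Both take the
# schema name explicitly, so the answer never depends on which other
# databases the DB account is allowed to see in information_schema.

# True if $table exists in $db_name and is a view rather than a base table.
sub table_is_view {
    my ( $dbh, $db_name, $table ) = @_;
    my ($type) = $dbh->selectrow_array(
        q{
            SELECT TABLE_TYPE
            FROM information_schema.TABLES
            WHERE TABLE_SCHEMA = ?
              AND TABLE_NAME   = ?
        },
        undef, $db_name, $table
    );
    return ( defined $type && $type eq 'VIEW' ) ? 1 : 0;
}

# Number of the given tables, within $db_name only, that have column $column.
# Uses IN (...) where the reported query used LIKE without wildcards.
sub count_tables_with_column {
    my ( $dbh, $db_name, $column, @tables ) = @_;
    return 0 unless @tables;
    my $in = join ', ', ('?') x @tables;    # one placeholder per table name
    my ($count) = $dbh->selectrow_array(
        qq{
            SELECT COUNT(*)
            FROM information_schema.COLUMNS
            WHERE TABLE_SCHEMA = ?
              AND COLUMN_NAME  = ?
              AND TABLE_NAME IN ($in)
        },
        undef, $db_name, $column, @tables
    );
    return $count;
}

# Usage with the schema name obtained as in the report:
#   my $db_name = C4::Context->config('database');
#   my $n = count_tables_with_column( $dbh, $db_name, 'reserve_id',
#                                     'reserves', 'old_reserves' );
```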