[Koha-bugs] [Bug 27303] New: Behaviour depends on DB user permissions

bugzilla-daemon at bugs.koha-community.org
Wed Dec 23 16:39:37 CET 2020


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=27303

            Bug ID: 27303
           Summary: Behaviour depends on DB user permissions
 Change sponsored?: ---
           Product: Koha
           Version: master
          Hardware: All
                OS: All
            Status: NEW
          Severity: major
          Priority: P5 - low
         Component: Installation and upgrade (command-line installer)
          Assignee: koha-bugs at lists.koha-community.org
          Reporter: tomascohen at gmail.com
        QA Contact: testopia at bugs.koha-community.org

I was writing a helper method to check if a table is a view, for the merger of
'reserves' and 'old_reserves' into 'holds', and found that running things like
[1]:

    my $sth = $dbh->prepare("
        SELECT COUNT( * ) AS count
        FROM information_schema.COLUMNS
        WHERE COLUMN_NAME =  'reserve_id'
        AND (
          TABLE_NAME LIKE  'reserves'
          OR
          TABLE_NAME LIKE  'old_reserves'
        )
    ");

will give different results depending on the user permissions. So if (for some
reason) the sysadmin sets up two Koha instances on the same DB server, and the
user has more privileges than expected, it will count things from databases
other than those of the running instance.

In the case of the views this was easy to spot:

    root@kohadevbox:misc4dev(master)$ mysql -hdb -ppassword
    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MariaDB connection id is 232
    Server version: 10.3.27-MariaDB-1:10.3.27+maria~focal mariadb.org binary distribution

    Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    MariaDB [(none)]> SELECT TABLE_SCHEMA, TABLE_NAME FROM information_schema.tables WHERE TABLE_NAME='reserves';
    +--------------+------------+
    | TABLE_SCHEMA | TABLE_NAME |
    +--------------+------------+
    | koha_test    | reserves   |
    | koha_kohadev | reserves   |
    +--------------+------------+
    2 rows in set (0.02 sec)


What we need to do is add the database name to the WHERE condition, like:

    my $db_name = C4::Context->config('database');
    ...
       WHERE TABLE_SCHEMA=$db_name;


[1] taken from updatedatabase.pl:5573~5582
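
A schema-scoped version of the checks described in the report, as an added example (not code from Koha or from the reporter). The sub names and the KOHA_DB_* environment variables are assumptions, and the schema name is passed as a bound parameter rather than interpolated into the SQL string.

```perl
use strict;
use warnings;
use DBI;

# Hypothetical helpers (names are not Koha's). Every information_schema
# lookup is pinned to one schema, so the answer does not change with
# what else the DB user is allowed to see on the server.

# Returns 1 if $table in schema $db_name has a column $column, else 0.
sub column_exists {
    my ( $dbh, $db_name, $table, $column ) = @_;
    my ($count) = $dbh->selectrow_array(
        q{SELECT COUNT(*) FROM information_schema.COLUMNS
          WHERE TABLE_SCHEMA = ? AND TABLE_NAME = ? AND COLUMN_NAME = ?},
        undef, $db_name, $table, $column
    );
    return $count ? 1 : 0;
}

# Returns 1 if $table in schema $db_name is a view, 0 if it is a base
# table or does not exist in that schema.
sub table_is_view {
    my ( $dbh, $db_name, $table ) = @_;
    my ($type) = $dbh->selectrow_array(
        q{SELECT TABLE_TYPE FROM information_schema.TABLES
          WHERE TABLE_SCHEMA = ? AND TABLE_NAME = ?},
        undef, $db_name, $table
    );
    return ( defined $type && $type eq 'VIEW' ) ? 1 : 0;
}

# Driver: connection settings come from the environment (assumed names).
unless (caller) {
    my $db_name = $ENV{KOHA_DB_NAME} // die "set KOHA_DB_NAME\n";
    my $host    = $ENV{KOHA_DB_HOST} // 'localhost';
    my $dbh     = DBI->connect( "DBI:mysql:database=$db_name;host=$host",
        $ENV{KOHA_DB_USER}, $ENV{KOHA_DB_PASS}, { RaiseError => 1 } );
    for my $table (qw(reserves old_reserves)) {
        printf "%s: has reserve_id=%d, is view=%d\n", $table,
            column_exists( $dbh, $db_name, $table, 'reserve_id' ),
            table_is_view( $dbh, $db_name, $table );
    }
}
```

Run against the server shown above with a user that can see both koha_test and koha_kohadev, each lookup only matches rows from the schema named in KOHA_DB_NAME.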
