From be54aea5115bbfcc5d91de846879126417cacdbd Mon Sep 17 00:00:00 2001
From: Moritz Bunkus
Date: Thu, 12 Oct 2017 14:59:05 +0200
Subject: [PATCH] =?utf8?q?Datenbank=20anlegen:=20Super-User-Rechte=20abfra?= =?utf8?q?gen,=20sofern=20n=C3=B6tig?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
---
 SL/Controller/Admin.pm | 63 +++++++++++++++++++-
 SL/DBUtils.pm | 7 +++
 SL/User.pm | 2 +-
 locale/de/all | 3 +
 templates/webpages/admin/create_dataset.html | 19 ++++++
 5 files changed, 90 insertions(+), 4 deletions(-)
diff --git a/SL/Controller/Admin.pm b/SL/Controller/Admin.pm
index 3126b4dca..9937c5bab 100644
--- a/SL/Controller/Admin.pm
+++ b/SL/Controller/Admin.pm
@@ -12,6 +12,7 @@ use SL::Common ();
 use SL::DB::AuthUser;
 use SL::DB::AuthGroup;
 use SL::DB::Printer;
+use SL::DBUtils ();
 use SL::Helper::Flash;
 use SL::Locale::String qw(t8);
 use SL::System::InstallationLock;
@@ -401,19 +402,24 @@ sub action_create_dataset_login {
 sub action_create_dataset {
 my ($self) = @_;
- $self->create_dataset_form;
+
+ my %superuser = $self->check_database_superuser_privileges(no_credentials_not_an_error => 1);
+ $self->create_dataset_form(superuser => \%superuser);
 }
 sub action_do_create_dataset {
 my ($self) = @_;
+ my %superuser = $self->check_database_superuser_privileges;
+
 my @errors;
 push @errors, t8("Dataset missing!") if !$::form->{db};
 push @errors, t8("Default currency missing!") if !$::form->{defaultcurrency};
+ push @errors, $superuser{error} if !$superuser{have_privileges} && $superuser{error};
 if (@errors) {
 flash('error', @errors);
- return $self->create_dataset_form;
+ return $self->create_dataset_form(superuser => \%superuser);
 }
 $::form->{encoding} = 'UNICODE';
@@ -645,7 +651,7 @@ sub create_dataset_form {
 $::form->{feature_eurechnung} = $defaults->feature_eurechnung(1);
 $::form->{feature_ustva} = $defaults->feature_ustva(1);
- $self->render('admin/create_dataset', title => (t8('Database Administration') . " / " . t8('Create Dataset')));
+ $self->render('admin/create_dataset', title => (t8('Database Administration') . " / " . t8('Create Dataset')), superuser => $params{superuser});
 }
 sub delete_dataset_form {
@@ -697,5 +703,56 @@ sub is_user_used_for_task_server {
 return join ', ', sort_by { lc } map { $_->name } @{ SL::DB::Manager::AuthClient->get_all(where => [ task_server_user_id => $user->id ]) };
 }
+sub check_database_superuser_privileges {
+ my ($self, %params) = @_;
+
+ my %dbconnect_form = %{ $::form };
+ my %result = (
+ username => $dbconnect_form{dbuser},
+ password => $dbconnect_form{dbpasswd},
+ );
+
+ my $check_privileges = sub {
+ my $dbh = SL::DBConnect->connect($dbconnect_form{dbconnect}, $result{username}, $result{password}, SL::DBConnect->get_options);
+ return (error => $::locale->text('The credentials (username & password) for connecting database are wrong.')) if !$dbh;
+
+ my $is_superuser = SL::DBUtils::role_is_superuser($dbh, $result{username});
+
+ $dbh->disconnect;
+
+ return (have_privileges => $is_superuser);
+ };
+
+ User::dbconnect_vars(\%dbconnect_form, $dbconnect_form{dbdefault});
+
+ %result = (
+ %result,
+ $check_privileges->(),
+ );
+
+ if (!$result{have_privileges}) {
+ $result{username} = $::form->{database_superuser_user};
+ $result{password} = $::form->{database_superuser_password};
+
+ if ($::form->{database_superuser_user}) {
+ %result = (
+ %result,
+ $check_privileges->(),
+ );
+ }
+ }
+
+ if ($result{have_privileges}) {
+ $::auth->set_session_value(database_superuser_username => $result{username}, database_superuser_password => $result{password});
+ return %result;
+ }
+
+ $::auth->delete_session_value(qw(database_superuser_username database_superuser_password));
+
+ return () if !$::form->{database_superuser_user} && $params{no_credentials_not_an_error};
+ return (%result, error => $::locale->text('No superuser credentials were entered.')) if !$::form->{database_superuser_user};
+ return %result if $result{error};
+ return (%result, error => $::locale->text('The database user \'#1\' does not have superuser privileges.', $result{username}));
+}
 1;
diff --git a/SL/DBUtils.pm b/SL/DBUtils.pm
index 54cf7da17..c9c70c95a 100644
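Review bot: In `check_database_superuser_privileges` the superuser password is written to the session in clear text by `$::auth->set_session_value(database_superuser_username => $result{username}, database_superuser_password => $result{password});` on every successful check, and the hunk removes it only on the failure path. How long the session store keeps it is not visible here, so the code that finishes the dataset creation should call `$::auth->delete_session_value(qw(database_superuser_username database_superuser_password));` once the credentials have been used, and a comment at the `set_session_value` call should name who consumes and who clears the two values. Separately, an `error` left in `%result` by the first connection attempt survives the merge with the second attempt, so `return %result if $result{error};` can report wrong credentials when the entered role merely lacks superuser rights; `delete $result{error};` before the second `$check_privileges->()` would avoid that.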
--- a/SL/DBUtils.pm
+++ b/SL/DBUtils.pm
@@ -392,6 +392,13 @@ sub like {
 return "%" . SL::Util::trim($string // '') . "%";
 }
+sub role_is_superuser {
+ my ($dbh, $login) = @_;
+ my ($is_superuser) = $dbh->selectrow_array(qq|SELECT usesuper FROM pg_user WHERE usename = ?|, undef, $login);
+
+ return $is_superuser;
+}
+
 1;
diff --git a/SL/User.pm b/SL/User.pm
index a271e77df..68fd2c520 100644
--- a/SL/User.pm
+++ b/SL/User.pm
@@ -130,7 +130,7 @@ sub _handle_superuser_privileges {
 my $dbh = SL::DBConnect->connect($dbconnect_form{dbconnect}, $dbconnect_form{dbuser}, $dbconnect_form{dbpasswd}, SL::DBConnect->get_options);
 return (%result, error => $::locale->text('The credentials (username & password) for connecting database are wrong.')) if !$dbh;
- my ($is_superuser) = $dbh->selectrow_array(qq|SELECT usesuper FROM pg_user WHERE usename = ?|, undef, $dbconnect_form{dbuser});
+ my $is_superuser = SL::DBUtils::role_is_superuser($dbh, $dbconnect_form{dbuser});
 $dbh->disconnect;
diff --git a/locale/de/all b/locale/de/all
index cb5305029..2495b5f7f 100755
--- a/locale/de/all
+++ b/locale/de/all
@@ -847,11 +847,13 @@ $self->{texts} = {
 'Database Host' => 'Datenbankcomputer',
 'Database ID' => 'Datenbank-ID',
 'Database Management' => 'Datenbankadministration',
+ 'Database Superuser' => 'Datenbank-Super-Benutzer',
 'Database User' => 'Datenbankbenutzer',
 'Database host and port' => 'Datenbankhost und -port',
 'Database login (#1)' => 'Datenbankanmeldung (#1)',
 'Database name' => 'Datenbankname',
 'Database settings' => 'Datenbankeinstellungen',
+ 'Database superuser privileges are required for parts of the database modifications.' => 'Für einige Teile der Datenbankänderungen werden Datenbank-Super-Benutzer-Rechte benötigt.',
 'Database superuser privileges are required for the update.' => 'Datenbank-Super-Benutzer-Rechte werden für das Update benötigt.',
 'Database template' => 'Datenbankvorlage',
 'Database update error:' => 'Fehler beim Datenbankupgrade:',
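Review bot: `role_is_superuser` in SL/DBUtils.pm has no comment stating its return contract, while both callers in this patch treat any false value as "not a superuser". `selectrow_array` yields an empty list when no `pg_user` row matches `$login` and, unless the handle is set to raise errors (not visible here), also when the query itself fails, so `undef` covers more than one outcome. I would add above the sub: `# Returns pg_user.usesuper for $login; undef if no such role exists or the lookup failed.`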
@@ -1974,6 +1976,7 @@ $self->{texts} = {
 'No start date given, setting to #1' => 'Kein Startdatum gegeben, setze Startdatum auf #1',
 'No such job #1 in the database.' => 'Hintergrund-Job #1 existiert nicht mehr.',
 'No summary account' => 'Kein Sammelkonto',
+ 'No superuser credentials were entered.' => 'Es wurden keine Super-Benutzer-Anmeldedaten eingegeben.',
 'No template has been selected yet.' => 'Es wurde noch keine Vorlage ausgewählt.',
 'No text blocks have been created for this position.' => 'Für diese Position wurden noch keine Textblöcke angelegt.',
 'No text has been entered yet.' => 'Es wurde noch kein Text eingegeben.',
diff --git a/templates/webpages/admin/create_dataset.html b/templates/webpages/admin/create_dataset.html
index 7a879d8aa..48998c6a9 100644
--- a/templates/webpages/admin/create_dataset.html
+++ b/templates/webpages/admin/create_dataset.html
@@ -10,6 +10,13 @@ [% LxERP.t8('In the latter case the tables needed by kivitendo will be created in that database.') %]

+ [% IF !superuser.have_privileges %] +

+ [% LxERP.t8("Database superuser privileges are required for parts of the database modifications.") %] + [% LxERP.t8("Please provide corresponding credentials.") %] +

+ [% END %] + @@ -21,6 +28,18 @@ + [% IF !superuser.have_privileges %] + + + + + + + + + + [% END %] + -- 2.20.1
[% LxERP.t8('Existing Datasets') %][% L.input_tag('db', FORM.db, class="initial_focus") %]
[% LxERP.t8("Database Superuser") %][% L.input_tag("database_superuser_user", superuser.username) %]
[% LxERP.t8("Password") %][% L.input_tag("database_superuser_password", superuser.password, type="password") %]
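Review bot: The new password field is pre-filled with the value the controller hands back, `L.input_tag("database_superuser_password", superuser.password, type="password")`, so after a failed check the database superuser password is returned to the browser in the page source, where it can be retained by caches or intermediaries. Rendering the field empty keeps the secret on the server: `L.input_tag("database_superuser_password", "", type="password")`; the username field can stay pre-filled. The HTML markup of this hunk is not visible on this page, so where the field sits in the table is inferred from the surviving template lines.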