Opened 13 years ago
Closed 13 years ago
#1169 closed Defect (fixed)
database upgrade may require alternate user
Reported by: | Eric Myers | Owned by: | davea |
---|---|---|---|
Priority: | Minor | Milestone: | Undetermined |
Component: | Server - Setup | Version: | 6.12.34 |
Keywords: | database upgrade | Cc: |
Description
The database upgrade step should ask for a database username and password instead of assuming it should use the values in config.xml.
It may be the case that the default project db user listed does not have proper permissions to make changes to the database (add or drop tables or fields in tables), but only has permissions to insert, alter or remove entries. One would set such limited permissions to mitigate damage in the case of an intrusion via SQL injection or something similar. But then the database upgrade will fail.
A simple way to avoid this problem is to have the db_update.php script invoke db_init_cli() instead of BoincDb::get_aux(false). This is appropriate because the file is to be run via CLI anyway. Here is a suggested patch:
26,28c26,28 < if( $rc = db_init_cli() ){ < if( $rc == 1 ) echo "Cannot connect to database server.\n"; < if( $rc == 2 ) echo "Cannot select the database.\n"; --- > $db = BoincDb::get_aux(false); > if (!$db) { > echo "Can't open database\n";
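Review bot: The diff direction looks reversed: in `26,28c26,28` the `db_init_cli()` lines sit on the `<` (first file) side and the `BoincDb::get_aux(false)` lines on the `>` (second file) side, so applied as posted it would swap db_init_cli() out for get_aux, the opposite of what the description proposes. Regenerating it old-then-new, preferably with `diff -u`, would also give context showing which lines of db_update.php are touched. Separately, `if( $rc = db_init_cli() )` is entered for any nonzero return value, but only 1 and 2 print a message; a fallback message for other values would keep a failure from passing silently, and doing the assignment on its own line before the test would make it clear that `=` rather than `==` is intended.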
This doesn't catch the fact that the default db user cannot alter the database -- that is a separate problem -- but it lets the admin use a different db user that does have the proper permissions.
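The privilege split the description refers to, as an added example that is not part of the ticket or the BOINC code: a row-level account for normal operation and a separate account that can change the schema during an upgrade. It assumes a MySQL server; the database name `boinc_project`, the account names `boinc_web` and `boinc_admin`, and the passwords are hypothetical placeholders.

```sql
-- Added example. Assumptions (not from the ticket): MySQL, a project database
-- named boinc_project, and two hypothetical accounts. Replace the placeholder
-- passwords before use.

-- Runtime account: the one that would be listed in config.xml.
-- Row-level privileges only, so a statement injected through the application
-- cannot add or drop tables or columns.
CREATE USER 'boinc_web'@'localhost' IDENTIFIED BY 'CHANGE_ME_runtime';
GRANT SELECT, INSERT, UPDATE, DELETE
    ON boinc_project.*
    TO 'boinc_web'@'localhost';

-- Upgrade account: supplied by the admin at the command line for schema
-- changes and kept out of config.xml.
CREATE USER 'boinc_admin'@'localhost' IDENTIFIED BY 'CHANGE_ME_upgrade';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, DROP, INDEX
    ON boinc_project.*
    TO 'boinc_admin'@'localhost';

-- Check what each account can actually do before running an upgrade.
-- The runtime account should show no CREATE, ALTER, DROP or INDEX privilege;
-- a schema change attempted under it is rejected with a "command denied" error.
SHOW GRANTS FOR 'boinc_web'@'localhost';
SHOW GRANTS FOR 'boinc_admin'@'localhost';
```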
(In [24969]) - upgrade script: