Read only_db restriction from a dedicated session key
da_login.php now stores the ticket's restrict_db into DA_MYSQL_PHPMYADMIN_RESTRICT_DB, and config.inc.php's only_db builder reads that key instead of the landing-page db field, so an all-databases login (empty restrict_db) leaves phpMyAdmin unrestricted.
This commit is contained in:
@@ -353,8 +353,7 @@ function da_mysql_phpmyadmin_only_db(): string
|
||||
session_name($sessionName);
|
||||
session_id($sessionId);
|
||||
session_start();
|
||||
$auth = $_SESSION['DA_MYSQL_PHPMYADMIN_AUTH'] ?? [];
|
||||
$db = is_array($auth) ? (string)($auth['db'] ?? '') : '';
|
||||
$db = (string)($_SESSION['DA_MYSQL_PHPMYADMIN_RESTRICT_DB'] ?? '');
|
||||
session_write_close();
|
||||
|
||||
return $db;
|
||||
@@ -515,6 +514,7 @@ session_set_cookie_params([
|
||||
]);
|
||||
session_start();
|
||||
$_SESSION['DA_MYSQL_PHPMYADMIN_AUTH'] = $ticket['auth'];
|
||||
$_SESSION['DA_MYSQL_PHPMYADMIN_RESTRICT_DB'] = (string)($ticket['restrict_db'] ?? '');
|
||||
session_write_close();
|
||||
|
||||
header('Cache-Control: no-store, no-cache, must-revalidate');
|
||||
|
||||
Reference in New Issue
Block a user