#2437 (ok 2.10.2) CREATE database privilege not always detected

2.10.1
fixed
Privileges (64)
1
2013-06-11
2007-05-18
No

In some circumstances, phpMyAdmin incorrectly determines that the logged-in user does not have privileges to create databases.

Steps to reproduce:

1. Create a new user ('example') with no privileges
2. Log in as this user and verify that Create Table shows a "No Privileges" warning.
3. Grant the user permission to create tables:
   GRANT CREATE ON *.* to 'example'@'%';
4. In the browser, hit refresh. Verify that the "No Privileges" warning no longer appears.
5. Now grant the user permission to drop tables:
   GRANT DROP ON *.* to 'example'@'%';
6. In the browser, hit refresh.

What happens?

After adding the DROP privilege, suddenly the "No Privileges" warning shows up under Create Database again.

Discussion

  • Gordon McNaughton

    Logged In: YES
    user_id=704590
    Originator: YES

    The bug appears to be in check_user_privileges.lib.php, ln 31. "|| strpos($show_grants_str, 'CREATE')" should be "|| strpos($show_grants_str, 'CREATE') !== FALSE".

    Compare the results of SHOW GRANTS:

    1. "GRANT CREATE ON *.* TO 'example'@'%' IDENTIFIED BY PASSWORD '...'"
    - works because ln 31 checks "($show_grants_str == 'CREATE')".

    2. "GRANT CREATE, DROP ON *.* TO 'example'@'%' IDENTIFIED BY PASSWORD '...'"
    - fails because "strpos($show_grants_str, 'CREATE')" returns 0, which gets evaluated as FALSE.

     
  • Gordon McNaughton

    • priority: 5 --> 1
     
  • Marc Delisle

    Marc Delisle - 2007-05-19
    • assigned_to: nobody --> lem9
     
  • Marc Delisle

    Marc Delisle - 2007-05-19
    • summary: CREATE database privilege not always detected correctly --> (ok 2.10.2) CREATE database privilege not always detected
    • status: open --> open-fixed
     
  • Marc Delisle

    Marc Delisle - 2007-05-19

    Logged In: YES
    user_id=210714
    Originator: NO

    Excellent analysis, thanks. I merged your fix with a minor change

    || strpos($show_grants_str, 'CREATE,') !== false

    and added a todo because there are some other cases that would be falsely detected as CREATE.

     
  • Marc Delisle

    Marc Delisle - 2007-06-15
    • status: open-fixed --> closed-fixed
     
  • Michal Čihař

    Michal Čihař - 2013-06-11
    • Status: closed-fixed --> fixed
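
The comparison discussed in this ticket, as an added PHP example that is not phpMyAdmin's own code: it runs the original check, the reporter's proposed check, the merged variant and an exact-name comparison over the same privilege lists and prints where they disagree. The function names, the exact-name variant and the sample rows are constructed for illustration, each function models only the expression fragments quoted above, and the extraction of the privilege list from the text between "GRANT " and " ON " is an assumption.

```php
<?php
// Added illustration; not phpMyAdmin source. Each function models only the
// expression fragments quoted in the ticket.

// Assumption: the privilege list is the text between "GRANT " and " ON ".
function privilege_list(string $grant_row): string {
    return substr($grant_row, 6, strpos($grant_row, ' ON ') - 6);
}

// Original check: strpos() returns int 0 for a match at offset 0, and 0 is
// falsy, so a list that starts with CREATE is treated as "not found".
function check_original(string $p): bool {
    return $p == 'CREATE' || strpos($p, 'CREATE');
}

// Reporter's proposal: compare the strpos() result against false explicitly.
function check_reported_fix(string $p): bool {
    return $p == 'CREATE' || strpos($p, 'CREATE') !== false;
}

// Merged variant: search for 'CREATE,' instead of 'CREATE'.
function check_merged_fix(string $p): bool {
    return $p == 'CREATE' || strpos($p, 'CREATE,') !== false;
}

// Hypothetical alternative: split the list into privilege names and compare
// each name exactly, so substrings such as CREATE VIEW cannot match.
function check_tokenized(string $p): bool {
    return in_array('CREATE', array_map('trim', explode(',', $p)), true);
}

// Constructed SHOW GRANTS rows (sample data, not captured output).
$rows = [
    "GRANT CREATE ON *.* TO 'example'@'%'",
    "GRANT CREATE, DROP ON *.* TO 'example'@'%'",
    "GRANT SELECT, CREATE ON *.* TO 'example'@'%'",
    "GRANT CREATE VIEW ON *.* TO 'example'@'%'",
];

foreach ($rows as $row) {
    $p = privilege_list($row);
    printf("%-14s original=%d reported=%d merged=%d tokenized=%d\n", $p,
        check_original($p), check_reported_fix($p),
        check_merged_fix($p), check_tokenized($p));
}
```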