other
/
pma


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318
							<?php

declare(strict_types=1);

namespace PhpMyAdmin;

use PhpMyAdmin\Config\ConfigFile;
use PhpMyAdmin\Config\Forms\User\UserFormList;
use PhpMyAdmin\ConfigStorage\Relation;
use PhpMyAdmin\Dbal\DatabaseName;

use function __;
use function array_flip;
use function array_merge;
use function basename;
use function htmlspecialchars;
use function http_build_query;
use function is_array;
use function is_int;
use function is_numeric;
use function is_string;
use function json_decode;
use function json_encode;
use function str_contains;
use function time;
use function urlencode;

/**
 * Functions for displaying user preferences pages
 */
class UserPreferences
{
    /** @var Relation */
    private $relation;

    /** @var Template */
    public $template;

    public function __construct()
    {
        global $dbi;

        $this->relation = new Relation($dbi);
        $this->template = new Template();
    }

    /**
     * Common initialization for user preferences modification pages
     *
     * @param ConfigFile $cf Config file instance
     */
    public function pageInit(ConfigFile $cf): void
    {
        $forms_all_keys = UserFormList::getFields();
        $cf->resetConfigData(); // start with a clean instance
        $cf->setAllowedKeys($forms_all_keys);
        $cf->setCfgUpdateReadMapping(
            [
                'Server/hide_db' => 'Servers/1/hide_db',
                'Server/only_db' => 'Servers/1/only_db',
            ]
        );
        $cf->updateWithGlobalConfig($GLOBALS['cfg']);
    }

    /**
     * Loads user preferences
     *
     * Returns an array:
     * * config_data - path => value pairs
     * * mtime - last modification time
     * * type - 'db' (config read from pmadb) or 'session' (read from user session)
     *
     * @psalm-return array{config_data: mixed[], mtime: int, type: 'session'|'db'}
     */
    public function load(): array
    {
        global $dbi;

        $relationParameters = $this->relation->getRelationParameters();
        if ($relationParameters->userPreferencesFeature === null) {
            // no pmadb table, use session storage
            if (! isset($_SESSION['userconfig']) || ! is_array($_SESSION['userconfig'])) {
                $_SESSION['userconfig'] = ['db' => [], 'ts' => time()];
            }

            $configData = $_SESSION['userconfig']['db'] ?? null;
            $timestamp = $_SESSION['userconfig']['ts'] ?? null;

            return [
                'config_data' => is_array($configData) ? $configData : [],
                'mtime' => is_int($timestamp) ? $timestamp : time(),
                'type' => 'session',
            ];
        }

        // load configuration from pmadb
        $query_table = Util::backquote($relationParameters->userPreferencesFeature->database) . '.'
            . Util::backquote($relationParameters->userPreferencesFeature->userConfig);
        $query = 'SELECT `config_data`, UNIX_TIMESTAMP(`timevalue`) ts'
            . ' FROM ' . $query_table
            . ' WHERE `username` = \''
            . $dbi->escapeString((string) $relationParameters->user)
            . '\'';
        $row = $dbi->fetchSingleRow($query, DatabaseInterface::FETCH_ASSOC, DatabaseInterface::CONNECT_CONTROL);
        if (! is_array($row) || ! isset($row['config_data']) || ! isset($row['ts'])) {
            return ['config_data' => [], 'mtime' => time(), 'type' => 'db'];
        }

        $configData = is_string($row['config_data']) ? json_decode($row['config_data'], true) : [];

        return [
            'config_data' => is_array($configData) ? $configData : [],
            'mtime' => is_numeric($row['ts']) ? (int) $row['ts'] : time(),
            'type' => 'db',
        ];
    }

    /**
     * Saves user preferences
     *
     * @param array $config_array configuration array
     *
     * @return true|Message
     */
    public function save(array $config_array)
    {
        global $dbi;

        $relationParameters = $this->relation->getRelationParameters();
        $server = $GLOBALS['server'] ?? $GLOBALS['cfg']['ServerDefault'];
        $cache_key = 'server_' . $server;
        if (
            $relationParameters->userPreferencesFeature === null
            || $relationParameters->user === null
            || $relationParameters->db === null
        ) {
            // no pmadb table, use session storage
            $_SESSION['userconfig'] = [
                'db' => $config_array,
                'ts' => time(),
            ];
            if (isset($_SESSION['cache'][$cache_key]['userprefs'])) {
                unset($_SESSION['cache'][$cache_key]['userprefs']);
            }

            return true;
        }

        // save configuration to pmadb
        $query_table = Util::backquote($relationParameters->userPreferencesFeature->database) . '.'
            . Util::backquote($relationParameters->userPreferencesFeature->userConfig);
        $query = 'SELECT `username` FROM ' . $query_table
            . ' WHERE `username` = \''
            . $dbi->escapeString($relationParameters->user)
            . '\'';

        $has_config = $dbi->fetchValue($query, 0, DatabaseInterface::CONNECT_CONTROL);
        $config_data = json_encode($config_array);
        if ($has_config) {
            $query = 'UPDATE ' . $query_table
                . ' SET `timevalue` = NOW(), `config_data` = \''
                . $dbi->escapeString($config_data)
                . '\''
                . ' WHERE `username` = \''
                . $dbi->escapeString($relationParameters->user)
                . '\'';
        } else {
            $query = 'INSERT INTO ' . $query_table
                . ' (`username`, `timevalue`,`config_data`) '
                . 'VALUES (\''
                . $dbi->escapeString($relationParameters->user) . '\', NOW(), '
                . '\'' . $dbi->escapeString($config_data) . '\')';
        }

        if (isset($_SESSION['cache'][$cache_key]['userprefs'])) {
            unset($_SESSION['cache'][$cache_key]['userprefs']);
        }

        if (! $dbi->tryQuery($query, DatabaseInterface::CONNECT_CONTROL)) {
            $message = Message::error(__('Could not save configuration'));
            $message->addMessage(Message::error($dbi->getError(DatabaseInterface::CONNECT_CONTROL)), '<br><br>');
            if (! $this->hasAccessToDatabase($relationParameters->db)) {
                /**
                 * When phpMyAdmin cached the configuration storage parameters, it checked if the database can be
                 * accessed, so if it could not be accessed anymore, then the cache must be cleared as it's out of date.
                 *
                 * @psalm-suppress MixedArrayAssignment
                 */
                $_SESSION['relation'][$GLOBALS['server']] = [];
                $message->addMessage(Message::error(htmlspecialchars(
                    __('The phpMyAdmin configuration storage database could not be accessed.')
                )), '<br><br>');
            }

            return $message;
        }

        return true;
    }

    private function hasAccessToDatabase(DatabaseName $database): bool
    {
        $escapedDb = $GLOBALS['dbi']->escapeString($database->getName());
        $query = 'SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME = \'' . $escapedDb . '\';';
        if ($GLOBALS['cfg']['Server']['DisableIS']) {
            $query = 'SHOW DATABASES LIKE \'' . Util::escapeMysqlWildcards($escapedDb) . '\';';
        }

        return (bool) $GLOBALS['dbi']->fetchSingleRow($query, 'ASSOC', DatabaseInterface::CONNECT_CONTROL);
    }

    /**
     * Returns a user preferences array filtered by $cfg['UserprefsDisallow']
     * (exclude list) and keys from user preferences form (allow list)
     *
     * @param array $config_data path => value pairs
     *
     * @return array
     */
    public function apply(array $config_data)
    {
        $cfg = [];
        $excludeList = array_flip($GLOBALS['cfg']['UserprefsDisallow']);
        $allowList = array_flip(UserFormList::getFields());
        // allow some additional fields which are custom handled
        $allowList['ThemeDefault'] = true;
        $allowList['lang'] = true;
        $allowList['Server/hide_db'] = true;
        $allowList['Server/only_db'] = true;
        $allowList['2fa'] = true;
        foreach ($config_data as $path => $value) {
            if (! isset($allowList[$path]) || isset($excludeList[$path])) {
                continue;
            }

            Core::arrayWrite($path, $cfg, $value);
        }

        return $cfg;
    }

    /**
     * Updates one user preferences option (loads and saves to database).
     *
     * No validation is done!
     *
     * @param string $path          configuration
     * @param mixed  $value         value
     * @param mixed  $default_value default value
     *
     * @return true|Message
     */
    public function persistOption($path, $value, $default_value)
    {
        $prefs = $this->load();
        if ($value === $default_value) {
            if (! isset($prefs['config_data'][$path])) {
                return true;
            }

            unset($prefs['config_data'][$path]);
        } else {
            $prefs['config_data'][$path] = $value;
        }

        return $this->save($prefs['config_data']);
    }

    /**
     * Redirects after saving new user preferences
     *
     * @param string     $file_name Filename
     * @param array|null $params    URL parameters
     * @param string     $hash      Hash value
     */
    public function redirect(
        $file_name,
        $params = null,
        $hash = null
    ): void {
        // redirect
        $url_params = ['saved' => 1];
        if (is_array($params)) {
            $url_params = array_merge($params, $url_params);
        }

        if ($hash) {
            $hash = '#' . urlencode($hash);
        }

        Core::sendHeaderLocation('./' . $file_name
            . Url::getCommonRaw($url_params, ! str_contains($file_name, '?') ? '?' : '&') . $hash);
    }

    /**
     * Shows form which allows to quickly load
     * settings stored in browser's local storage
     *
     * @return string
     */
    public function autoloadGetHeader()
    {
        if (isset($_REQUEST['prefs_autoload']) && $_REQUEST['prefs_autoload'] === 'hide') {
            $_SESSION['userprefs_autoload'] = true;

            return '';
        }

        $script_name = basename(basename($GLOBALS['PMA_PHP_SELF']));
        $return_url = $script_name . '?' . http_build_query($_GET, '', '&');

        return $this->template->render('preferences/autoload', [
            'hidden_inputs' => Url::getHiddenInputs(),
            'return_url' => $return_url,
        ]);
    }
}