getFooter()->setMinimal();
$header = $response->getHeader();
$header->setTitle(__('Access denied'));
$header->disableMenu();
$header->setBodyId('loginform');
$response->addHTML('');
$response->addHTML(sprintf(__('Welcome to %s'), ' phpMyAdmin'));
$response->addHTML('
');
$response->addHTML('');
$response->addHTML(
PMA_Message::error(
__('Wrong username/password. Access denied.')
)
);
$response->addHTML('
');
if (file_exists(CUSTOM_FOOTER_FILE)) {
include CUSTOM_FOOTER_FILE;
}
if (! defined('TESTSUITE')) {
exit;
} else {
return false;
}
}
/**
* Gets advanced authentication settings
*
* @global string $PHP_AUTH_USER the username if register_globals is on
* @global string $PHP_AUTH_PW the password if register_globals is on
* @global array the array of server variables if
* register_globals is off
* @global array the array of environment variables if
* register_globals is off
* @global string the username for the ? server
* @global string the password for the ? server
* @global string the username for the WebSite Professional
* server
* @global string the password for the WebSite Professional
* server
* @global string the username of the user who logs out
*
* @return boolean whether we get authentication settings or not
*/
public function authCheck()
{
global $PHP_AUTH_USER, $PHP_AUTH_PW;
// Grabs the $PHP_AUTH_USER variable whatever are the values of the
// 'register_globals' and the 'variables_order' directives
if (empty($PHP_AUTH_USER)) {
if (PMA_getenv('PHP_AUTH_USER')) {
$PHP_AUTH_USER = PMA_getenv('PHP_AUTH_USER');
} elseif (PMA_getenv('REMOTE_USER')) {
// CGI, might be encoded, see below
$PHP_AUTH_USER = PMA_getenv('REMOTE_USER');
} elseif (PMA_getenv('REDIRECT_REMOTE_USER')) {
// CGI, might be encoded, see below
$PHP_AUTH_USER = PMA_getenv('REDIRECT_REMOTE_USER');
} elseif (PMA_getenv('AUTH_USER')) {
// WebSite Professional
$PHP_AUTH_USER = PMA_getenv('AUTH_USER');
} elseif (PMA_getenv('HTTP_AUTHORIZATION')
&& false === strpos(PMA_getenv('HTTP_AUTHORIZATION'), '<')
) {
// IIS, might be encoded, see below; also prevent XSS
$PHP_AUTH_USER = PMA_getenv('HTTP_AUTHORIZATION');
} elseif (PMA_getenv('Authorization')) {
// FastCGI, might be encoded, see below
$PHP_AUTH_USER = PMA_getenv('Authorization');
}
}
// Grabs the $PHP_AUTH_PW variable whatever are the values of the
// 'register_globals' and the 'variables_order' directives
if (empty($PHP_AUTH_PW)) {
if (PMA_getenv('PHP_AUTH_PW')) {
$PHP_AUTH_PW = PMA_getenv('PHP_AUTH_PW');
} elseif (PMA_getenv('REMOTE_PASSWORD')) {
// Apache/CGI
$PHP_AUTH_PW = PMA_getenv('REMOTE_PASSWORD');
} elseif (PMA_getenv('AUTH_PASSWORD')) {
// WebSite Professional
$PHP_AUTH_PW = PMA_getenv('AUTH_PASSWORD');
}
}
// Decode possibly encoded information (used by IIS/CGI/FastCGI)
// (do not use explode() because a user might have a colon in his password
if (strcmp(substr($PHP_AUTH_USER, 0, 6), 'Basic ') == 0) {
$usr_pass = base64_decode(substr($PHP_AUTH_USER, 6));
if (! empty($usr_pass)) {
$colon = strpos($usr_pass, ':');
if ($colon) {
$PHP_AUTH_USER = substr($usr_pass, 0, $colon);
$PHP_AUTH_PW = substr($usr_pass, $colon + 1);
}
unset($colon);
}
unset($usr_pass);
}
// User logged out -> ensure the new username is not the same
$old_usr = isset($_REQUEST['old_usr']) ? $_REQUEST['old_usr'] : '';
if (! empty($old_usr)
&& (isset($PHP_AUTH_USER) && $old_usr == $PHP_AUTH_USER)
) {
$PHP_AUTH_USER = '';
// -> delete user's choices that were stored in session
if (! defined('TESTSUITE')) {
session_destroy();
}
}
// Returns whether we get authentication settings or not
if (empty($PHP_AUTH_USER)) {
return false;
} else {
return true;
}
}
/**
* Set the user and password after last checkings if required
*
* @global array $cfg the valid servers settings
* @global integer $server the id of the current server
* @global array the current server settings
* @global string $PHP_AUTH_USER the current username
* @global string $PHP_AUTH_PW the current password
*
* @return boolean always true
*/
public function authSetUser()
{
global $cfg, $server;
global $PHP_AUTH_USER, $PHP_AUTH_PW;
// Ensures valid authentication mode, 'only_db', bookmark database and
// table names and relation table name are used
if ($cfg['Server']['user'] != $PHP_AUTH_USER) {
$servers_cnt = count($cfg['Servers']);
for ($i = 1; $i <= $servers_cnt; $i++) {
if (isset($cfg['Servers'][$i])
&& ($cfg['Servers'][$i]['host'] == $cfg['Server']['host']
&& $cfg['Servers'][$i]['user'] == $PHP_AUTH_USER)
) {
$server = $i;
$cfg['Server'] = $cfg['Servers'][$i];
break;
}
} // end for
} // end if
$cfg['Server']['user'] = $PHP_AUTH_USER;
$cfg['Server']['password'] = $PHP_AUTH_PW;
// Avoid showing the password in phpinfo()'s output
unset($GLOBALS['PHP_AUTH_PW']);
unset($_SERVER['PHP_AUTH_PW']);
return true;
}
/**
* User is not allowed to login to MySQL -> authentication failed
*
* @return boolean always true (no return indeed)
*/
public function authFails()
{
$error = $GLOBALS['dbi']->getError();
if ($error && $GLOBALS['errno'] != 1045) {
PMA_fatalError($error);
} else {
$this->auth();
return true;
}
}
/**
* This method is called when any PluginManager to which the observer
* is attached calls PluginManager::notify()
*
* @param SplSubject $subject The PluginManager notifying the observer
* of an update.
*
* @return void
*/
public function update (SplSubject $subject)
{
}
}