From 9968851f1ee54eb863a33bf3ba19e8dc832aa730 Mon Sep 17 00:00:00 2001
From: Peter Knut
Date: Mon, 5 Apr 2021 00:08:42 +0200
Subject: [PATCH 1/2] Add support for "where" field privilege

In Elasticsearch, only indexed fields are searchable.
---
 adminer/drivers/elastic.inc.php | 7 ++++++-
 adminer/drivers/mongo.inc.php | 1 +
 adminer/drivers/mssql.inc.php | 2 +-
 adminer/drivers/mysql.inc.php | 2 +-
 adminer/drivers/oracle.inc.php | 2 +-
 adminer/drivers/sqlite.inc.php | 2 +-
 adminer/include/adminer.inc.php | 3 ++-
 adminer/include/functions.inc.php | 2 +-
 adminer/select.inc.php | 8 ++++++--
 plugins/drivers/clickhouse.php | 2 +-
 plugins/drivers/firebird.php | 2 +-
 11 files changed, 22 insertions(+), 11 deletions(-)

diff --git a/adminer/drivers/elastic.inc.php b/adminer/drivers/elastic.inc.php
index c570c14e..cb94e4f3 100644
--- a/adminer/drivers/elastic.inc.php
+++ b/adminer/drivers/elastic.inc.php
@@ -380,7 +380,12 @@ if (isset($_GET["elastic"])) {
 "field" => $name,
 "full_type" => $field["type"],
 "type" => $field["type"],
- "privileges" => array("insert" => 1, "select" => 1, "update" => 1),
+ "privileges" => array(
+ "insert" => 1,
+ "select" => 1,
+ "update" => 1,
+ "where" => !isset($field["index"]) || $field["index"] ?: null,
+ ),
 );
 if ($field["properties"]) { // only leaf fields can be edited
 unset($return[$name]["privileges"]["insert"]);
diff --git a/adminer/drivers/mongo.inc.php b/adminer/drivers/mongo.inc.php
index 63649f04..71fa0a5f 100644
--- a/adminer/drivers/mongo.inc.php
+++ b/adminer/drivers/mongo.inc.php
@@ -463,6 +463,7 @@ if (isset($_GET["mongo"])) {
 "insert" => 1,
 "select" => 1,
 "update" => 1,
+ "where" => 1,
 ),
 );
 }
diff --git a/adminer/drivers/mssql.inc.php b/adminer/drivers/mssql.inc.php
index c8ed37c9..212f8de3 100644
--- a/adminer/drivers/mssql.inc.php
+++ b/adminer/drivers/mssql.inc.php
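Review bot: The new `"where"` entry in the elastic.inc.php hunk is derived from `$field["index"]` but is not withdrawn for object fields: the visible part of the `if ($field["properties"])` branch unsets only `insert`, and if the rest of that branch (outside the hunk) does not also drop `where`, a non-leaf field presumably still lands in the search column list although only its sub-fields carry an index setting; `unset($return[$name]["privileges"]["where"]);` next to the existing unset would close that. The expression `!isset($field["index"]) || $field["index"] ?: null` also depends on `||` binding tighter than `?:`, which every reader has to re-check; `(!isset($field["index"]) || $field["index"]) ? 1 : null` reads the same and yields the integer 1 the other drivers use. If mappings from older Elasticsearch versions, where `index` was a string such as `"no"`, can still be served, the truthiness test would mark those fields searchable. The enclosing function starts and ends outside the hunk.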
@@ -387,7 +387,7 @@ WHERE o.schema_id = SCHEMA_ID(" . q(get_schema()) . ") AND o.type IN ('S', 'U',
 "null" => $row["is_nullable"],
 "auto_increment" => $row["is_identity"],
 "collation" => $row["collation_name"],
- "privileges" => array("insert" => 1, "select" => 1, "update" => 1),
+ "privileges" => array("insert" => 1, "select" => 1, "update" => 1, "where" => 1),
 "primary" => $row["is_identity"], //! or indexes.is_primary_key
 "comment" => $comments[$row["name"]],
 );
diff --git a/adminer/drivers/mysql.inc.php b/adminer/drivers/mysql.inc.php
index 1ba8d651..7f61d6ec 100644
--- a/adminer/drivers/mysql.inc.php
+++ b/adminer/drivers/mysql.inc.php
@@ -551,7 +551,7 @@ if (!defined("DRIVER")) {
 "auto_increment" => ($row["Extra"] == "auto_increment"),
 "on_update" => (preg_match('~^on update (.+)~i', $row["Extra"], $match) ? $match[1] : ""), //! available since MySQL 5.1.23
 "collation" => $row["Collation"],
- "privileges" => array_flip(preg_split('~, *~', $row["Privileges"])),
+ "privileges" => array_flip(preg_split('~, *~', $row["Privileges"])) + ["where" => 1],
 "comment" => $row["Comment"],
 "primary" => ($row["Key"] == "PRI"),
 // https://mariadb.com/kb/en/library/show-columns/, https://github.com/vrana/adminer/pull/359#pullrequestreview-276677186
diff --git a/adminer/drivers/oracle.inc.php b/adminer/drivers/oracle.inc.php
index 1c5b1598..b05e5e43 100644
--- a/adminer/drivers/oracle.inc.php
+++ b/adminer/drivers/oracle.inc.php
@@ -297,7 +297,7 @@ ORDER BY 1"
 "null" => ($row["NULLABLE"] == "Y"),
 //! "auto_increment" => false,
 //! "collation" => $row["CHARACTER_SET_NAME"],
- "privileges" => array("insert" => 1, "select" => 1, "update" => 1),
+ "privileges" => array("insert" => 1, "select" => 1, "update" => 1, "where" => 1),
 //! "comment" => $row["Comment"],
 //! "primary" => ($row["Key"] == "PRI"),
 );
diff --git a/adminer/drivers/sqlite.inc.php b/adminer/drivers/sqlite.inc.php
index e85fd31c..fcfd56af 100644
--- a/adminer/drivers/sqlite.inc.php
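Review bot: `+ ["where" => 1]` in the mysql.inc.php hunk is the only short array literal in a patch that otherwise writes `array(...)` everywhere, including the mssql and oracle hunks next to it. Short array syntax also requires PHP 5.4, so if the project still supports older runtimes this one line becomes a parse error for the whole driver. `+ array("where" => 1)` keeps both the file's style and its compatibility.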
+++ b/adminer/drivers/sqlite.inc.php
@@ -321,7 +321,7 @@ if (isset($_GET["sqlite"]) || isset($_GET["sqlite2"])) {
 "full_type" => $type,
 "default" => (preg_match("~'(.*)'~", $default, $match) ? str_replace("''", "'", $match[1]) : ($default == "NULL" ? null : $default)),
 "null" => !$row["notnull"],
- "privileges" => array("select" => 1, "insert" => 1, "update" => 1),
+ "privileges" => array("select" => 1, "insert" => 1, "update" => 1, "where" => 1),
 "primary" => $row["pk"],
 );
 if ($row["pk"]) {
diff --git a/adminer/include/adminer.inc.php b/adminer/include/adminer.inc.php
index 632e2928..b114b5b9 100644
--- a/adminer/include/adminer.inc.php
+++ b/adminer/include/adminer.inc.php
@@ -561,7 +561,8 @@ class Adminer {
 // find anywhere
 $cols = array();
 foreach ($fields as $name => $field) {
- if ((preg_match('~^[-\d.' . (preg_match('~IN$~', $val["op"]) ? ',' : '') . ']+$~', $val["val"]) || !preg_match('~' . number_type() . '|bit~', $field["type"]))
+ if (isset($field["privileges"]["where"])
+ && (preg_match('~^[-\d.' . (preg_match('~IN$~', $val["op"]) ? ',' : '') . ']+$~', $val["val"]) || !preg_match('~' . number_type() . '|bit~', $field["type"]))
 && (!preg_match("~[\x80-\xFF]~", $val["val"]) || preg_match('~char|text|enum|set~', $field["type"]))
 && (!preg_match('~date|timestamp~', $field["type"]) || preg_match('~^\d+-\d+-\d+~', $val["val"]))
 ) {
diff --git a/adminer/include/functions.inc.php b/adminer/include/functions.inc.php
index 44b0a50a..749c709f 100644
--- a/adminer/include/functions.inc.php
+++ b/adminer/include/functions.inc.php
@@ -1077,7 +1077,7 @@ function fields_from_edit() {
 $name = bracket_escape($key, 1); // 1 - back
 $return[$name] = array(
 "field" => $name,
- "privileges" => array("insert" => 1, "update" => 1),
+ "privileges" => array("insert" => 1, "update" => 1, "where" => 1),
 "null" => 1,
 "auto_increment" => ($key == $driver->primary),
 );
diff --git a/adminer/select.inc.php b/adminer/select.inc.php
index d213ae96..d977fce5 100644
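Review bot: The new `isset($field["privileges"]["where"])` guard in the adminer.inc.php hunk covers only the "find anywhere" loop; the path that builds a condition for an explicitly named column presumably lives elsewhere in the same method (it starts and ends outside the hunk), and if it does not apply the same check, a request naming a column without the privilege is still turned into a query, because the narrowed list handed to `selectSearchPrint` restricts only the form, not what the server accepts. Worth confirming that branch filters on the privilege too, with the same `isset()` so the Elasticsearch driver's `null` value counts as "not searchable". Any driver whose `fields()` does not emit the key now loses "find anywhere" entirely; the diffstat lists no pgsql driver, so confirm it already provides the key or is covered by the second patch.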
--- a/adminer/select.inc.php
+++ b/adminer/select.inc.php
@@ -9,6 +9,7 @@ parse_str($_COOKIE["adminer_import"], $adminer_import);
 $rights = array(); // privilege => 0
 $columns = array(); // selectable columns
+$search_columns = array(); // searchable columns
 $text_length = null;
 foreach ($fields as $key => $field) {
 $name = $adminer->fieldName($field);
@@ -18,6 +19,9 @@ foreach ($fields as $key => $field) {
 $text_length = $adminer->selectLengthProcess();
 }
 }
+ if (isset($field["privileges"]["where"]) && $name != "") {
+ $search_columns[$key] = html_entity_decode(strip_tags($name), ENT_QUOTES);
+ }
 $rights += $field["privileges"];
 }
@@ -245,7 +249,7 @@ if (!$columns && support("table")) {
 echo '';
 echo "\n";
 $adminer->selectColumnsPrint($select, $columns);
- $adminer->selectSearchPrint($where, $columns, $indexes);
+ $adminer->selectSearchPrint($where, $search_columns, $indexes);
 $adminer->selectOrderPrint($order, $columns, $indexes);
 $adminer->selectLimitPrint($limit);
 $adminer->selectLengthPrint($text_length);
@@ -336,7 +340,7 @@ if (!$columns && support("table")) {
 echo apply_sql_function($val["fun"], $name) . ""; //! columns looking like functions
 echo "
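Review bot: `$search_columns[$key] = html_entity_decode(strip_tags($name), ENT_QUOTES);` in the second select.inc.php hunk presumably repeats the expression that fills `$columns` a few lines above (outside the hunk); computing it once into a local such as `$plain_name` before both `if`s would keep the two lists from drifting apart. `$rights += $field["privileges"]` on the next line now also merges the `where` key, and for the Elasticsearch driver its value can be `null`, so any consumer that reads `$rights["where"]` by value rather than with `isset()` should treat that as "no privilege". The last hunk (`@@ -336`) runs past the end of this chunk and is not reviewed here.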