Database Maintenance Access Restricted

dcouot wrote on Friday, March 09, 2012:

Hi,
I can no longer access the Database module in Administration/Other/Database. I get the following message: You do not have access to this resource…
I am using the admin account, everything else is OK. Any ideas ?
Thanks

bradymiller wrote on Wednesday, March 14, 2012:

Hi,
Did you make any changes before this happened. Also, have you made any changes to the ACL settings?
-brady
OpenEMR Project

dcouot wrote on Thursday, March 15, 2012:

Hi Brady,
The only thing we did was update the language pack - with our ongoing Spanish translation. Should not have affected that part. ACLs are as per initial install. The only thing that comes to mind is that we have another version of phpmyadmin running on the same server for our other database maintenance activities.
Dominique

keithlofstrom wrote on Wednesday, October 31, 2012:

I am also getting the same message regards database access.  Sometimes I can connect, most times not.

I tried frobbing on the code.  I modified the text of the “You do not have access to this resource” message in openemr4.1.1/phpmyadmin/config.inc.php .  That did not change what got printed out.  So this behavior is cached somewhere that isn’t obvious to a grep string search.  I don’t want to learn to be a php expert, I would just like to import and export some data.

The problem showed up with our 4.1.0 installation.  I upgraded to 4.1.1 just in case that helped - it did not.

It would be nice if the code would put a useful error message into a file - needed for both fixing and security maintenance.

yehster wrote on Wednesday, October 31, 2012:

PHPMyAdmin included in openEMR isn’t a particular good tool IMHO.  If you want to do any sophisticated SQL, I would suggest using the MySQL Workbench.
http://www.mysql.com/downloads/workbench/

keithlofstrom wrote on Wednesday, October 31, 2012:

Additional note:  Our server that runs openemr is headless - accessing openemr via “localhost” doesn’t work for us.  Does that affect things?

keithlofstrom wrote on Wednesday, October 31, 2012:

… MySQL Workbench …

I don’t want to do any sophisticated SQL at all.  If I did, I would not use web access, I would use the perl DBI from the command line.  I just want to import and export text/cvs data files, just like I was doing a few days ago before something went cockeyed.

tmccormi wrote on Wednesday, October 31, 2012:

Keith,
  Take a look at the /var/log/apache2/error.log (or it’s equivilent).    do a tail -f on that and watch it in one window when you try and access the phpmyadmin.   You will likely see an error message related to something missing or not accessible.

  I’ve seen this issue crop up before.

You can also install and run phpmyAdmin from outside OpenEMR (which I prefer) bypass the OpenEMR security and just use the mysql access security.   That is more what yehster was alluding to with MySQL workbench would allow imports from csv as well.

Tony
www.mi-squared.com / @tonymi2
oemr.org / @OEMR_org

keithlofstrom wrote on Wednesday, October 31, 2012:

Thanks, Tony.  

Openemr is throwing a heck of a lot of timezone errors into the logfile - perhaps there is some config parameter I missed - so I was having trouble finding an error in the log.

Another thing that was driving me nuts was the PHP caching - I was tweaking on openemr4.1.1/phpmyadmin/config.inc.php and seeing no effect.  Is there any way to tell PHP to dump its bytecode cache?

In any case, I took the exit out of  the if (! acl_check(‘admin’, ‘database’)) clause in the config.inc.php file, for now, and the cache eventually cleared itself of the old code, and the code let me into phymyadmin.  We are running behind a firewall, with no outside access, and nobody in the clinic will fool with admin/database who shouldn’t, so this is marginally safe.  I need a better long term solution, but this will do.

I prefer to run Openemr out of the box, as is, because its value lies in sharing solutions between users.  If something doesn’t work, fix it or take it out.  If the preferred method is to use another tool rather than a builtin, take out the builtin and document the other tool. 

I am working with a very ambitious medical informatics intern who wants to use Openemr to change the world.  She is more geeky than 95% of her colleagues, but she is not a coder and won’t put up with workarounds and kludges when there are cleaner ways to do things.  I hope Openemr can evolve to support world changers like her.

bradymiller wrote on Wednesday, October 31, 2012:

Hi,
Seems like a very annoying bug. If you then add back the acl_check does it then work? If not, does changing the acl_check control work: for example acl_check(‘admin’,‘super’)?
-brady
OpenEMR

bradymiller wrote on Wednesday, October 31, 2012:

Additionally,
What are the timezone errors? In more recent php versions (5.3 and later), need to set it in the php config file:
http://chrisjean.com/2011/06/24/php-5-3-and-system-timezone-settings/

blankev wrote on Wednesday, October 31, 2012:

A hugh YES for the suggestion of   ** keithlofstrom**  hope the She “95%” will be enough to get more out of OpenEMR. Still much to be done to make OpenEMR nicer…. this community is in need of OUT OF THE BOX THINKING! …. and in the box corrections/additions.

Although possible read as a minor contribute, your contribution is very important for this project!

Tnx, Pimm

keithlofstrom wrote on Wednesday, October 31, 2012:

Thanks for the suggestion about /etc/php.ini, I added  date.timezone = ‘America/Los_Angeles’  to that file (around line 960) and the timezone errors in /var/log/httpd/error_log stopped.

When I restored the “exit” line to …openemr/phpmyadmin/config.inc.php the failure (and error message) returned. It was also there when I tried ‘admin’,‘super’ instead of ‘admin’,‘database’ in the acl_check().  No errors show up in /var/log/httpd/error_log .  Not surprising, this normally requires explicit logging messages in the code.

If I knew more about php, I would add some logging to that if() clause.  If someone is attempting database access and fails, the sysadmin should know about it, either to help them do it right, or close a security hole.

I could experiment faster if I could flush whatever caching php uses.  The previous version of the config.inc.php file seems to stay in effect for an hour or more after making a change - sometimes.  Right now, it responds immediately.  Strange.

Useful tip: I can access phpmyadmin with the full screen if I use the url http://openemr/phpmyadmin/index.php .  I’ve got dns and apache set up so that “emr” “oemr” and “openemr” all connect to the openemr inside the clinic and from the vpn connections (not routable from outside, of course). 

BTW, I am making notes on the (moinmoin) wiki at drchar.com  .  Some public, mostly a few dozen acl/private pages under development now, mostly related to workflow from a Medical Informatics viewpoint.  When the pages are correct and all the privacy and security related stuff is cleaned up, we will make those pages public, too.  

Someday, perhaps, a book to help the other doctors out there.  If it sits still, read it, if it moves, take its temperature.

lourui wrote on Tuesday, May 21, 2013:

Work Around
Hi all, I have been struggling with this same issue. I can log in to phpmyadmin as admin but when I log off and log on as a regular user I get the error message. When I then log out and log back in as admin, it then gives me the same error. I have just discovered that if I clear the browser history, I can then log in as admin normally into phpmyadmin. It appears to me that when we click log off, it does not delete the cookie created at log on. This work around is currently working for me. I hope this helps others and hopefully a fix is created to delete the cookie at log off.
-Louis-