Changed the way read-only works for custom code

Author: JhumanJ

README.md

@@ -47,7 +47,7 @@ The aggregation types currently available:
 
 For each widget type, date can be any column: `created_at`,`updated_at`,`custom_date`.
 
-## Custom Code Widgetn
+## Custom Code Widgets
 
 You can also use custom code widgets, allowing you to define your widget data with
 code, just like you would do with tinker.
@@ -63,10 +63,51 @@ $result = [
 ];
 ```
 
-Note that for safety reasons, your code won't be allowed to perform any write operations on the database.
-You can only use the code to query data and transform it in-memory.
-Even if disabling write operations makes things sage, **remote code execution is always a 
-very risky operation**. Be sure that your dashboard authorization is properly configured. You may want to disable custom code widgets by setting the `MODEL_STATS_CUSTOM_CODE` env variable to `false`. 
+### Custom Code Setup
+🚨 Using the custom code feature against a production database is a HUGE risk 🚨
+
+Any malicious user with access to the dashboard,
+or any mistake can cause harm to your database. Do not do that. Here's a safe way to use this feature:
+- Create a `read-only` database user with access to your database
+  - Here's how to create a read-only user for a PostgreSQL database: [PostgreSQL guide](https://tableplus.com/blog/2018/04/postgresql-how-to-create-read-only-user.html)
+  - Here's how to create a read-only user for a MySQL database: [MySQL guide](https://ubiq.co/database-blog/create-read-only-mysql-user/)
+- Add a readonly database connection to your `config/database.php` file
+  ```php
+  // in database.php
+  
+  'connections' => [
+  
+    // ... your other connections
+  
+     'readonly' => [
+            'driver' => 'pgsql',  // Copy the settings for the driver you use, but change the user
+            'url' => env('DATABASE_URL'),
+            'host' => env('DB_HOST', '127.0.0.1'),
+            'port' => env('DB_PORT', '5432'),
+            'database' => env('DB_DATABASE', 'forge'),
+            'username' => env('DB_USERNAME_READONLY', 'forge'), // User is changed here
+            'password' => env('DB_PASSWORD_READONLY', ''),
+            'charset' => 'utf8',
+            'prefix' => '',
+            'prefix_indexes' => true,
+            'schema' => 'public',
+            'sslmode' => 'prefer',
+        ],
+  ]
+- In your .env set the following:
+  ```dotenv
+    MODEL_STATS_CUSTOM_CODE=true
+    MODEL_STATS_DB_CONNECTION=readonly
+    DB_USERNAME_READONLY=<username>
+    DB_PASSWORD_READONLY=<password>
+    ```
+Thanks to this, the package will use the readonly connection when executing your code. 
+Note that this a protection against mistakes, but not against malicious users. One can override this 
+connection in the custom code, so there are still some risks associate with using this feature in production.
+Be sure that your dashboard authorization is properly configured.
+
+### Disabling Custom Code
+You may want to disable custom code widgets by setting the `MODEL_STATS_CUSTOM_CODE` env variable to `false`.
 
 ## Dashboard Authorization
 

config/model-stats.php

@@ -17,7 +17,7 @@
     */
 
     'enabled'            => env('MODEL_STATS_ENABLED', true),
-    'allow_custom_code'  => env('MODEL_STATS_CUSTOM_CODE', true),
+    'allow_custom_code'  => env('MODEL_STATS_CUSTOM_CODE', false),
 
     /*
     |--------------------------------------------------------------------------
@@ -45,6 +45,17 @@
     */
     'table_name'         => 'model_stats_dashboards',
 
+    /*
+    |--------------------------------------------------------------------------
+    | Database connection
+    |--------------------------------------------------------------------------
+    |
+    | Database connection used to query the data.
+    | This can be used to ensure a read-only connection, by using a custom connection with a read-only user.
+    |
+    */
+    'query_database_connection'         => env('MODEL_STATS_DB_CONNECTION', env('DB_CONNECTION')),
+
     /*
     |--------------------------------------------------------------------------
     | Route Prefixes

public/app.css

@@ -1,4 +1,4 @@
 {
-    "/app.js": "/app.js?id=2df710ffbd669b1cd776",
-    "/app.css": "/app.css?id=9672ba5832bd94459e59"
+    "/app.js": "/app.js?id=aa616d87ff4d6e21e031",
+    "/app.css": "/app.css?id=9a7dcabdfd190adb0576"
 }

public/app.js

@@ -33,7 +33,7 @@ export default {
     },
 
     data: () => ({
-        frontEndVersion: 6,
+        frontEndVersion: 7,
         alert: {
             type: null,
             autoClose: 0,
@@ -49,7 +49,7 @@ export default {
 
         // Check front-end version
         if (window.ModelStats.config.frontEndVersion > this.frontEndVersion) {
-            this.alertError('You ModelStats front-end files are not up to date. Please run ` php artisan model-stats:publish` on your server.')
+            this.alertError('You ModelStats front-end files are not up to date. Please run `php artisan model-stats:publish` on your server.')
         }
     },
 

public/mix-manifest.json

@@ -4,7 +4,8 @@
             <p class="mt-2 mb-0">{{ message }}</p>
         </div>
 
-        <div class="flex justify-end">
+        <div class="flex items-end ml-4">
+            <div>
             <v-button v-if="type == 'error'" color="red" shade="light" @click="close">
                 CLOSE
             </v-button>
@@ -17,6 +18,7 @@
             <v-button v-if="type == 'confirmation'" color="gray" shade="light" @click="cancel">
                 NO, CANCEL
             </v-button>
+            </div>
 
         </div>
 

resources/js/components/App.vue

@@ -36,7 +36,7 @@
                     Custom Code
                 </p>
                 <div class="w-full" v-if="showCode">
-                    <pre class="mt-4 p-4 flex border bg-blue-100 w-full overflow-x-scroll" v-if="showCode">{{widget.code}}</pre>
+                    <pre class="mt-4 p-4 flex border bg-blue-100 w-full overflow-x-scroll select-all" v-if="showCode">{{widget.code}}</pre>
                 </div>
             </div>
         </div>
@@ -71,6 +71,7 @@ export default {
     methods: {
         loadData() {
             this.loading = true
+            console.log('ok')
             axios.post(this.apiPath + "widgets/custom-code/data", {
                 code: this.widget.code,
                 chart_type: this.widget.chart_type,
@@ -81,7 +82,8 @@ export default {
                 this.loading = false
             }).catch((error) => {
                 this.loading = false
-                this.alertError(error.response.data.message)
+                console.log(error.response.data)
+                this.alertError(error.response.data.message ?? error.response.data.output )
             })
         },
         deleteChart() {

resources/js/components/common/Alert.vue

@@ -29,7 +29,7 @@ public function executeCustomCode(Request $request, Tinker $tinker): JsonRespons
         ]);
 
         $result = $tinker->injectDates(now()->subMonth(), now())
-            ->readonly()
+            ->setConnection()
             ->execute($validated['code']);
         $codeExecuted = $tinker->lastExecSuccess();
 
@@ -54,7 +54,7 @@ public function widgetData(Request $request, Tinker $tinker)
         $dateTo = Carbon::createFromFormat('Y-m-d', $request->get('date_to'));
 
         $result = $tinker->injectDates($dateFrom, $dateTo)
-            ->readonly()
+            ->setConnection()
             ->execute($validated['code']);
 
         $codeExecuted = $tinker->lastExecSuccess();

resources/js/components/widgets/components/CustomCode.vue

@@ -14,7 +14,7 @@
 
 class HomeController extends Controller
 {
-    public const FRONT_END_VERSION = 6;
+    public const FRONT_END_VERSION = 7;
 
     public function home(): Factory|View|Application
     {

src/Http/Controllers/CustomCodeController.php

@@ -26,7 +26,6 @@
  */
 class Tinker
 {
-    public const FAKE_WRITE_HOST = 'database_write_not_allowed_with_model_stats';
 
     /** @var \Symfony\Component\Console\Output\BufferedOutput */
     protected BufferedOutput $output;
@@ -58,7 +57,7 @@ public function execute(string $phpCode): string
             $lastException = $resultVars['_e'];
             if (($lastException instanceof QueryException)
                 && Str::of($lastException->getMessage())
-                      ->contains(self::FAKE_WRITE_HOST)) {
+                      ->contains("SQLSTATE[42501]: Insufficient privilege")) {
                 return "For safety reasons, you can only query data with ModelStats. Write operations are forbidden.";
             }
         }
@@ -105,20 +104,9 @@ public function lastExecSuccess(): bool
     /**
      * Prevents unwanted database modifications by enabling creating and using a readonly connection.
      */
-    public function readonly(): static
+    public function setConnection(): static
     {
-        $defaultConnection = config('database.default');
-        $databaseConnection = Config::get('database.connections.'.$defaultConnection);
-        $host = $databaseConnection['host'];
-        unset($databaseConnection['host']);
-        $databaseConnection['read'] = [
-            'host' => $host,
-        ];
-        $databaseConnection['write'] = [
-            'host' => self::FAKE_WRITE_HOST,
-        ];
-        Config::set('database.connections.readonly', $databaseConnection);
-        DB::setDefaultConnection('readonly');
+        DB::setDefaultConnection(config('model-stats.query_database_connection'));
 
         return $this;
     }
@@ -140,7 +128,6 @@ protected function createShell(BufferedOutput $output): Shell
     {
         $config = new Configuration([
             'updateCheck' => 'never',
-            'configFile' => config('web-tinker.config_file') !== null ? base_path().'/'.config('web-tinker.config_file') : null,
         ]);
 
         $config->setHistoryFile(defined('PHP_WINDOWS_VERSION_BUILD') ? 'null' : '/dev/null');