From bfc771477f5a60509bf6318d6ee2a30e14412906 Mon Sep 17 00:00:00 2001 From: Marius Cramer <m.cramer@pixcept.de> Date: Thu, 14 Aug 2014 03:44:12 -0400 Subject: [PATCH] Fixes: FS#3364 - client_add does not check that reseller is actually reseller additionally fixes this for client_update --- interface/lib/classes/remoting.inc.php | 42 +++++++++++++++++++++++++++++++++++++----- 1 files changed, 37 insertions(+), 5 deletions(-) diff --git a/interface/lib/classes/remoting.inc.php b/interface/lib/classes/remoting.inc.php index 3fe307d..0ccfd65 100644 --- a/interface/lib/classes/remoting.inc.php +++ b/interface/lib/classes/remoting.inc.php @@ -1415,13 +1415,30 @@ public function client_add($session_id, $reseller_id, $params) { + global $app; + if (!$this->checkPerm($session_id, 'client_add')) { $this->server->fault('permission_denied', 'You do not have the permissions to access this function.'); return false; } if(!isset($params['parent_client_id']) || $params['parent_client_id'] == 0) $params['parent_client_id'] = $reseller_id; - $affected_rows = $this->klientadd('../client/form/' . (isset($params['limit_client']) && $params['limit_client'] > 0 ? 'reseller' : 'client') . '.tform.php', $reseller_id, $params); + + if($params['parent_client_id']) { + // check if this one is reseller + $check = $app->db->queryOneRecord('SELECT `limit_client` FROM `client` WHERE `client_id` = ' . intval($client_id)); + if($check['limit_client'] == 0) { + $this->server->fault('Invalid reseller', 'Selected client is not a reseller.'); + return false; + } + + if(isset($params['limit_client']) && $params['limit_client'] != 0) { + $this->server->fault('Invalid reseller', 'Reseller cannot be client of another reseller.'); + return false; + } + } + + $affected_rows = $this->klientadd('../client/form/' . (isset($params['limit_client']) && $params['limit_client'] != 0 ? 'reseller' : 'client') . '.tform.php', $reseller_id, $params); return $affected_rows; } @@ -1437,8 +1454,24 @@ } $app->uses('remoting_lib'); - $app->remoting_lib->loadFormDef('../client/form/' . (isset($params['limit_client']) && $params['limit_client'] > 0 ? 'reseller' : 'client') . '.tform.php'); + $app->remoting_lib->loadFormDef('../client/form/' . (isset($params['limit_client']) && $params['limit_client'] != 0 ? 'reseller' : 'client') . '.tform.php'); $old_rec = $app->remoting_lib->getDataRecord($client_id); + + if(!isset($params['parent_client_id']) || $params['parent_client_id'] == 0) $params['parent_client_id'] = $reseller_id; + + if($params['parent_client_id']) { + // check if this one is reseller + $check = $app->db->queryOneRecord('SELECT `limit_client` FROM `client` WHERE `client_id` = ' . intval($client_id)); + if($check['limit_client'] == 0) { + $this->server->fault('Invalid reseller', 'Selected client is not a reseller.'); + return false; + } + + if(isset($params['limit_client']) && $params['limit_client'] != 0) { + $this->server->fault('Invalid reseller', 'Reseller cannot be client of another reseller.'); + return false; + } + } // we need the previuos templates assigned here $this->oldTemplatesAssigned = $app->db->queryAllRecords('SELECT * FROM `client_template_assigned` WHERE `client_id` = ' . $client_id); @@ -1462,8 +1495,7 @@ } - if(!isset($params['parent_client_id']) || $params['parent_client_id'] == 0) $params['parent_client_id'] = $reseller_id; - $affected_rows = $this->updateQuery('../client/form/' . (isset($params['limit_client']) && $params['limit_client'] > 0 ? 'reseller' : 'client') . '.tform.php', $reseller_id, $client_id, $params, 'client:' . ($reseller_id ? 'reseller' : 'client') . ':on_after_update'); + $affected_rows = $this->updateQuery('../client/form/' . (isset($params['limit_client']) && $params['limit_client'] != 0 ? 'reseller' : 'client') . '.tform.php', $reseller_id, $client_id, $params, 'client:' . ($params['parent_client_id'] ? 'reseller' : 'client') . ':on_after_update'); $app->remoting_lib->ispconfig_sysuser_update($params, $client_id); @@ -3195,7 +3227,7 @@ $this->id = $insert_id; $this->dataRecord = $params; - $app->plugin->raiseEvent('client:' . (isset($params['limit_client']) && $params['limit_client'] > 0 ? 'reseller' : 'client') . ':on_after_insert', $this); + $app->plugin->raiseEvent('client:' . (isset($params['limit_client']) && $params['limit_client'] != 0 ? 'reseller' : 'client') . ':on_after_insert', $this); /* if($app->db->errorMessage != '') { -- Gitblit v1.9.1