From bfc771477f5a60509bf6318d6ee2a30e14412906 Mon Sep 17 00:00:00 2001
From: Marius Cramer <m.cramer@pixcept.de>
Date: Thu, 14 Aug 2014 03:44:12 -0400
Subject: [PATCH] Fixes: FS#3364 - client_add does not check that reseller is actually reseller additionally fixes this for client_update

---
 interface/lib/classes/remoting.inc.php |   42 +++++++++++++++++++++++++++++++++++++-----
 1 files changed, 37 insertions(+), 5 deletions(-)

diff --git a/interface/lib/classes/remoting.inc.php b/interface/lib/classes/remoting.inc.php
index 3fe307d..0ccfd65 100644
--- a/interface/lib/classes/remoting.inc.php
+++ b/interface/lib/classes/remoting.inc.php
@@ -1415,13 +1415,30 @@
 
 	public function client_add($session_id, $reseller_id, $params)
 	{
+		global $app;
+		
 		if (!$this->checkPerm($session_id, 'client_add'))
 		{
 			$this->server->fault('permission_denied', 'You do not have the permissions to access this function.');
 			return false;
 		}
 		if(!isset($params['parent_client_id']) || $params['parent_client_id'] == 0) $params['parent_client_id'] = $reseller_id;
-		$affected_rows = $this->klientadd('../client/form/' . (isset($params['limit_client']) && $params['limit_client'] > 0 ? 'reseller' : 'client') . '.tform.php', $reseller_id, $params);
+		
+		if($params['parent_client_id']) {
+			// check if this one is reseller
+			$check = $app->db->queryOneRecord('SELECT `limit_client` FROM `client` WHERE `client_id` = ' . intval($client_id));
+			if($check['limit_client'] == 0) {
+				$this->server->fault('Invalid reseller', 'Selected client is not a reseller.');
+				return false;
+			}
+			
+			if(isset($params['limit_client']) && $params['limit_client'] != 0) {
+				$this->server->fault('Invalid reseller', 'Reseller cannot be client of another reseller.');
+				return false;
+			}
+		}
+		
+		$affected_rows = $this->klientadd('../client/form/' . (isset($params['limit_client']) && $params['limit_client'] != 0 ? 'reseller' : 'client') . '.tform.php', $reseller_id, $params);
 		return $affected_rows;
 
 	}
@@ -1437,8 +1454,24 @@
 		}
 
 		$app->uses('remoting_lib');
-		$app->remoting_lib->loadFormDef('../client/form/' . (isset($params['limit_client']) && $params['limit_client'] > 0 ? 'reseller' : 'client') . '.tform.php');
+		$app->remoting_lib->loadFormDef('../client/form/' . (isset($params['limit_client']) && $params['limit_client'] != 0 ? 'reseller' : 'client') . '.tform.php');
 		$old_rec = $app->remoting_lib->getDataRecord($client_id);
+
+		if(!isset($params['parent_client_id']) || $params['parent_client_id'] == 0) $params['parent_client_id'] = $reseller_id;
+
+		if($params['parent_client_id']) {
+			// check if this one is reseller
+			$check = $app->db->queryOneRecord('SELECT `limit_client` FROM `client` WHERE `client_id` = ' . intval($client_id));
+			if($check['limit_client'] == 0) {
+				$this->server->fault('Invalid reseller', 'Selected client is not a reseller.');
+				return false;
+			}
+			
+			if(isset($params['limit_client']) && $params['limit_client'] != 0) {
+				$this->server->fault('Invalid reseller', 'Reseller cannot be client of another reseller.');
+				return false;
+			}
+		}
 
 		// we need the previuos templates assigned here
 		$this->oldTemplatesAssigned = $app->db->queryAllRecords('SELECT * FROM `client_template_assigned` WHERE `client_id` = ' . $client_id);
@@ -1462,8 +1495,7 @@
 		}
 
 
-		if(!isset($params['parent_client_id']) || $params['parent_client_id'] == 0) $params['parent_client_id'] = $reseller_id;
-		$affected_rows = $this->updateQuery('../client/form/' . (isset($params['limit_client']) && $params['limit_client'] > 0 ? 'reseller' : 'client') . '.tform.php', $reseller_id, $client_id, $params, 'client:' . ($reseller_id ? 'reseller' : 'client') . ':on_after_update');
+		$affected_rows = $this->updateQuery('../client/form/' . (isset($params['limit_client']) && $params['limit_client'] != 0 ? 'reseller' : 'client') . '.tform.php', $reseller_id, $client_id, $params, 'client:' . ($params['parent_client_id'] ? 'reseller' : 'client') . ':on_after_update');
 
 		$app->remoting_lib->ispconfig_sysuser_update($params, $client_id);
 
@@ -3195,7 +3227,7 @@
 		$this->id = $insert_id;
 		$this->dataRecord = $params;
 
-		$app->plugin->raiseEvent('client:' . (isset($params['limit_client']) && $params['limit_client'] > 0 ? 'reseller' : 'client') . ':on_after_insert', $this);
+		$app->plugin->raiseEvent('client:' . (isset($params['limit_client']) && $params['limit_client'] != 0 ? 'reseller' : 'client') . ':on_after_insert', $this);
 
 		/*
 		if($app->db->errorMessage != '') {

--
Gitblit v1.9.1