Commit bfc77147 authored by Marius Cramer

Fixes: FS#3364 - client_add does not check that reseller is actually reseller

Additionally fixes this for client_update.
parent a5e225d6
......@@ -1415,13 +1415,30 @@ class remoting {
public function client_add($session_id, $reseller_id, $params)
{
global $app;
if (!$this->checkPerm($session_id, 'client_add'))
{
$this->server->fault('permission_denied', 'You do not have the permissions to access this function.');
return false;
}
if(!isset($params['parent_client_id']) || $params['parent_client_id'] == 0) $params['parent_client_id'] = $reseller_id;
$affected_rows = $this->klientadd('../client/form/' . (isset($params['limit_client']) && $params['limit_client'] > 0 ? 'reseller' : 'client') . '.tform.php', $reseller_id, $params);
if($params['parent_client_id']) {
// check if this one is reseller
$check = $app->db->queryOneRecord('SELECT `limit_client` FROM `client` WHERE `client_id` = ' . intval($client_id));
if($check['limit_client'] == 0) {
$this->server->fault('Invalid reseller', 'Selected client is not a reseller.');
return false;
}
if(isset($params['limit_client']) && $params['limit_client'] != 0) {
$this->server->fault('Invalid reseller', 'Reseller cannot be client of another reseller.');
return false;
}
}
$affected_rows = $this->klientadd('../client/form/' . (isset($params['limit_client']) && $params['limit_client'] != 0 ? 'reseller' : 'client') . '.tform.php', $reseller_id, $params);
return $affected_rows;
}
......@@ -1437,9 +1454,25 @@ class remoting {
}
$app->uses('remoting_lib');
$app->remoting_lib->loadFormDef('../client/form/' . (isset($params['limit_client']) && $params['limit_client'] > 0 ? 'reseller' : 'client') . '.tform.php');
$app->remoting_lib->loadFormDef('../client/form/' . (isset($params['limit_client']) && $params['limit_client'] != 0 ? 'reseller' : 'client') . '.tform.php');
$old_rec = $app->remoting_lib->getDataRecord($client_id);
if(!isset($params['parent_client_id']) || $params['parent_client_id'] == 0) $params['parent_client_id'] = $reseller_id;
if($params['parent_client_id']) {
// check if this one is reseller
$check = $app->db->queryOneRecord('SELECT `limit_client` FROM `client` WHERE `client_id` = ' . intval($client_id));
if($check['limit_client'] == 0) {
$this->server->fault('Invalid reseller', 'Selected client is not a reseller.');
return false;
}
if(isset($params['limit_client']) && $params['limit_client'] != 0) {
$this->server->fault('Invalid reseller', 'Reseller cannot be client of another reseller.');
return false;
}
}
// we need the previuos templates assigned here
$this->oldTemplatesAssigned = $app->db->queryAllRecords('SELECT * FROM `client_template_assigned` WHERE `client_id` = ' . $client_id);
if(!is_array($this->oldTemplatesAssigned) || count($this->oldTemplatesAssigned) < 1) {
......@@ -1462,8 +1495,7 @@ class remoting {
}
if(!isset($params['parent_client_id']) || $params['parent_client_id'] == 0) $params['parent_client_id'] = $reseller_id;
$affected_rows = $this->updateQuery('../client/form/' . (isset($params['limit_client']) && $params['limit_client'] > 0 ? 'reseller' : 'client') . '.tform.php', $reseller_id, $client_id, $params, 'client:' . ($reseller_id ? 'reseller' : 'client') . ':on_after_update');
$affected_rows = $this->updateQuery('../client/form/' . (isset($params['limit_client']) && $params['limit_client'] != 0 ? 'reseller' : 'client') . '.tform.php', $reseller_id, $client_id, $params, 'client:' . ($params['parent_client_id'] ? 'reseller' : 'client') . ':on_after_update');
$app->remoting_lib->ispconfig_sysuser_update($params, $client_id);
......@@ -3195,7 +3227,7 @@ class remoting {
$this->id = $insert_id;
$this->dataRecord = $params;
$app->plugin->raiseEvent('client:' . (isset($params['limit_client']) && $params['limit_client'] > 0 ? 'reseller' : 'client') . ':on_after_insert', $this);
$app->plugin->raiseEvent('client:' . (isset($params['limit_client']) && $params['limit_client'] != 0 ? 'reseller' : 'client') . ':on_after_insert', $this);
/*
if($app->db->errorMessage != '') {
......
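Review bot: The new reseller check in client_add queries `WHERE client_id = intval($client_id)`, but `$client_id` is not a parameter of client_add (it takes `$session_id, $reseller_id, $params`), so the lookup presumably runs with id 0, `$check['limit_client']` is empty, and any add with a non-zero parent_client_id is rejected with 'Selected client is not a reseller.'; the copy of the check in the client_update hunk uses `$client_id` too, which there is the client being updated rather than its parent, so it tests the wrong record. In both places the lookup should target the parent, i.e. replace `intval($client_id)` with `intval($params['parent_client_id'])`, and a missing row should be an explicit failure rather than relying on `$check['limit_client'] == 0` being true for a false/null result: `if(!$check || (int)$check['limit_client'] === 0)`. Note also that parent_client_id comes from the caller-supplied $params, so this verifies that the chosen parent is a reseller but not that the calling reseller ($reseller_id) is entitled to place clients under that parent — worth a check, or at least a comment stating that this is deliberately left to checkPerm. client_update's body starts and ends outside the hunk.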