Commit c6f36f01 authored by Marius Cramer's avatar Marius Cramer
Browse files

Implemented FS#2531 - switch from a reseller to a client

parent e6e9e775
......@@ -52,7 +52,9 @@
<td class="tbl_col_country"><a href="#" onclick="loadContent('client/client_edit.php?id={tmpl_var name='id'}');"><div class="country-{tmpl_var name="countryiso"}" style="float:left"></div>{tmpl_var name="country"}</a></td>
<td class="tbl_col_buttons">
<tmpl_if name="is_admin">
<a class="button icons16 icoLoginAs" href="javascript: loadContent('admin/login_as.php?cid={tmpl_var name='id'}');"><span>{tmpl_var name='login_as_txt'}</span></a>
<a class="button icons16 icoLoginAs" href="javascript: loadContent('login/login_as.php?cid={tmpl_var name='id'}');"><span>{tmpl_var name='login_as_txt'}</span></a>
<tmpl_elseif name="is_reseller">
<a class="button icons16 icoLoginAs" href="javascript: loadContent('login/login_as.php?cid={tmpl_var name='id'}');"><span>{tmpl_var name='login_as_txt'}</span></a>
</tmpl_if>
<a class="button icons16 icoDelete" href="javascript: del_record('client/client_del.php?id={tmpl_var name='id'}&phpsessid={tmpl_var name='phpsessid'}','{tmpl_var name='delete_confirmation'}');"><span>{tmpl_var name='delete_txt'}</span></a>
</td>
......
......@@ -51,7 +51,7 @@
<td class="tbl_col_city"><a href="#" onclick="loadContent('client/reseller_edit.php?id={tmpl_var name='id'}');">{tmpl_var name="city"}</a></td>
<td class="tbl_col_country"><a href="#" onclick="loadContent('client/reseller_edit.php?id={tmpl_var name='id'}');"><div class="country-{tmpl_var name="countryiso"}" style="float:left"></div>{tmpl_var name="country"}</a></td>
<td class="tbl_col_buttons">
<a class="button icons16 icoLoginAs" href="javascript: loadContent('admin/login_as.php?cid={tmpl_var name='id'}');"><span>{tmpl_var name='login_as_txt'}</span></a>
<a class="button icons16 icoLoginAs" href="javascript: loadContent('login/login_as.php?cid={tmpl_var name='id'}');"><span>{tmpl_var name='login_as_txt'}</span></a>
<a class="button icons16 icoDelete" href="javascript: del_record('client/reseller_del.php?id={tmpl_var name='id'}&phpsessid={tmpl_var name='phpsessid'}','{tmpl_var name='delete_confirmation'}');"><span>{tmpl_var name='delete_txt'}</span></a>
</td>
</tr>
......
......@@ -85,21 +85,59 @@ class login_index {
*/
if (isset($_SESSION['s']['user']) && $_SESSION['s']['user']['active'] == 1){
/*
* only the admin can "login as" so if the user is NOT a admin, we
* only the admin or reseller can "login as" so if the user is NOT an admin or reseller, we
* open the startpage (after killing the old session), so the user
* is logout and has to start again!
*/
if ($_SESSION['s']['user']['typ'] != 'admin') {
if ($_SESSION['s']['user']['typ'] != 'admin' && !$app->auth->has_clients($_SESSION['s']['user']['userid'])) {
/*
* The actual user is NOT a admin, but maybe the admin
* has logged in as "normal" user bevore...
* The actual user is NOT a admin or reseller, but maybe he
* has logged in as "normal" user before...
*/
if (isset($_SESSION['s_old'])&& ($_SESSION['s_old']['user']['typ'] == 'admin')){
/* The "old" user is admin, so everything is ok */
if (isset($_SESSION['s_old'])&& ($_SESSION['s_old']['user']['typ'] == 'admin' || $app->auth->has_clients($_SESSION['s_old']['user']['userid']))){
/* The "old" user is admin or reseller, so everything is ok
* if he is reseller, we need to check if he logs in to one of his clients
*/
if($_SESSION['s_old']['user']['typ'] != 'admin') {
/* this is the one currently logged in (normal user) */
$old_client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$old_client = $app->db->queryOneRecord("SELECT client.client_id, client.parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $old_client_group_id");
/* this is the reseller, that shall be re-logged in */
$sql = "SELECT * FROM sys_user WHERE USERNAME = '$username' and PASSWORT = '". $passwort. "'";
$tmp = $app->db->queryOneRecord($sql);
$client_group_id = $app->functions->intval($tmp['default_group']);
$tmp_client = $app->db->queryOneRecord("SELECT client.client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
if(!$tmp_client || $old_client["parent_client_id"] != $tmp_client["client_id"] || $tmp["default_group"] != $_SESSION["s_old"]["user"]["default_group"] ) {
die("You don't have the right to 'login as' this user!");
}
unset($old_client);
unset($tmp_client);
unset($tmp);
}
}
else {
die("You don't have the right to 'login as'!");
}
} elseif($_SESSION['s']['user']['typ'] != 'admin') {
/* a reseller wants to 'login as', we need to check if he is allowed to */
$res_client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$res_client = $app->db->queryOneRecord("SELECT client.client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $res_client_group_id");
/* this is the user the reseller wants to 'login as' */
$sql = "SELECT * FROM sys_user WHERE USERNAME = '$username' and PASSWORT = '". $passwort. "'";
$tmp = $app->db->queryOneRecord($sql);
$tmp_client = $app->db->queryOneRecord("SELECT client.client_id, client.parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = " . $app->functions->intval($tmp["default_group"]));
if(!$tmp || $tmp_client["parent_client_id"] != $res_client["client_id"]) {
die("You don't have the right to login as this user!");
}
unset($res_client);
unset($tmp);
unset($tmp_client);
}
$loginAs = true;
}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment