Implemented FS#2531 - switch from a reseller to a client

interface/web/admin/login_as.php → interface/web/login/login_as.php

@@ -31,11 +31,13 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 require_once '../../lib/config.inc.php';
 require_once '../../lib/app.inc.php';
 
-/* Check permissions for module */
-$app->auth->check_module_permissions('admin');
+/* check if the user is logged in */
+if(!isset($_SESSION['s']['user'])) {
+	die ("You have to be logged in to login as other user!");
+}
 
-/* for security reasons ONLY the admin can login as other user */
-if ($_SESSION["s"]["user"]["typ"] != 'admin') {
+/* for security reasons ONLY the admin or a reseller can login as other user */
+if ($_SESSION["s"]["user"]["typ"] != 'admin' && !$app->auth->has_clients($_SESSION['s']['user']['userid'])) {
 	die ("You don't have the right to login as other user!");
 }
 
@@ -45,13 +47,26 @@ if (!isset($_GET['id']) && !isset($_GET['cid'])){
 }
 
 if(isset($_GET['id'])) {
+	if($_SESSION["s"]["user"]["typ"] != 'admin') {
+		die ("You don't have the right to login as system user!");
+	}
 	$userId = $app->functions->intval($_GET['id']);
 	$backlink = 'admin/users_list.php';
 } else {
 	$client_id = $app->functions->intval($_GET['cid']);
-	$tmp_client = $app->db->queryOneRecord("SELECT username FROM client WHERE client_id = $client_id");
+	$tmp_client = $app->db->queryOneRecord("SELECT username, parent_client_id FROM client WHERE client_id = $client_id");
 	$tmp_sys_user = $app->db->queryOneRecord("SELECT userid FROM sys_user WHERE username = '".$app->db->quote($tmp_client['username'])."'");
 	$userId = $app->functions->intval($tmp_sys_user['userid']);
+	/* check if this client belongs to reseller that tries to log in, if we are not admin */
+	if($_SESSION["s"]["user"]["typ"] != 'admin') {
+		$client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
+		$client = $app->db->queryOneRecord("SELECT client.client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
+		if(!$client || $tmp_client["parent_client_id"] != $client["client_id"]) {
+			die("You don't have the right to login as this user!");
+		}
+		unset($client);
+	}
+	
 	unset($tmp_client);
 	unset($tmp_sys_user);
 	$backlink = 'client/client_list.php';

interface/web/login/logout.php

@@ -40,11 +40,12 @@ if (isset($_GET['l']) && ($_GET['l']== 1)) $forceLogout = true;
  * if the admin is logged in as client, then ask, if the admin want't to
  * "re-login" as admin again
  */
-if ((isset($_SESSION['s_old']) && ($_SESSION['s_old']['user']['typ'] == 'admin')) &&
+if ((isset($_SESSION['s_old']) && ($_SESSION['s_old']['user']['typ'] == 'admin' || $app->auth->has_clients($_SESSION['s_old']['user']['userid']))) &&
 	(!$forceLogout)){
+	$utype = ($_SESSION['s_old']['user']['typ'] == 'admin' ? 'admin' : 'reseller');
 	echo '
 		<br /> <br />	<br /> <br />
-		Do you want to re-login as admin or log out?<br />
+		Do you want to re-login as ' . $utype . ' or log out?<br />
 		<div style="visibility:hidden">
 			<input type="text" name="username" value="' . $_SESSION['s_old']['user']['username'] . '" />
 			<input type="password" name="passwort" value="' . $_SESSION['s_old']['user']['passwort'] .'" />
@@ -52,7 +53,7 @@ if ((isset($_SESSION['s_old']) && ($_SESSION['s_old']['user']['typ'] == 'admin')
 		<input type="hidden" name="s_mod" value="login" />
 		<input type="hidden" name="s_pg" value="index" />
 	    <div class="wf_actions buttons">
-	      <button class="positive iconstxt icoPositive" type="button" value="Yes, re-login as Admin" onclick="submitLoginForm(' . "'pageForm'" . ');"><span>Yes, re-login as Admin</span></button>
+	      <button class="positive iconstxt icoPositive" type="button" value="Yes, re-login as ' . $utype . '" onclick="submitLoginForm(' . "'pageForm'" . ');"><span>Yes, re-login as ' . $utype . '</span></button>
 	      <button class="negative iconstxt icoNegative" type="button" value="No, logout" onclick="loadContent('. "'login/logout.php?l=1'" . ');"><span>No, logout</span></button>
 	    </div>
 	';