API: sites_web_domain_add allows adding nonexisting domains to clients, and allows exceeding client limits
Summary
See $SUBJECT.
Steps to reproduce
- Configure ISPconfig so that only admins can add domains, and clients can only use the domains which the admin has assigned to them.
- Use the SOAP API to add a website domain to a customer which (1) has no free domains left, and (2) has this domain not assigned.
- The call is successful and the domain is entered. But when viewing this site configuration in the web UI, the "domain" field is empty and the form is invalid.
Correct behaviour
- If no 'vhost' type is specified using the API, the domain is added but is completely invisible in the UI, so the entry is useless. Either the 'vhost' should be mandatory via API or have a sensible default (e.g. 'name').
- If the client_id has no web site quota left, the API call should not be accepted. Even the admin should not be able to exceed their own customers' quota.
- If only admins can add domains via ISPconfig, the website domain should be checked against this list and the client_id and the API call should be refused if the domain has not been configured in ISPconfig.
Environment
Ubuntu 22.04, ISPconfig 3.2.9p1 installed by autoinstaller script
Proposed fix
This (and probably other) checks should be done on the server side so using the API cannot create inconsistent database entries.
Edited by Jens