From 80bee61fcda7e0f8e09e2f286514537c8555beef Mon Sep 17 00:00:00 2001
From: ftimme
Date: Thu, 24 May 2012 10:26:55 +0000
Subject: [PATCH] - Added circle access control so that 1) a reseller can create circles that contain only his clients, not all clients, and 2) a reseller can send messages only to his own circles instead of all circles.

---
 interface/web/client/client_message.php | 20 ++++++++++++++-----
 .../web/client/form/client_circle.tform.php | 2 +-
 .../web/client/lib/lang/de_client_message.lng | 1 +
 .../web/client/lib/lang/en_client_message.lng | 1 +
 .../web/client/templates/client_message.htm | 2 +-
 5 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/interface/web/client/client_message.php b/interface/web/client/client_message.php
index f9dd60e04..f64814ec1 100644
--- a/interface/web/client/client_message.php
+++ b/interface/web/client/client_message.php
@@ -36,7 +36,7 @@ $app->auth->check_module_permissions('client');
 //* This function is not available in demo mode
 if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
-$app->uses('tpl');
+$app->uses('tpl,tform');
 $app->tpl->newTemplate('form.tpl.htm');
 $app->tpl->setInclude('content_tpl', 'templates/client_message.htm');
@@ -60,7 +60,7 @@ if(isset($_POST) && count($_POST) > 1) {
 //* Send message
 if($error == '') {
 if(intval($_POST['recipient']) > 0){
- $circle = $app->db->queryOneRecord("SELECT client_ids FROM client_circle WHERE active = 'y' AND circle_id = ".intval($_POST['recipient']));
+ $circle = $app->db->queryOneRecord("SELECT client_ids FROM client_circle WHERE active = 'y' AND circle_id = ".intval($_POST['recipient'])." AND ".$app->tform->getAuthSQL('r'));
 if(isset($circle['client_ids']) && $circle['client_ids'] != ''){
 $tmp_client_ids = explode(',',$circle['client_ids']);
 $where = array();
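Review bot: With the added `getAuthSQL('r')` clause, a circle_id the current user is not allowed to read now yields no row, and the hunk then simply fails the `isset($circle['client_ids'])` test; whether that ends in a visible error or in a send with an empty recipient list is decided by code after the hunk, which is outside this view. I would make the denied case explicit rather than indistinguishable from "circle has no members", e.g. append to `$error` when `$circle` is not an array and skip the send, so a tampered or stale recipient id is reported instead of silently ignored. This guard covers only the `intval($_POST['recipient']) > 0` branch; the sibling branch for recipient 0 (the new "All clients" option, judging by the added language strings) is not in the hunk and, if it exists, needs the same ownership restriction for resellers. The enclosing `if(isset($_POST) ...)` block starts before and ends after this hunk.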
@@ -106,15 +106,25 @@ if(isset($_POST) && count($_POST) > 1) {
 $app->tpl->setVar('subject',$_POST['subject']);
 $app->tpl->setVar('message',$_POST['message']);
 }
+} else {
+ // pre-fill Sender field with reseller's email address
+ if($_SESSION["s"]["user"]["typ"] != 'admin'){
+ $client_id = intval($_SESSION['s']['user']['client_id']);
+ if($client_id > 0){
+ $sql = "SELECT email FROM client WHERE client_id = ".$client_id;
+ $client = $app->db->queryOneRecord($sql);
+ if($client['email'] != '') $app->tpl->setVar('sender',$client['email']);
+ }
+ }
 }
 // Recipient Drop-Down
-$recipient = '';
-$sql = "SELECT * FROM client_circle WHERE active = 'y'";
+$recipient = '';
+$sql = "SELECT * FROM client_circle WHERE active = 'y' AND ".$app->tform->getAuthSQL('r');
 $circles = $app->db->queryAllRecords($sql);
 if(is_array($circles) && !empty($circles)){
 foreach($circles as $circle){
- $recipient .= '';
+ $recipient .= '';
 }
 }
 $app->tpl->setVar('recipient',$recipient);
diff --git a/interface/web/client/form/client_circle.tform.php b/interface/web/client/form/client_circle.tform.php
index c2f323286..96cb0da5a 100644
--- a/interface/web/client/form/client_circle.tform.php
+++ b/interface/web/client/form/client_circle.tform.php
@@ -104,7 +104,7 @@ $form["tabs"]['circle'] = array (
 'default' => '',
 'separator' => ',',
 'datasource' => array (
 'type' => 'SQL',
-'querystring' => 'SELECT client_id,contact_name FROM client WHERE 1 ORDER BY contact_name',
+'querystring' => 'SELECT client_id,contact_name FROM client WHERE {AUTHSQL} ORDER BY contact_name',
 'keyfield'=> 'client_id',
 'valuefield'=> 'contact_name' ),
diff --git a/interface/web/client/lib/lang/de_client_message.lng b/interface/web/client/lib/lang/de_client_message.lng
index 79de5b900..ffc297525 100644
--- a/interface/web/client/lib/lang/de_client_message.lng
+++ b/interface/web/client/lib/lang/de_client_message.lng
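Review bot: In the new sender pre-fill, `$client['email']` is read without the `isset` guard that the circle lookup earlier in this file uses (`isset($circle['client_ids']) && ...`); when `queryOneRecord` finds no row for the session's client_id, the read emits a notice before the comparison. Change the line to `if(isset($client['email']) && $client['email'] != '') $app->tpl->setVar('sender',$client['email']);`. The same block mixes `$_SESSION["s"]["user"]["typ"]` with `$_SESSION['s']['user']['client_id']` on the next line; one quoting style would read better. The `$recipient .=` lines of the drop-down loop arrive here as empty strings (the option markup was lost in rendering), so the new per-circle option text and its escaping could not be reviewed from this hunk.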
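Review bot: Replacing `WHERE 1` with `WHERE {AUTHSQL}` limits which clients the circle form offers, but nothing in this hunk validates the submitted client_ids list against that same filter; unless tform rejects posted values that are absent from the datasource, a reseller could still store ids of clients outside their read scope by editing the request. I would confirm that behaviour, or validate the posted list server-side against the same {AUTHSQL}-filtered query before the record is written. Separately, circles saved before this change may already contain ids that are no longer in the reseller's scope; the narrowed datasource will not show them, and re-saving the form presumably drops them, which is worth a note in the commit message. The surrounding `$form["tabs"]['circle']` array starts before and ends after this hunk.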
@@ -12,4 +12,5 @@ $wb["message_invalid_error"] = 'Nachricht ist leer.';
 $wb["email_sent_to_txt"] = 'E-Mail verschickt an:';
 $wb["recipient_txt"] = 'Empfänger';
 $wb["all_clients_resellers_txt"] = 'Alle Kunden und Reseller';
+$wb["all_clients_txt"] = 'Alle Kunden';
 ?>
diff --git a/interface/web/client/lib/lang/en_client_message.lng b/interface/web/client/lib/lang/en_client_message.lng
index e9c916932..e3f603e4c 100644
--- a/interface/web/client/lib/lang/en_client_message.lng
+++ b/interface/web/client/lib/lang/en_client_message.lng
@@ -12,4 +12,5 @@ $wb["message_invalid_error"] = 'Message is empty.';
 $wb["email_sent_to_txt"] = 'Email sent to:';
 $wb["recipient_txt"] = 'Recipient';
 $wb["all_clients_resellers_txt"] = 'All clients and resellers';
+$wb["all_clients_txt"] = 'All clients';
 ?>
diff --git a/interface/web/client/templates/client_message.htm b/interface/web/client/templates/client_message.htm
index 64201f229..d8fdb1c03 100644
--- a/interface/web/client/templates/client_message.htm
+++ b/interface/web/client/templates/client_message.htm
@@ -12,7 +12,7 @@
- +
-- GitLab