Fixes: FS#3364 - client_add does not check that reseller is actually reseller

additionally fixes this for client_update

interface/lib/classes/remoting.inc.php

@@ -1415,13 +1415,30 @@ class remoting {
 
 	public function client_add($session_id, $reseller_id, $params)
 	{
+		global $app;
+		
 		if (!$this->checkPerm($session_id, 'client_add'))
 		{
 			$this->server->fault('permission_denied', 'You do not have the permissions to access this function.');
 			return false;
 		}
 		if(!isset($params['parent_client_id']) || $params['parent_client_id'] == 0) $params['parent_client_id'] = $reseller_id;
-		$affected_rows = $this->klientadd('../client/form/' . (isset($params['limit_client']) && $params['limit_client'] > 0 ? 'reseller' : 'client') . '.tform.php', $reseller_id, $params);
+		
+		if($params['parent_client_id']) {
+			// check if this one is reseller
+			$check = $app->db->queryOneRecord('SELECT `limit_client` FROM `client` WHERE `client_id` = ' . intval($client_id));
+			if($check['limit_client'] == 0) {
+				$this->server->fault('Invalid reseller', 'Selected client is not a reseller.');
+				return false;
+			}
+			
+			if(isset($params['limit_client']) && $params['limit_client'] != 0) {
+				$this->server->fault('Invalid reseller', 'Reseller cannot be client of another reseller.');
+				return false;
+			}
+		}
+		
+		$affected_rows = $this->klientadd('../client/form/' . (isset($params['limit_client']) && $params['limit_client'] != 0 ? 'reseller' : 'client') . '.tform.php', $reseller_id, $params);
 		return $affected_rows;
 
 	}
@@ -1437,9 +1454,25 @@ class remoting {
 		}
 
 		$app->uses('remoting_lib');
-		$app->remoting_lib->loadFormDef('../client/form/' . (isset($params['limit_client']) && $params['limit_client'] > 0 ? 'reseller' : 'client') . '.tform.php');
+		$app->remoting_lib->loadFormDef('../client/form/' . (isset($params['limit_client']) && $params['limit_client'] != 0 ? 'reseller' : 'client') . '.tform.php');
 		$old_rec = $app->remoting_lib->getDataRecord($client_id);
 
+		if(!isset($params['parent_client_id']) || $params['parent_client_id'] == 0) $params['parent_client_id'] = $reseller_id;
+
+		if($params['parent_client_id']) {
+			// check if this one is reseller
+			$check = $app->db->queryOneRecord('SELECT `limit_client` FROM `client` WHERE `client_id` = ' . intval($client_id));
+			if($check['limit_client'] == 0) {
+				$this->server->fault('Invalid reseller', 'Selected client is not a reseller.');
+				return false;
+			}
+			
+			if(isset($params['limit_client']) && $params['limit_client'] != 0) {
+				$this->server->fault('Invalid reseller', 'Reseller cannot be client of another reseller.');
+				return false;
+			}
+		}
+
 		// we need the previuos templates assigned here
 		$this->oldTemplatesAssigned = $app->db->queryAllRecords('SELECT * FROM `client_template_assigned` WHERE `client_id` = ' . $client_id);
 		if(!is_array($this->oldTemplatesAssigned) || count($this->oldTemplatesAssigned) < 1) {
@@ -1462,8 +1495,7 @@ class remoting {
 		}
 
 
-		if(!isset($params['parent_client_id']) || $params['parent_client_id'] == 0) $params['parent_client_id'] = $reseller_id;
-		$affected_rows = $this->updateQuery('../client/form/' . (isset($params['limit_client']) && $params['limit_client'] > 0 ? 'reseller' : 'client') . '.tform.php', $reseller_id, $client_id, $params, 'client:' . ($reseller_id ? 'reseller' : 'client') . ':on_after_update');
+		$affected_rows = $this->updateQuery('../client/form/' . (isset($params['limit_client']) && $params['limit_client'] != 0 ? 'reseller' : 'client') . '.tform.php', $reseller_id, $client_id, $params, 'client:' . ($params['parent_client_id'] ? 'reseller' : 'client') . ':on_after_update');
 
 		$app->remoting_lib->ispconfig_sysuser_update($params, $client_id);
 
@@ -3195,7 +3227,7 @@ class remoting {
 		$this->id = $insert_id;
 		$this->dataRecord = $params;
 
-		$app->plugin->raiseEvent('client:' . (isset($params['limit_client']) && $params['limit_client'] > 0 ? 'reseller' : 'client') . ':on_after_insert', $this);
+		$app->plugin->raiseEvent('client:' . (isset($params['limit_client']) && $params['limit_client'] != 0 ? 'reseller' : 'client') . ':on_after_insert', $this);
 
 		/*
 		if($app->db->errorMessage != '') {