
Commit 08a1fd9

committed
Implements #6869 Restrict client_add function of the remote API to interface_modules_enabled
1 parent e414a41 commit 08a1fd9


1 file changed

+22
-2
lines changed

1 file changed

+22
-2
lines changed

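--- a/interface/lib/classes/remoting_lib.inc.php
+++ b/interface/lib/classes/remoting_lib.inc.php
@@ -297,6 +297,16 @@ function ispconfig_sysuser_add($params, $insert_id){
 $modules = $conf['interface_modules_enabled'];
 } else {
 $modules = $params['modules'];
+
+// Check if modules are allowed and remove unknown modules
+$allowed_modules = explode(',', $conf['interface_modules_enabled']);
+$modules_array = explode(',', $modules);
+foreach($modules_array as $key => $module) {
+if(!in_array($module, $allowed_modules)) {
+unset($modules_array[$key]);
+}
+}
+$modules = implode(',', $modules_array);
 }
 if(isset($params['limit_client']) && $params['limit_client'] > 0) {
 $modules .= ',client';
@@ -306,7 +316,7 @@ function ispconfig_sysuser_add($params, $insert_id){
 $startmodule = 'dashboard';
 } else {
 $startmodule = $params["startmodule"];
-if(!preg_match('/'.$startmodule.'/', $modules)) {
+if(!in_array($startmodule, explode(',', $modules))) {
 $_modules = explode(',', $modules);
 $startmodule=$_modules[0];
 }
@@ -325,13 +335,23 @@ function ispconfig_sysuser_add($params, $insert_id){
 }
 
 function ispconfig_sysuser_update($params, $client_id){
-global $app;
+global $app, $conf;
 $username = $params["username"];
 $clear_password = $params["password"];
 $language = $params['language'];
 $modules = $params['modules'];
 $client_id = $app->functions->intval($client_id);
 
+// Check if modules are allowed and remove unknown modules
+$allowed_modules = explode(',', $conf['interface_modules_enabled']);
+$modules_array = explode(',', $modules);
+foreach($modules_array as $key => $module) {
+if(!in_array($module, $allowed_modules)) {
+unset($modules_array[$key]);
+}
+}
+$modules = implode(',', $modules_array);
+
 if(!isset($params['_ispconfig_pw_crypted']) || $params['_ispconfig_pw_crypted'] != 1) $password = $app->auth->crypt_password(stripslashes($clear_password));
 else $password = $clear_password;
 $params = array($username);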
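Review bot: The new allowlist filter in ispconfig_sysuser_add can leave `$modules` empty when every requested module is rejected, and the lines after it do not handle that case: with `limit_client` set the value becomes `,client`, and the start-module fallback `$_modules[0]` then resolves to an empty string. An explicit check after the `implode` (reject the call, or fall back to a defined default) would close this, and the same applies to the copy of the loop in ispconfig_sysuser_update, whose body continues outside the hunk. The membership test should also be strict, `if(!in_array($module, $allowed_modules, true)) {`, and because the loop is duplicated verbatim in both functions it would be easier to keep correct as one shared helper. Separately, `,client` is appended after the filter and so is never checked against `interface_modules_enabled`; if that is intentional, a comment such as `// 'client' is granted via limit_client and deliberately bypasses the allowlist` would make it clear.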
