Skip to content

Commit bfc7714

Browse files
author
Marius Cramer
committed
Fixes: FS#3364 - client_add does not check that reseller is actually reseller
additionally fixes this for client_update
1 parent a5e225d commit bfc7714

File tree

1 file changed

+37
-5
lines changed

1 file changed

+37
-5
lines changed

interface/lib/classes/remoting.inc.php

Lines changed: 37 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1415,13 +1415,30 @@ public function client_get_groupid($session_id, $client_id)
14151415

14161416
public function client_add($session_id, $reseller_id, $params)
14171417
{
1418+
global $app;
1419+
14181420
if (!$this->checkPerm($session_id, 'client_add'))
14191421
{
14201422
$this->server->fault('permission_denied', 'You do not have the permissions to access this function.');
14211423
return false;
14221424
}
14231425
if(!isset($params['parent_client_id']) || $params['parent_client_id'] == 0) $params['parent_client_id'] = $reseller_id;
1424-
$affected_rows = $this->klientadd('../client/form/' . (isset($params['limit_client']) && $params['limit_client'] > 0 ? 'reseller' : 'client') . '.tform.php', $reseller_id, $params);
1426+
1427+
if($params['parent_client_id']) {
1428+
// check if this one is reseller
1429+
$check = $app->db->queryOneRecord('SELECT `limit_client` FROM `client` WHERE `client_id` = ' . intval($client_id));
1430+
if($check['limit_client'] == 0) {
1431+
$this->server->fault('Invalid reseller', 'Selected client is not a reseller.');
1432+
return false;
1433+
}
1434+
1435+
if(isset($params['limit_client']) && $params['limit_client'] != 0) {
1436+
$this->server->fault('Invalid reseller', 'Reseller cannot be client of another reseller.');
1437+
return false;
1438+
}
1439+
}
1440+
1441+
$affected_rows = $this->klientadd('../client/form/' . (isset($params['limit_client']) && $params['limit_client'] != 0 ? 'reseller' : 'client') . '.tform.php', $reseller_id, $params);
14251442
return $affected_rows;
14261443

14271444
}
@@ -1437,9 +1454,25 @@ public function client_update($session_id, $client_id, $reseller_id, $params)
14371454
}
14381455

14391456
$app->uses('remoting_lib');
1440-
$app->remoting_lib->loadFormDef('../client/form/' . (isset($params['limit_client']) && $params['limit_client'] > 0 ? 'reseller' : 'client') . '.tform.php');
1457+
$app->remoting_lib->loadFormDef('../client/form/' . (isset($params['limit_client']) && $params['limit_client'] != 0 ? 'reseller' : 'client') . '.tform.php');
14411458
$old_rec = $app->remoting_lib->getDataRecord($client_id);
14421459

1460+
if(!isset($params['parent_client_id']) || $params['parent_client_id'] == 0) $params['parent_client_id'] = $reseller_id;
1461+
1462+
if($params['parent_client_id']) {
1463+
// check if this one is reseller
1464+
$check = $app->db->queryOneRecord('SELECT `limit_client` FROM `client` WHERE `client_id` = ' . intval($client_id));
1465+
if($check['limit_client'] == 0) {
1466+
$this->server->fault('Invalid reseller', 'Selected client is not a reseller.');
1467+
return false;
1468+
}
1469+
1470+
if(isset($params['limit_client']) && $params['limit_client'] != 0) {
1471+
$this->server->fault('Invalid reseller', 'Reseller cannot be client of another reseller.');
1472+
return false;
1473+
}
1474+
}
1475+
14431476
// we need the previuos templates assigned here
14441477
$this->oldTemplatesAssigned = $app->db->queryAllRecords('SELECT * FROM `client_template_assigned` WHERE `client_id` = ' . $client_id);
14451478
if(!is_array($this->oldTemplatesAssigned) || count($this->oldTemplatesAssigned) < 1) {
@@ -1462,8 +1495,7 @@ public function client_update($session_id, $client_id, $reseller_id, $params)
14621495
}
14631496

14641497

1465-
if(!isset($params['parent_client_id']) || $params['parent_client_id'] == 0) $params['parent_client_id'] = $reseller_id;
1466-
$affected_rows = $this->updateQuery('../client/form/' . (isset($params['limit_client']) && $params['limit_client'] > 0 ? 'reseller' : 'client') . '.tform.php', $reseller_id, $client_id, $params, 'client:' . ($reseller_id ? 'reseller' : 'client') . ':on_after_update');
1498+
$affected_rows = $this->updateQuery('../client/form/' . (isset($params['limit_client']) && $params['limit_client'] != 0 ? 'reseller' : 'client') . '.tform.php', $reseller_id, $client_id, $params, 'client:' . ($params['parent_client_id'] ? 'reseller' : 'client') . ':on_after_update');
14671499

14681500
$app->remoting_lib->ispconfig_sysuser_update($params, $client_id);
14691501

@@ -3195,7 +3227,7 @@ protected function klientadd($formdef_file, $reseller_id, $params)
31953227
$this->id = $insert_id;
31963228
$this->dataRecord = $params;
31973229

3198-
$app->plugin->raiseEvent('client:' . (isset($params['limit_client']) && $params['limit_client'] > 0 ? 'reseller' : 'client') . ':on_after_insert', $this);
3230+
$app->plugin->raiseEvent('client:' . (isset($params['limit_client']) && $params['limit_client'] != 0 ? 'reseller' : 'client') . ':on_after_insert', $this);
31993231

32003232
/*
32013233
if($app->db->errorMessage != '') {

0 commit comments

Comments
 (0)