Remote API: Check client modules against interface_modules_enabled setting in conf.

tbrehm · tbrehm · commit fdfa05a80637 · 2025-04-29T10:57:01.000+02:00
Add is_admin check beside the existing is admin module check in edit and delete functions of the admin module.
diff --git a/interface/lib/classes/remoting_lib.inc.php b/interface/lib/classes/remoting_lib.inc.php
@@ -296,7 +296,14 @@ function ispconfig_sysuser_add($params, $insert_id){
 		if(!isset($params['modules'])) {
 			$modules = $conf['interface_modules_enabled'];
 		} else {
+			// Check if modules are allowed
+			$allowed_modules = explode(',', $conf['interface_modules_enabled']);
 			$modules = $params['modules'];
+			foreach(explode(',', $modules) as $module) {
+				if(!in_array($module, $allowed_modules)) {
+					throw new SoapFault('Invalid modules', 'Module '.$module.' is not allowed.');
+				}
+			}
 		}
 		if(isset($params['limit_client']) && $params['limit_client'] > 0) {
 			$modules .= ',client';
@@ -306,7 +313,7 @@ function ispconfig_sysuser_add($params, $insert_id){
 			$startmodule = 'dashboard';
 		} else {
 			$startmodule = $params["startmodule"];
-			if(!preg_match('/'.$startmodule.'/', $modules)) {
+			if(!in_array($startmodule, explode(',', $modules))) {
 				$_modules = explode(',', $modules);
 				$startmodule=$_modules[0];
 			}
diff --git a/interface/web/admin/directive_snippets_del.php b/interface/web/admin/directive_snippets_del.php
@@ -44,6 +44,7 @@
 
 //* Check permissions for module
 $app->auth->check_module_permissions('admin');
+if(!$app->auth->is_admin()) $app->error('This function needs admin privileges');
 
 $app->load("tform_actions");
 
diff --git a/interface/web/admin/directive_snippets_edit.php b/interface/web/admin/directive_snippets_edit.php
@@ -43,6 +43,7 @@
 
 //* Check permissions for module
 $app->auth->check_module_permissions('admin');
+if(!$app->auth->is_admin()) $app->error('This function needs admin privileges');
 
 // Loading classes
 $app->uses('tpl,tform,tform_actions');
diff --git a/interface/web/admin/extension_edit.php b/interface/web/admin/extension_edit.php
@@ -33,6 +33,7 @@
 
 //* Check permissions for module
 $app->auth->check_module_permissions('admin');
+if(!$app->auth->is_admin()) $app->error('This function needs admin privileges');
 
 //* load language file
 $lng_file = 'lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'_extension_install_list.lng';
diff --git a/interface/web/admin/firewall_del.php b/interface/web/admin/firewall_del.php
@@ -45,6 +45,7 @@
 //* Check permissions for module
 $app->auth->check_module_permissions('admin');
 $app->auth->check_security_permissions('admin_allow_firewall_config');
+if(!$app->auth->is_admin()) $app->error('This function needs admin privileges');
 
 $app->uses("tform_actions");
 $app->tform_actions->onDelete();
diff --git a/interface/web/admin/firewall_edit.php b/interface/web/admin/firewall_edit.php
@@ -44,6 +44,7 @@
 //* Check permissions for module
 $app->auth->check_module_permissions('admin');
 $app->auth->check_security_permissions('admin_allow_firewall_config');
+if(!$app->auth->is_admin()) $app->error('This function needs admin privileges');
 
 // Loading classes
 $app->uses('tpl,tform,tform_actions');
diff --git a/interface/web/admin/groups_del.php b/interface/web/admin/groups_del.php
@@ -45,6 +45,7 @@
 //* Check permissions for module
 $app->auth->check_module_permissions('admin');
 $app->auth->check_security_permissions('admin_allow_cpuser_group');
+if(!$app->auth->is_admin()) $app->error('This function needs admin privileges');
 
 $app->uses("tform_actions");
 $app->tform_actions->onDelete();
diff --git a/interface/web/admin/groups_edit.php b/interface/web/admin/groups_edit.php
@@ -44,6 +44,7 @@
 //* Check permissions for module
 $app->auth->check_module_permissions('admin');
 $app->auth->check_security_permissions('admin_allow_cpuser_group');
+if(!$app->auth->is_admin()) $app->error('This function needs admin privileges');
 
 // Loading classes
 $app->uses('tpl,tform,tform_actions');
diff --git a/interface/web/admin/iptables_del.php b/interface/web/admin/iptables_del.php
@@ -44,6 +44,7 @@
 
 //* Check permissions for module
 $app->auth->check_module_permissions('admin');
+if(!$app->auth->is_admin()) $app->error('This function needs admin privileges');
 
 $app->uses("tform_actions");
 $app->tform_actions->onDelete();
diff --git a/interface/web/admin/iptables_edit.php b/interface/web/admin/iptables_edit.php
@@ -44,6 +44,7 @@
 
 //* Check permissions for module
 $app->auth->check_module_permissions('admin');
+if(!$app->auth->is_admin()) $app->error('This function needs admin privileges');
 
 // Loading classes
 $app->uses('tpl,tform,tform_actions');
diff --git a/interface/web/admin/language_add.php b/interface/web/admin/language_add.php
@@ -33,6 +33,7 @@
 //* Check permissions for module
 $app->auth->check_module_permissions('admin');
 $app->auth->check_security_permissions('admin_allow_langedit');
+if(!$app->auth->is_admin()) $app->error('This function needs admin privileges');
 
 //* This is only allowed for administrators
 if(!$app->auth->is_admin()) die('only allowed for administrators.');
diff --git a/interface/web/admin/language_complete.php b/interface/web/admin/language_complete.php
@@ -33,6 +33,8 @@
 //* Check permissions for module
 $app->auth->check_module_permissions('admin');
 $app->auth->check_security_permissions('admin_allow_langedit');
+if(!$app->auth->is_admin()) $app->error('This function needs admin privileges');
+
 if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
 
 //* This is only allowed for administrators
diff --git a/interface/web/admin/language_edit.php b/interface/web/admin/language_edit.php
@@ -33,9 +33,8 @@
 //* Check permissions for module
 $app->auth->check_module_permissions('admin');
 $app->auth->check_security_permissions('admin_allow_langedit');
+if(!$app->auth->is_admin()) $app->error('This function needs admin privileges');
 
-//* This is only allowed for administrators
-if(!$app->auth->is_admin()) die('only allowed for administrators.');
 if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
 
 $app->uses('tpl');
diff --git a/interface/web/admin/remote_user_del.php b/interface/web/admin/remote_user_del.php
@@ -45,6 +45,7 @@
 //* Check permissions for module
 $app->auth->check_module_permissions('admin');
 $app->auth->check_security_permissions('admin_allow_remote_users');
+if(!$app->auth->is_admin()) $app->error('This function needs admin privileges');
 
 $app->uses('tpl,tform');
 $app->load('tform_actions');
diff --git a/interface/web/admin/remote_user_edit.php b/interface/web/admin/remote_user_edit.php
@@ -15,6 +15,7 @@
 
 $app->auth->check_module_permissions('admin');
 $app->auth->check_security_permissions('admin_allow_remote_users');
+if(!$app->auth->is_admin()) $app->error('This function needs admin privileges');
 
 // Disable this function in demo mode
 if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
diff --git a/interface/web/admin/server_config_del.php b/interface/web/admin/server_config_del.php
@@ -46,6 +46,7 @@
 $app->auth->check_module_permissions('admin');
 $app->auth->check_security_permissions('admin_allow_server_config');
 if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
+if(!$app->auth->is_admin()) $app->error('This function needs admin privileges');
 
 $app->uses("tform_actions");
 $app->tform_actions->onDelete();
diff --git a/interface/web/admin/server_config_edit.php b/interface/web/admin/server_config_edit.php
@@ -44,6 +44,7 @@
 //* Check permissions for module
 $app->auth->check_module_permissions('admin');
 $app->auth->check_security_permissions('admin_allow_server_config');
+if(!$app->auth->is_admin()) $app->error('This function needs admin privileges');
 
 
 // Loading classes
diff --git a/interface/web/admin/server_del.php b/interface/web/admin/server_del.php
@@ -46,6 +46,7 @@
 $app->auth->check_module_permissions('admin');
 $app->auth->check_security_permissions('admin_allow_server_services');
 if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
+if(!$app->auth->is_admin()) $app->error('This function needs admin privileges');
 
 $app->uses("tform_actions");
 $app->tform_actions->onDelete();
diff --git a/interface/web/admin/server_edit.php b/interface/web/admin/server_edit.php
@@ -44,6 +44,7 @@
 //* Check permissions for module
 $app->auth->check_module_permissions('admin');
 $app->auth->check_security_permissions('admin_allow_server_services');
+if(!$app->auth->is_admin()) $app->error('This function needs admin privileges');
 
 // Loading classes
 $app->uses('tpl,tform,tform_actions');
diff --git a/interface/web/admin/server_ip_del.php b/interface/web/admin/server_ip_del.php
@@ -45,6 +45,7 @@
 //* Check permissions for module
 $app->auth->check_module_permissions('admin');
 $app->auth->check_security_permissions('admin_allow_server_ip');
+if(!$app->auth->is_admin()) $app->error('This function needs admin privileges');
 
 $app->uses("tform_actions");
 $app->tform_actions->onDelete();
diff --git a/interface/web/admin/server_ip_edit.php b/interface/web/admin/server_ip_edit.php
@@ -44,6 +44,7 @@
 //* Check permissions for module
 $app->auth->check_module_permissions('admin');
 $app->auth->check_security_permissions('admin_allow_server_ip');
+if(!$app->auth->is_admin()) $app->error('This function needs admin privileges');
 
 // Loading classes
 $app->uses('tpl,tform,tform_actions');
diff --git a/interface/web/admin/server_ip_map_del.php b/interface/web/admin/server_ip_map_del.php
@@ -37,6 +37,7 @@
 //* Check permissions for module
 $app->auth->check_module_permissions('admin');
 $app->auth->check_security_permissions('admin_allow_server_ip');
+if(!$app->auth->is_admin()) $app->error('This function needs admin privileges');
 
 $app->uses("tform_actions");
 $app->tform_actions->onDelete();
diff --git a/interface/web/admin/server_ip_map_edit.php b/interface/web/admin/server_ip_map_edit.php
@@ -35,6 +35,7 @@
 //* Check permissions for module
 $app->auth->check_module_permissions('admin');
 $app->auth->check_security_permissions('admin_allow_server_ip');
+if(!$app->auth->is_admin()) $app->error('This function needs admin privileges');
 
 // Loading classes
 $app->uses('tpl,tform,tform_actions');
diff --git a/interface/web/admin/server_php_del.php b/interface/web/admin/server_php_del.php
@@ -45,6 +45,7 @@
 //* Check permissions for module
 $app->auth->check_module_permissions('admin');
 $app->auth->check_security_permissions('admin_allow_server_php');
+if(!$app->auth->is_admin()) $app->error('This function needs admin privileges');
 
 $app->uses('tpl,tform,tform_actions');
 $app->load('tform_actions');
diff --git a/interface/web/admin/server_php_edit.php b/interface/web/admin/server_php_edit.php
@@ -44,6 +44,7 @@
 //* Check permissions for module
 $app->auth->check_module_permissions('admin');
 $app->auth->check_security_permissions('admin_allow_server_php');
+if(!$app->auth->is_admin()) $app->error('This function needs admin privileges');
 
 // Loading classes
 $app->uses('tpl,tform,tform_actions');
diff --git a/interface/web/admin/system_config_edit.php b/interface/web/admin/system_config_edit.php
@@ -44,6 +44,7 @@
 //* Check permissions for module
 $app->auth->check_module_permissions('admin');
 $app->auth->check_security_permissions('admin_allow_system_config');
+if(!$app->auth->is_admin()) $app->error('This function needs admin privileges');
 
 // Loading classes
 $app->uses('tpl,tform,tform_actions');
diff --git a/interface/web/admin/users_del.php b/interface/web/admin/users_del.php
@@ -45,6 +45,8 @@
 //* Check permissions for module
 $app->auth->check_module_permissions('admin');
 $app->auth->check_security_permissions('admin_allow_del_cpuser');
+if(!$app->auth->is_admin()) $app->error('This function needs admin privileges');
+
 if($conf['demo_mode'] == true && $_REQUEST['id'] <= 3) $app->error('This function is disabled in demo mode.');
 
 $app->uses("tform_actions");
diff --git a/interface/web/admin/users_edit.php b/interface/web/admin/users_edit.php
@@ -43,6 +43,7 @@
 
 //* Check permissions for module
 $app->auth->check_module_permissions('admin');
+if(!$app->auth->is_admin()) $app->error('This function needs admin privileges');
 
 // Loading classes
 $app->uses('tpl,tform,tform_actions');
