From 37b29231e47a0c4458dc1c15d98588f16f07e1e2 Mon Sep 17 00:00:00 2001
From: Marius Cramer <m.cramer@pixcept.de>
Date: Thu, 06 Aug 2015 03:18:44 -0400
Subject: [PATCH] - don't set password via remoting if field is empty
---
interface/lib/classes/remote.d/client.inc.php | 29 ++++++++++++++++++++++++-----
1 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/interface/lib/classes/remote.d/client.inc.php b/interface/lib/classes/remote.d/client.inc.php
index f0c7b8f..cccc04f 100644
--- a/interface/lib/classes/remote.d/client.inc.php
+++ b/interface/lib/classes/remote.d/client.inc.php
@@ -400,10 +400,10 @@
$app->auth->remove_group_from_user($parent_user['userid'], $client_group['groupid']);
//* delete the group of the client
- $app->db->query("DELETE FROM sys_group WHERE client_id = ", $client_id);
+ $app->db->query("DELETE FROM sys_group WHERE client_id = ?", $client_id);
//* delete the sys user(s) of the client
- $app->db->query("DELETE FROM sys_user WHERE client_id = ", $client_id);
+ $app->db->query("DELETE FROM sys_user WHERE client_id = ?", $client_id);
//* Delete all records (sub-clients, mail, web, etc....) of this client.
$tables = 'client,dns_rr,dns_soa,dns_slave,ftp_user,mail_access,mail_content_filter,mail_domain,mail_forwarding,mail_get,mail_user,mail_user_filter,shell_user,spamfilter_users,support_message,web_database,web_database_user,web_domain,web_traffic';
@@ -413,7 +413,7 @@
if($client_group_id > 1) {
foreach($tables_array as $table) {
if($table != '') {
- $records = $app->db->queryAllRecords("SELECT * FROM $table WHERE sys_groupid = ", $client_group_id);
+ $records = $app->db->queryAllRecords("SELECT * FROM $table WHERE sys_groupid = ?", $client_group_id);
//* find the primary ID of the table
$table_info = $app->db->tableInfo($table);
$index_field = '';
@@ -468,12 +468,32 @@
throw new SoapFault('permission_denied', 'You do not have the permissions to access this function.');
return false;
}
- $username = $app->db->quote($username);
$rec = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE username = ?", $username);
if (isset($rec)) {
return $rec;
} else {
throw new SoapFault('no_client_found', 'There is no user account for this user name.');
+ return false;
+ }
+ }
+
+ public function client_get_by_customer_no($session_id, $customer_no) {
+ global $app;
+ if(!$this->checkPerm($session_id, 'client_get_by_customer_no')) {
+ throw new SoapFault('permission_denied', 'You do not have the permissions to access this function.');
+ return false;
+ }
+ $customer_no = trim($customer_no);
+ if($customer_no == '') {
+ throw new SoapFault('permission_denied', 'There was no customer number specified.');
+ return false;
+ }
+ $customer_no = $app->db->quote($customer_no);
+ $rec = $app->db->queryOneRecord("SELECT * FROM client WHERE customer_no = '".$customer_no."'");
+ if (isset($rec)) {
+ return $rec;
+ } else {
+ throw new SoapFault('no_client_found', 'There is no user account for this customer number.');
return false;
}
}
@@ -519,7 +539,6 @@
$client_id = $app->functions->intval($client_id);
$client = $app->db->queryOneRecord("SELECT client_id FROM client WHERE client_id = ?", $client_id);
if($client['client_id'] > 0) {
- $new_password = $app->db->quote($new_password);
$sql = "UPDATE client SET password = md5(?) WHERE client_id = ?";
$app->db->query($sql, $new_password, $client_id);
$sql = "UPDATE sys_user SET passwort = md5(?) WHERE client_id = ?";
--
Gitblit v1.9.1