From 9edea9976bd605071e0694a90d704266c0b7e0f9 Mon Sep 17 00:00:00 2001
From: Till Brehm <tbrehm@ispconfig.org>
Date: Thu, 14 Aug 2014 11:30:03 -0400
Subject: [PATCH] - Added warning in the interface when a path for a shelluser is set that is outside of the website docroot. - Added security settings feature to allow the root user of a server to control most aspects of whet the admin user of the controlpanel is allowed to do in system settings. This is especially useful for managed severs where the ispconfig admin user and the root user of the server are different persons.
---
interface/web/client/client_message.php | 115 ++++++++++++++++++++++++++++++++++++++++++++-------------
1 files changed, 88 insertions(+), 27 deletions(-)
diff --git a/interface/web/client/client_message.php b/interface/web/client/client_message.php
index f555c99..5707e88 100644
--- a/interface/web/client/client_message.php
+++ b/interface/web/client/client_message.php
@@ -27,8 +27,8 @@
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
-require_once('../../lib/config.inc.php');
-require_once('../../lib/app.inc.php');
+require_once '../../lib/config.inc.php';
+require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('client');
@@ -36,14 +36,14 @@
//* This function is not available in demo mode
if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
-$app->uses('tpl');
+$app->uses('tpl,tform');
$app->tpl->newTemplate('form.tpl.htm');
$app->tpl->setInclude('content_tpl', 'templates/client_message.htm');
-//* load language file
+//* load language file
$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_client_message.lng';
-include($lng_file);
+include $lng_file;
$app->tpl->setVar($wb);
$msg = '';
@@ -51,57 +51,118 @@
//* Save data
if(isset($_POST) && count($_POST) > 1) {
-
+
//* Check values
if(!preg_match("/^\w+[\w\.\-\+]*\w{0,}@\w+[\w.-]*\w+\.[a-zA-Z0-9\-]{2,30}$/i", $_POST['sender'])) $error .= $wb['sender_invalid_error'].'<br />';
if(empty($_POST['subject'])) $error .= $wb['subject_invalid_error'].'<br />';
if(empty($_POST['message'])) $error .= $wb['message_invalid_error'].'<br />';
-
+
//* Send message
if($error == '') {
- //* Select all clients and resellers
- if($_SESSION["s"]["user"]["typ"] == 'admin'){
- $sql = "SELECT * FROM client WHERE email != ''";
+ if($app->functions->intval($_POST['recipient']) > 0){
+ $circle = $app->db->queryOneRecord("SELECT client_ids FROM client_circle WHERE active = 'y' AND circle_id = ".$app->functions->intval($_POST['recipient'])." AND ".$app->tform->getAuthSQL('r'));
+ if(isset($circle['client_ids']) && $circle['client_ids'] != ''){
+ $tmp_client_ids = explode(',', $circle['client_ids']);
+ $where = array();
+ foreach($tmp_client_ids as $tmp_client_id){
+ $where[] = 'client_id = '.$app->functions->intval($tmp_client_id);
+ }
+ if(!empty($where)) $where_clause = ' AND ('.implode(' OR ', $where).')';
+ $sql = "SELECT * FROM client WHERE email != ''".$where_clause;
+ } else {
+ $sql = "SELECT * FROM client WHERE 0";
+ }
} else {
- $client_id = intval($_SESSION['s']['user']['client_id']);
- if($client_id == 0) die('Invalid Client ID.');
- $sql = "SELECT * FROM client WHERE email != '' AND parent_client_id = '$client_id'";
+ //* Select all clients and resellers
+ if($_SESSION["s"]["user"]["typ"] == 'admin'){
+ $sql = "SELECT * FROM client WHERE email != ''";
+ } else {
+ $client_id = $app->functions->intval($_SESSION['s']['user']['client_id']);
+ if($client_id == 0) die('Invalid Client ID.');
+ $sql = "SELECT * FROM client WHERE email != '' AND parent_client_id = '$client_id'";
+ }
}
-
+
//* Get clients
$clients = $app->db->queryAllRecords($sql);
if(is_array($clients)) {
$msg = $wb['email_sent_to_txt'].' ';
foreach($clients as $client) {
-
- //* Parse cleint details into message
+ //* Parse client details into message
$message = $_POST['message'];
foreach($client as $key => $val) {
- $message = str_replace('{'.$key.'}', $val, $message);
+ switch ($key) {
+ case 'password':
+ $message = str_replace('{'.$key.'}', '---', $message);
+ break;
+ case 'gender':
+ $message = str_replace('{salutation}', $wb['gender_'.$val.'_txt'], $message);
+ break;
+ default:
+ $message = str_replace('{'.$key.'}', $val, $message);
+ }
}
-
+
//* Send the email
$app->functions->mail($client['email'], $_POST['subject'], $message, $_POST['sender']);
$msg .= $client['email'].', ';
}
- $msg = substr($msg,0,-2);
+ $msg = substr($msg, 0, -2);
}
-
+
} else {
- $app->tpl->setVar('sender',$_POST['sender']);
- $app->tpl->setVar('subject',$_POST['subject']);
- $app->tpl->setVar('message',$_POST['message']);
+ $app->tpl->setVar('sender', $_POST['sender']);
+ $app->tpl->setVar('subject', $_POST['subject']);
+ $app->tpl->setVar('message', $_POST['message']);
+ }
+} else {
+ // pre-fill Sender field with reseller's email address
+ if($_SESSION["s"]["user"]["typ"] != 'admin'){
+ $client_id = $app->functions->intval($_SESSION['s']['user']['client_id']);
+ if($client_id > 0){
+ $sql = "SELECT email FROM client WHERE client_id = ".$client_id;
+ $client = $app->db->queryOneRecord($sql);
+ if($client['email'] != '') $app->tpl->setVar('sender', $client['email']);
+ }
}
}
+// Recipient Drop-Down
+$recipient = '<option value="0"'.($app->functions->intval($_POST['recipient']) == 0 ? ' selected="selected"' : '').'>'.($_SESSION["s"]["user"]["typ"] == 'admin'? $wb['all_clients_resellers_txt'] : $wb['all_clients_txt']).'</option>';
+$sql = "SELECT * FROM client_circle WHERE active = 'y' AND ".$app->tform->getAuthSQL('r');
+$circles = $app->db->queryAllRecords($sql);
+if(is_array($circles) && !empty($circles)){
+ foreach($circles as $circle){
+ $recipient .= '<option value="'.$circle['circle_id'].'"'.($app->functions->intval($_POST['recipient']) == $circle['circle_id'] ? ' selected="selected"' : '').'>'.$circle['circle_name'].'</option>';
+ }
+}
+$app->tpl->setVar('recipient', $recipient);
+
if($_SESSION["s"]["user"]["typ"] == 'admin'){
- $app->tpl->setVar('form_legend_txt',$wb['form_legend_admin_txt']);
+ $app->tpl->setVar('form_legend_txt', $wb['form_legend_admin_txt']);
} else {
- $app->tpl->setVar('form_legend_txt',$wb['form_legend_client_txt']);
+ $app->tpl->setVar('form_legend_txt', $wb['form_legend_client_txt']);
}
-$app->tpl->setVar('okmsg',$msg);
-$app->tpl->setVar('error',$error);
+//message variables
+$message_variables = '';
+$sql = "SHOW COLUMNS FROM client WHERE Field NOT IN ('client_id', 'sys_userid', 'sys_groupid', 'sys_perm_user', 'sys_perm_group', 'sys_perm_other', 'password', 'parent_client_id', 'id_rsa', 'ssh_rsa', 'created_at', 'default_mailserver', 'default_webserver', 'web_php_options', 'ssh_chroot', 'default_dnsserver', 'default_dbserver', 'template_master', 'template_additional', 'force_suexec', 'default_slave_dnsserver', 'usertheme', 'locked', 'canceled', 'can_use_api', 'tmp_data', 'customer_no_template', 'customer_no_start', 'customer_no_counter', 'added_date', 'added_by') AND Field NOT LIKE 'limit_%'";
+$field_names = $app->db->queryAllRecords($sql);
+if(!empty($field_names) && is_array($field_names)){
+ foreach($field_names as $field_name){
+ if($field_name['Field'] != ''){
+ if($field_name['Field'] == 'gender'){
+ $message_variables .= '<a href="javascript:void(0);" class="addPlaceholder">{salutation}</a> ';
+ } else {
+ $message_variables .= '<a href="javascript:void(0);" class="addPlaceholder">{'.$field_name['Field'].'}</a> ';
+ }
+ }
+ }
+}
+$app->tpl->setVar('message_variables', trim($message_variables));
+
+$app->tpl->setVar('okmsg', $msg);
+$app->tpl->setVar('error', $error);
$app->tpl_defaults();
$app->tpl->pparse();
--
Gitblit v1.9.1