From daeda679cdab5a18d0d57ff177f1152ceaad706e Mon Sep 17 00:00:00 2001
From: mcramer <m.cramer@pixcept.de>
Date: Tue, 06 Aug 2013 14:24:47 -0400
Subject: [PATCH] - Fixed: Needed permission check of parent domain (folder)
---
interface/web/sites/web_folder_edit.php | 3 ++-
interface/web/sites/webdav_user_edit.php | 3 ++-
interface/web/sites/web_aliasdomain_edit.php | 3 ++-
interface/web/sites/web_vhost_subdomain_edit.php | 3 ++-
interface/web/sites/shell_user_edit.php | 3 ++-
interface/web/sites/web_subdomain_edit.php | 3 ++-
interface/web/sites/cron_edit.php | 3 ++-
interface/web/sites/database_edit.php | 5 ++++-
interface/web/sites/ftp_user_edit.php | 3 ++-
interface/web/sites/web_folder_user_edit.php | 3 ++-
10 files changed, 22 insertions(+), 10 deletions(-)
diff --git a/interface/web/sites/cron_edit.php b/interface/web/sites/cron_edit.php
index 4c584d1..fea4a7b 100644
--- a/interface/web/sites/cron_edit.php
+++ b/interface/web/sites/cron_edit.php
@@ -104,7 +104,8 @@
}
// Get the record of the parent domain
- $parent_domain = $app->db->queryOneRecord("select * FROM web_domain WHERE domain_id = ".$app->functions->intval(@$this->dataRecord["parent_domain_id"]));
+ $parent_domain = $app->db->queryOneRecord("select * FROM web_domain WHERE domain_id = ".$app->functions->intval(@$this->dataRecord["parent_domain_id"]) . " AND ".$app->tform->getAuthSQL('r'));
+ if(!$parent_domain || $parent_domain['domain_id'] != @$this->dataRecord['parent_domain_id']) $app->tform->errorMessage .= $app->tform->lng("no_domain_perm");
// Set fixed values
$this->dataRecord["server_id"] = $parent_domain["server_id"];
diff --git a/interface/web/sites/database_edit.php b/interface/web/sites/database_edit.php
index 8dc3ab3..99e0bbd 100644
--- a/interface/web/sites/database_edit.php
+++ b/interface/web/sites/database_edit.php
@@ -136,6 +136,9 @@
function onSubmit() {
global $app, $conf;
+ $parent_domain = $app->db->queryOneRecord("select * FROM web_domain WHERE domain_id = ".$app->functions->intval(@$this->dataRecord["parent_domain_id"]) . " AND ".$app->tform->getAuthSQL('r'));
+ if(!$parent_domain || $parent_domain['domain_id'] != @$this->dataRecord['parent_domain_id']) $app->tform->errorMessage .= $app->tform->lng("no_domain_perm");
+
if($_SESSION["s"]["user"]["typ"] != 'admin') {
// Get the limits of the client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
@@ -186,7 +189,7 @@
function onBeforeUpdate() {
global $app, $conf, $interfaceConf;
- //* Site shell not be empty
+ //* Site shall not be empty
if($this->dataRecord['parent_domain_id'] == 0) $app->tform->errorMessage .= $app->tform->lng("database_site_error_empty").'<br />';
//* Get the database name and database user prefix
diff --git a/interface/web/sites/ftp_user_edit.php b/interface/web/sites/ftp_user_edit.php
index 798233d..0bc3801 100644
--- a/interface/web/sites/ftp_user_edit.php
+++ b/interface/web/sites/ftp_user_edit.php
@@ -91,7 +91,8 @@
global $app, $conf;
// Get the record of the parent domain
- $parent_domain = $app->db->queryOneRecord("select * FROM web_domain WHERE domain_id = ".$app->functions->intval(@$this->dataRecord["parent_domain_id"]));
+ $parent_domain = $app->db->queryOneRecord("select * FROM web_domain WHERE domain_id = ".$app->functions->intval(@$this->dataRecord["parent_domain_id"]) . " AND ".$app->tform->getAuthSQL('r'));
+ if(!$parent_domain || $parent_domain['domain_id'] != @$this->dataRecord['parent_domain_id']) $app->tform->errorMessage .= $app->tform->lng("no_domain_perm");
// Set a few fixed values
$this->dataRecord["server_id"] = $parent_domain["server_id"];
diff --git a/interface/web/sites/shell_user_edit.php b/interface/web/sites/shell_user_edit.php
index b14963a..f7ef5b7 100644
--- a/interface/web/sites/shell_user_edit.php
+++ b/interface/web/sites/shell_user_edit.php
@@ -99,7 +99,8 @@
global $app, $conf;
// Get the record of the parent domain
- $parent_domain = $app->db->queryOneRecord("select * FROM web_domain WHERE domain_id = ".$app->functions->intval(@$this->dataRecord["parent_domain_id"]));
+ $parent_domain = $app->db->queryOneRecord("select * FROM web_domain WHERE domain_id = ".$app->functions->intval(@$this->dataRecord["parent_domain_id"]) . " AND ".$app->tform->getAuthSQL('r'));
+ if(!$parent_domain || $parent_domain['domain_id'] != @$this->dataRecord['parent_domain_id']) $app->tform->errorMessage .= $app->tform->lng("no_domain_perm");
// Set a few fixed values
$this->dataRecord["server_id"] = $parent_domain["server_id"];
diff --git a/interface/web/sites/web_aliasdomain_edit.php b/interface/web/sites/web_aliasdomain_edit.php
index 150cb36..1d05a5e 100644
--- a/interface/web/sites/web_aliasdomain_edit.php
+++ b/interface/web/sites/web_aliasdomain_edit.php
@@ -143,7 +143,8 @@
}
// Get the record of the parent domain
- $parent_domain = $app->db->queryOneRecord("select * FROM web_domain WHERE domain_id = ".$app->functions->intval(@$this->dataRecord["parent_domain_id"]));
+ $parent_domain = $app->db->queryOneRecord("select * FROM web_domain WHERE domain_id = ".$app->functions->intval(@$this->dataRecord["parent_domain_id"]) . " AND ".$app->tform->getAuthSQL('r'));
+ if(!$parent_domain || $parent_domain['domain_id'] != @$this->dataRecord['parent_domain_id']) $app->tform->errorMessage .= $app->tform->lng("no_domain_perm");
// Set a few fixed values
$this->dataRecord["type"] = 'alias';
diff --git a/interface/web/sites/web_folder_edit.php b/interface/web/sites/web_folder_edit.php
index 178c2af..2f888a1 100644
--- a/interface/web/sites/web_folder_edit.php
+++ b/interface/web/sites/web_folder_edit.php
@@ -55,7 +55,8 @@
global $app, $conf;
// Get the record of the parent domain
- $parent_domain = $app->db->queryOneRecord("select server_id FROM web_domain WHERE domain_id = ".$app->functions->intval(@$this->dataRecord["parent_domain_id"]));
+ $parent_domain = $app->db->queryOneRecord("select * FROM web_domain WHERE domain_id = ".$app->functions->intval(@$this->dataRecord["parent_domain_id"]) . " AND ".$app->tform->getAuthSQL('r'));
+ if(!$parent_domain || $parent_domain['domain_id'] != @$this->dataRecord['parent_domain_id']) $app->tform->errorMessage .= $app->tform->lng("no_domain_perm");
// Set a few fixed values
$this->dataRecord["server_id"] = $parent_domain["server_id"];
diff --git a/interface/web/sites/web_folder_user_edit.php b/interface/web/sites/web_folder_user_edit.php
index 95a8864..f2650f5 100644
--- a/interface/web/sites/web_folder_user_edit.php
+++ b/interface/web/sites/web_folder_user_edit.php
@@ -55,7 +55,8 @@
global $app, $conf;
// Get the record of the parent domain
- $folder = $app->db->queryOneRecord("select server_id FROM web_folder WHERE web_folder_id = ".$app->functions->intval(@$this->dataRecord["web_folder_id"]));
+ $folder = $app->db->queryOneRecord("select * FROM web_folder WHERE web_folder_id = ".$app->functions->intval(@$this->dataRecord["web_folder_id"]) . " AND ".$app->tform->getAuthSQL('r'));
+ if(!$folder || $folder['web_folder_id'] != @$this->dataRecord['web_folder_id']) $app->tform->errorMessage .= $app->tform->lng("no_folder_perm"););
// Set a few fixed values
$this->dataRecord["server_id"] = $folder["server_id"];
diff --git a/interface/web/sites/web_subdomain_edit.php b/interface/web/sites/web_subdomain_edit.php
index ae9ee07..3475ed5 100644
--- a/interface/web/sites/web_subdomain_edit.php
+++ b/interface/web/sites/web_subdomain_edit.php
@@ -132,7 +132,8 @@
global $app, $conf;
// Get the record of the parent domain
- $parent_domain = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$app->functions->intval(@$this->dataRecord["parent_domain_id"]));
+ $parent_domain = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$app->functions->intval(@$this->dataRecord["parent_domain_id"]) . " AND ".$app->tform->getAuthSQL('r'));
+ if(!$parent_domain || $parent_domain['domain_id'] != @$this->dataRecord['parent_domain_id']) $app->tform->errorMessage .= $app->tform->lng("no_domain_perm");
$app->uses('ini_parser,getconf');
$settings = $app->getconf->get_global_config('domains');
diff --git a/interface/web/sites/web_vhost_subdomain_edit.php b/interface/web/sites/web_vhost_subdomain_edit.php
index a249798..f4ff2ab 100644
--- a/interface/web/sites/web_vhost_subdomain_edit.php
+++ b/interface/web/sites/web_vhost_subdomain_edit.php
@@ -321,7 +321,8 @@
unset($tmp);
}
- $parent_domain = $app->db->queryOneRecord("select * FROM web_domain WHERE domain_id = ".$app->functions->intval(@$this->dataRecord["parent_domain_id"]));
+ $parent_domain = $app->db->queryOneRecord("select * FROM web_domain WHERE domain_id = ".$app->functions->intval(@$this->dataRecord["parent_domain_id"]) . " AND ".$app->tform->getAuthSQL('r'));
+ if(!$parent_domain || $parent_domain['domain_id'] != @$this->dataRecord['parent_domain_id']) $app->tform->errorMessage .= $app->tform->lng("no_domain_perm");
// Set a few fixed values
$this->dataRecord["type"] = 'vhostsubdomain';
diff --git a/interface/web/sites/webdav_user_edit.php b/interface/web/sites/webdav_user_edit.php
index c6eaaf9..377b00e 100644
--- a/interface/web/sites/webdav_user_edit.php
+++ b/interface/web/sites/webdav_user_edit.php
@@ -98,7 +98,8 @@
global $app, $conf;
/* Get the record of the parent domain */
- $parent_domain = $app->db->queryOneRecord("select * FROM web_domain WHERE domain_id = ".$app->functions->intval(@$this->dataRecord["parent_domain_id"]));
+ $parent_domain = $app->db->queryOneRecord("select * FROM web_domain WHERE domain_id = ".$app->functions->intval(@$this->dataRecord["parent_domain_id"]) . " AND ".$app->tform->getAuthSQL('r'));
+ if(!$parent_domain || $parent_domain['domain_id'] != @$this->dataRecord['parent_domain_id']) $app->tform->errorMessage .= $app->tform->lng("no_domain_perm");
/*
* Set a few fixed values
--
Gitblit v1.9.1