From e0dc711c2b2dc4e2ec397d7f53910f11e1ca4ade Mon Sep 17 00:00:00 2001
From: mcramer <m.cramer@pixcept.de>
Date: Mon, 02 Sep 2013 04:14:56 -0400
Subject: [PATCH] - Changed previous commit to check for read permissions only on download action

---
 interface/lib/classes/plugin_backuplist.inc.php |   13 ++++++++++++-
 1 files changed, 12 insertions(+), 1 deletions(-)

diff --git a/interface/lib/classes/plugin_backuplist.inc.php b/interface/lib/classes/plugin_backuplist.inc.php
index ac0396b..78c27fb 100644
--- a/interface/lib/classes/plugin_backuplist.inc.php
+++ b/interface/lib/classes/plugin_backuplist.inc.php
@@ -53,7 +53,18 @@
 				$error = '';
 				
 				if(isset($_GET['backup_action'])) {
-					$backup_id = intval($_GET['backup_id']);
+					$backup_id = $app->functions->intval($_GET['backup_id']);
+					
+					//* check if the user is  owner of the parent domain
+					$domain_backup = $app->db->queryOneRecord("SELECT parent_domain_id FROM web_backup WHERE backup_id = ".$backup_id);
+					
+                    $check_perm = 'u';
+                    if($_GET['backup_action'] == 'download') $check_perm = 'r'; // only check read permissions on download, not update permissions
+                    
+					$get_domain = $app->db->queryOneRecord("SELECT domain_id FROM web_domain WHERE domain_id = ".$app->functions->intval($domain_backup["parent_domain_id"])." AND ".$this->getAuthSQL($check_perm));
+					if(empty($get_domain) || !$get_domain) {
+						$app->error($app->tform->lng('no_domain_perm'));
+					}
 					
 					if($_GET['backup_action'] == 'download' && $backup_id > 0) {
 						$sql = "SELECT count(action_id) as number FROM sys_remoteaction WHERE action_state = 'pending' AND action_type = 'backup_download' AND action_param = '$backup_id'";

--
Gitblit v1.9.1