From ec09b18c9c44f85ceb6d9e7588a03a221cd1193f Mon Sep 17 00:00:00 2001
From: tbrehm <t.brehm@ispconfig.org>
Date: Fri, 12 Dec 2008 05:47:05 -0500
Subject: [PATCH] Disallow server changes for existing records in mail_domain_edit.php

---
 interface/web/client/client_edit.php |   23 ++++++++++-------------
 1 files changed, 10 insertions(+), 13 deletions(-)

diff --git a/interface/web/client/client_edit.php b/interface/web/client/client_edit.php
index 4852047..23e445f 100644
--- a/interface/web/client/client_edit.php
+++ b/interface/web/client/client_edit.php
@@ -41,11 +41,8 @@
 require_once('../../lib/config.inc.php');
 require_once('../../lib/app.inc.php');
 
-// Checking module permissions
-if(!stristr($_SESSION["s"]["user"]["modules"],$_SESSION["s"]["module"]["name"])) {
-	header("Location: ../index.php");
-	exit;
-}
+//* Check permissions for module
+$app->auth->check_module_permissions('client');
 
 // Loading classes
 $app->uses('tpl,tform,tform_actions');
@@ -60,20 +57,20 @@
 	function onAfterInsert() {
 		global $app;
 		// Create the group for the client
-		$sql = "INSERT INTO sys_group (name,description,client_id) VALUES ('".addslashes($this->dataRecord["username"])."','',".$this->id.")";
+		$sql = "INSERT INTO sys_group (name,description,client_id) VALUES ('".mysql_real_escape_string($this->dataRecord["username"])."','',".$this->id.")";
 		$app->db->query($sql);
 		$groupid = $app->db->insertID();
 		$groups = $groupid;
 		
-		$username = addslashes($this->dataRecord["username"]);
-		$password = addslashes($this->dataRecord["password"]);
+		$username = mysql_real_escape_string($this->dataRecord["username"]);
+		$password = mysql_real_escape_string($this->dataRecord["password"]);
 		$modules = ISPC_INTERFACE_MODULES_ENABLED;
 		if($this->dataRecord["limit_client"] > 0) $modules .= ',client';
 		$startmodule = 'mail';
-		$usertheme = addslashes($this->dataRecord["usertheme"]);
+		$usertheme = mysql_real_escape_string($this->dataRecord["usertheme"]);
 		$type = 'user';
 		$active = 1;
-		$language = addslashes($this->dataRecord["language"]);
+		$language = mysql_real_escape_string($this->dataRecord["language"]);
 		
 		// Create the controlpaneluser for the client
 		$sql = "INSERT INTO sys_user (username,passwort,modules,startmodule,app_theme,typ,active,language,groups,default_group,client_id)
@@ -100,7 +97,7 @@
 		
 		// username changed
 		if(isset($app->tform->diffrec['username'])) {
-			$username = addslashes($this->dataRecord["username"]);
+			$username = mysql_real_escape_string($this->dataRecord["username"]);
 			$client_id = $this->id;
 			$sql = "UPDATE sys_user SET username = '$username' WHERE client_id = $client_id";
 			$app->db->query($sql);
@@ -110,7 +107,7 @@
 		
 		// password changed
 		if(isset($this->dataRecord["password"]) && $this->dataRecord["password"] != '') {
-			$password = addslashes($this->dataRecord["password"]);
+			$password = mysql_real_escape_string($this->dataRecord["password"]);
 			$client_id = $this->id;
 			$sql = "UPDATE sys_user SET passwort = md5('$password') WHERE client_id = $client_id";
 			$app->db->query($sql);
@@ -120,7 +117,7 @@
 		if(isset($this->dataRecord["limit_client"])) {
 			$modules = ISPC_INTERFACE_MODULES_ENABLED;
 			if($this->dataRecord["limit_client"] > 0) $modules .= ',client';
-			$modules = addslashes($modules);
+			$modules = mysql_real_escape_string($modules);
 			$client_id = $this->id;
 			$sql = "UPDATE sys_user SET modules = '$modules' WHERE client_id = $client_id";
 			$app->db->query($sql);

--
Gitblit v1.9.1