From f02fc545a587ce3dfd33902b57ec686ebb51d967 Mon Sep 17 00:00:00 2001
From: mcramer <m.cramer@pixcept.de>
Date: Mon, 02 Sep 2013 04:16:39 -0400
Subject: [PATCH] - Fixed: getAuthSQL has to be used with app->tform instead of this here.

---
 interface/lib/classes/plugin_backuplist.inc.php |   11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)

diff --git a/interface/lib/classes/plugin_backuplist.inc.php b/interface/lib/classes/plugin_backuplist.inc.php
index ad567b2..a527f23 100644
--- a/interface/lib/classes/plugin_backuplist.inc.php
+++ b/interface/lib/classes/plugin_backuplist.inc.php
@@ -55,6 +55,17 @@
 				if(isset($_GET['backup_action'])) {
 					$backup_id = $app->functions->intval($_GET['backup_id']);
 					
+					//* check if the user is  owner of the parent domain
+					$domain_backup = $app->db->queryOneRecord("SELECT parent_domain_id FROM web_backup WHERE backup_id = ".$backup_id);
+					
+                    $check_perm = 'u';
+                    if($_GET['backup_action'] == 'download') $check_perm = 'r'; // only check read permissions on download, not update permissions
+                    
+					$get_domain = $app->db->queryOneRecord("SELECT domain_id FROM web_domain WHERE domain_id = ".$app->functions->intval($domain_backup["parent_domain_id"])." AND ".$app->tform->getAuthSQL($check_perm));
+					if(empty($get_domain) || !$get_domain) {
+						$app->error($app->tform->lng('no_domain_perm'));
+					}
+					
 					if($_GET['backup_action'] == 'download' && $backup_id > 0) {
 						$sql = "SELECT count(action_id) as number FROM sys_remoteaction WHERE action_state = 'pending' AND action_type = 'backup_download' AND action_param = '$backup_id'";
 						$tmp = $app->db->queryOneRecord($sql);

--
Gitblit v1.9.1