diff --git a/lib/classes/api/abstract.ApiCommand.php b/lib/classes/api/abstract.ApiCommand.php index 82fd38c8..afdba0c5 100644 --- a/lib/classes/api/abstract.ApiCommand.php +++ b/lib/classes/api/abstract.ApiCommand.php @@ -102,7 +102,7 @@ abstract class ApiCommand public function __construct($header = null, $params = null, $userinfo = null) { global $lng, $version, $dbversion, $branding; - + $this->version = $version; $this->dbversion = $dbversion; $this->branding = $branding; @@ -116,13 +116,13 @@ abstract class ApiCommand throw new Exception("Invalid user data", 500); } $this->logger = FroxlorLogger::getInstanceOf($this->user_data); - + // check whether the user is deactivated if ($this->getUserDetail('deactivated') == 1) { $this->logger()->logAction(LOG_ERROR, LOG_INFO, "[API] User '" . $this->getUserDetail('loginnname') . "' tried to use API but is deactivated"); throw new Exception("Account suspended", 406); } - + $this->initLang(); $this->lng = $lng; $this->initMail(); @@ -166,8 +166,14 @@ abstract class ApiCommand // now include the selected language if its not english if ($language != 'English') { - foreach ($langs[$language] as $key => $value) { - include_once makeSecurePath(FROXLOR_INSTALL_DIR . '/' . $value['file']); + if (isset($langs[$language])) { + foreach ($langs[$language] as $key => $value) { + include_once makeSecurePath(FROXLOR_INSTALL_DIR . '/' . $value['file']); + } + } else { + if ($this->debug) { + $this->logger()->logAction(LOG_ERROR, LOG_DEBUG, "[API] unable to include user-language '" . $language . "'. Not found in database.", 404); + } } } diff --git a/lib/classes/api/commands/class.Admins.php b/lib/classes/api/commands/class.Admins.php index 6c0de7ae..36c1005b 100644 --- a/lib/classes/api/commands/class.Admins.php +++ b/lib/classes/api/commands/class.Admins.php 
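Review bot: In the new else-branch of the language include, `logAction` is called with a trailing `404` argument that none of the other `logAction` calls in this diff pass (they take level, severity, message); it reads like a copied exception code rather than a real parameter, so drop it unless the logger's signature is confirmed to accept a fourth argument. The loop variable `$key` is also unused — `foreach ($langs[$language] as $value)` is enough. Because a language that is missing from `$langs` now silently stays on English unless `$this->debug` is set, a short comment such as `// unknown language: keep the English strings already loaded above` would make that intent explicit for the next reader. The enclosing method starts before the hunk, so where `$langs` is populated is not visible here.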
@@ -99,7 +99,7 @@ class Admins extends ApiCommand implements ResourceEntity $email = $this->getParam('email'); // parameters - $def_language = $this->getParam('def_language', true, ''); + $def_language = $this->getParam('def_language', true, Settings::Get('panel.standardlanguage')); $custom_notes = $this->getParam('custom_notes', true, ''); $custom_notes_show = $this->getParam('custom_notes_show', true, 0); $password = $this->getParam('admin_password', true, ''); @@ -152,28 +152,18 @@ class Admins extends ApiCommand implements ResourceEntity $traffic = $traffic * 1024 * 1024; // Check if the account already exists - try { - $dup_check_result = Customers::getLocal($this->getUserData(), array( - 'loginname' => $loginname - ))->get(); - $loginname_check = json_decode($dup_check_result, true)['data']; - } catch (Exception $e) { - $loginname_check = array( - 'loginname' => '' - ); - } + // do not check via api as we skip any permission checks for this task + $loginname_check_stmt = Database::prepare(" + SELECT `loginname` FROM `" . TABLE_PANEL_CUSTOMERS . "` WHERE `loginname` = :login + "); + $loginname_check = Database::pexecute_first($loginname_check_stmt, array('login' => $loginname), true, true); // Check if an admin with the loginname already exists - try { - $dup_check_result = Admins::getLocal($this->getUserData(), array( - 'loginname' => $loginname - ))->get(); - $loginname_check_admin = json_decode($dup_check_result, true)['data']; - } catch (Exception $e) { - $loginname_check_admin = array( - 'loginname' => '' - ); - } + // do not check via api as we skip any permission checks for this task + $loginname_check_admin_stmt = Database::prepare(" + SELECT `loginname` FROM `" . TABLE_PANEL_ADMINS . "` WHERE `loginname` = :login + "); + $loginname_check_admin = Database::pexecute_first($loginname_check_admin_stmt, array('login' => $loginname), true, true); if ($loginname == '') { standard_error(array( 
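Review bot: The two `Database::pexecute_first(...)` calls in the second hunk replace a fallback that guaranteed `$loginname_check` and `$loginname_check_admin` were arrays with a `'loginname'` key, but nothing now covers the no-match case; if `pexecute_first` returns `false`/`null` when no row is found (as a PDO fetch does), the later `strtolower($loginname_check['loginname'])` comparison (visible in the Customers hunk, presumably the same here) reads an offset on a non-array. Restoring the default at the call site keeps the rest of the method unchanged: `$loginname_check = Database::pexecute_first($loginname_check_stmt, array('login' => $loginname), true, true) ?: array('loginname' => '');` and likewise for `$loginname_check_admin`. The identical block is added to `class.Customers.php` in the last hunk of this diff and has the same gap; since it is copied verbatim, a small shared helper on ApiCommand (e.g. `protected function loginnameExists($loginname)`) would keep the two checks in step. The method containing these checks starts before and ends after the hunk.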
@@ -290,7 +280,7 @@ class Admins extends ApiCommand implements ResourceEntity $adminid = Database::lastInsertId(); $ins_data['adminid'] = $adminid; $this->logger()->logAction(ADM_ACTION, LOG_WARNING, "[API] added admin '" . $loginname . "'"); - return $this->response(200, "successfull", $admin_ins_data); + return $this->response(200, "successfull", $ins_data); } } throw new Exception("Not allowed to execute given command.", 403); diff --git a/lib/classes/api/commands/class.Customers.php b/lib/classes/api/commands/class.Customers.php index e827d32a..2b978684 100644 --- a/lib/classes/api/commands/class.Customers.php +++ b/lib/classes/api/commands/class.Customers.php 
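Review bot: `$ins_data` is now returned as the response body, and since it is also the array whose `adminid` is set from `lastInsertId()` it looks like the data bound to the INSERT; if that array carries the hashed admin password, the API now echoes the hash back to the caller. Confirm what `$ins_data` holds and strip the credential before responding, e.g. `unset($ins_data['<password-key>']);` (placeholder — use the key the INSERT binds) ahead of the `return`. The status string `"successfull"` on the same line is misspelled, but since API clients may match on it, correcting it belongs in a separate, announced change. The surrounding method begins before the hunk, so the array's construction is not visible here.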
@@ -243,28 +243,18 @@ class Customers extends ApiCommand implements ResourceEntity } // Check if the account already exists - try { - $dup_check_result = Customers::getLocal($this->getUserData(), array( - 'loginname' => $loginname - ))->get(); - $loginname_check = json_decode($dup_check_result, true)['data']; - } catch (Exception $e) { - $loginname_check = array( - 'loginname' => '' - ); - } + // do not check via api as we skip any permission checks for this task + $loginname_check_stmt = Database::prepare(" + SELECT `loginname` FROM `" . TABLE_PANEL_CUSTOMERS . "` WHERE `loginname` = :login + "); + $loginname_check = Database::pexecute_first($loginname_check_stmt, array('login' => $loginname), true, true); // Check if an admin with the loginname already exists - try { - $dup_check_result = Admins::getLocal($this->getUserData(), array( - 'loginname' => $loginname - ))->get(); - $loginname_check_admin = json_decode($dup_check_result, true)['data']; - } catch (Exception $e) { - $loginname_check_admin = array( - 'loginname' => '' - ); - } + // do not check via api as we skip any permission checks for this task + $loginname_check_admin_stmt = Database::prepare(" + SELECT `loginname` FROM `" . TABLE_PANEL_ADMINS . "` WHERE `loginname` = :login + "); + $loginname_check_admin = Database::pexecute_first($loginname_check_admin_stmt, array('login' => $loginname), true, true); if (strtolower($loginname_check['loginname']) == strtolower($loginname) || strtolower($loginname_check_admin['loginname']) == strtolower($loginname)) { standard_error('loginnameexists', $loginname, true);