From 2f30d85d325486cb04825c56ee94af6c63e6db37 Mon Sep 17 00:00:00 2001
From: "Michael Kaufmann (d00p)"
Date: Sat, 24 Feb 2018 20:52:21 +0100
Subject: [PATCH] minor changes in ApiCommand; added Ftps.get ApiCommand

Signed-off-by: Michael Kaufmann (d00p)
---
 api.php | 2 +-
 customer_ftp.php | 28 ++++---
 lib/classes/api/abstract.ApiCommand.php | 9 ++-
 lib/classes/api/commands/class.Ftps.php | 98 +++++++++++++++++++++++++
 4 files changed, 121 insertions(+), 16 deletions(-)
 create mode 100644 lib/classes/api/commands/class.Ftps.php

diff --git a/api.php b/api.php
index a5dd6fe3..6dc25ff3 100644
--- a/api.php
+++ b/api.php
@@ -56,7 +56,7 @@ function json_response($status, $status_message = '', $data = null)
 {
 $resheader = $_SERVER["SERVER_PROTOCOL"] . " " . $status;
 if (! empty($status_message)) {
- $resheader .= ' ' . $status_message;
+ $resheader .= ' ' . str_replace("\n", " ", $status_message);
 }
 header($resheader);
diff --git a/customer_ftp.php b/customer_ftp.php
index 46cd71f4..e40886d5 100644
--- a/customer_ftp.php
+++ b/customer_ftp.php
@@ -79,12 +79,14 @@ if ($page == 'overview') {
 eval("echo \"" . getTemplate('ftp/accounts') . "\";");
 } elseif ($action == 'delete' && $id != 0) {
- $result_stmt = Database::prepare("SELECT `id`, `username`, `homedir`, `up_count`, `up_bytes`, `down_count`, `down_bytes` FROM `" . TABLE_FTP_USERS . "`
- WHERE `customerid` = :customerid
- AND `id` = :id"
- );
- Database::pexecute($result_stmt, array("customerid" => $userinfo['customerid'], "id" => $id));
- $result = $result_stmt->fetch(PDO::FETCH_ASSOC);
+ try {
+ $json_result = Ftps::getLocal($userinfo, array(
+ 'id' => $id
+ ))->get();
+ } catch (Exception $e) {
+ dynamic_error($e->getMessage());
+ }
+ $result = json_decode($json_result, true)['data'];
 if (isset($result['username']) && $result['username'] != $userinfo['loginname']) {
 if (isset($_POST['send']) && $_POST['send'] == 'send') {
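Review bot: The new `str_replace("\n", " ", $status_message)` on the added line strips line feeds only; a carriage return (`\r`, or `\r\n`, which becomes `\r `) survives into the status line handed to `header()`, and header() refuses to emit a header containing either CR or LF, so such a message still drops the status line with a warning instead of sending it. Replace every line terminator in one call, `$resheader .= ' ' . str_replace(array("\r\n", "\r", "\n"), " ", $status_message);`, so the status line is always well-formed regardless of where the exception message came from. The identical change in lib/classes/api/abstract.ApiCommand.php at @@ -402,7 +402,7 @@ needs the same treatment. json_response() begins and ends outside this hunk.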
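Review bot: After `dynamic_error($e->getMessage())` in the new catch block execution falls through to `json_decode($json_result, true)['data']`, so unless dynamic_error() terminates the request (it is defined outside this patch; presumably it exits) `$json_result` is undefined there and `$result` silently becomes null. Making the control flow explicit, `$json_result = null;` before the `try` or a `return;` after the dynamic_error() call, removes the dependency on that helper's behaviour; the same pattern recurs in the `edit` branch at @@ -369,12 +371,14 @@. Note also that `Ftps::get()` returns the whole row where the removed query selected a fixed column list, so `$result` now carries every column of the ftp-user table into this page; if only `username` is needed here, say so in a short comment so a later template change does not start echoing the rest. The enclosing `elseif` block continues past the end of the hunk.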
@@ -369,12 +371,14 @@ if ($page == 'overview') {
 }
 }
 } elseif ($action == 'edit' && $id != 0) {
- $result_stmt = Database::prepare("SELECT `id`, `username`, `description`, `homedir`, `uid`, `gid`, `shell` FROM `" . TABLE_FTP_USERS . "`
- WHERE `customerid` = :customerid
- AND `id` = :id"
- );
- Database::pexecute($result_stmt, array("customerid" => $userinfo['customerid'], "id" => $id));
- $result = $result_stmt->fetch(PDO::FETCH_ASSOC);
+ try {
+ $json_result = Ftps::getLocal($userinfo, array(
+ 'id' => $id
+ ))->get();
+ } catch (Exception $e) {
+ dynamic_error($e->getMessage());
+ }
+ $result = json_decode($json_result, true)['data'];
 if (isset($result['username']) && $result['username'] != '') {
 if (isset($_POST['send']) && $_POST['send'] == 'send') {
diff --git a/lib/classes/api/abstract.ApiCommand.php b/lib/classes/api/abstract.ApiCommand.php
index ee8f1a90..8ce98e8d 100644
--- a/lib/classes/api/abstract.ApiCommand.php
+++ b/lib/classes/api/abstract.ApiCommand.php
@@ -402,7 +402,7 @@ abstract class ApiCommand
 {
 $resheader = $_SERVER["SERVER_PROTOCOL"] . " " . $status;
 if (! empty($status_message)) {
- $resheader .= ' ' . $status_message;
+ $resheader .= ' ' . str_replace("\n", " ", $status_message);
 }
 header($resheader);
@@ -432,14 +432,17 @@ abstract class ApiCommand
 ), true, true);
 if ($result) {
 // admin or customer?
- if ($result['customerid'] == 0) {
+ if ($result['customerid'] == 0 && $result['adminid'] > 0) {
 $this->is_admin = true;
 $table = 'panel_admins';
 $key = "adminid";
- } else {
+ } elseif ($result['customerid'] > 0 && $result['adminid'] > 0) {
 $this->is_admin = false;
 $table = 'panel_customers';
 $key = "customerid";
+ } else {
+ // neither adminid is > 0 nor customerid is > 0 - sorry man, no way
+ throw new Exception("Invalid API credentials", 400);
 }
 $sel_stmt = Database::prepare("SELECT * FROM `" . $table . "` WHERE `" . $key . "` = :id");
 $this->user_data = Database::pexecute_first($sel_stmt, array(
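Review bot: The admin/customer decision on the first changed line of @@ -432,14 +432,17 @@ still uses a loose `== 0`, so a NULL or empty-string `customerid` (if the column permits either) compares equal to 0 and, together with `adminid > 0`, selects the admin path; casting before comparing, `if ((int) $result['customerid'] === 0 && (int) $result['adminid'] > 0) {` with the matching cast in the `elseif`, makes the branch depend on the numeric value alone. The new `else` backstop is the right addition, but the failure it reports is an authentication failure, so a 401 (or 403) status would describe it more accurately than 400. Consider also logging the rejected credential lookup through the same logger the commands use, so repeated invalid keys are visible in the action log rather than only in the client's response. The query that fills `$result` and the enclosing method both start outside the hunk.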
diff --git a/lib/classes/api/commands/class.Ftps.php b/lib/classes/api/commands/class.Ftps.php
new file mode 100644
index 00000000..6b27c3fb
--- /dev/null
+++ b/lib/classes/api/commands/class.Ftps.php
@@ -0,0 +1,98 @@
+ (2010-)
+ * @license GPLv2 http://files.froxlor.org/misc/COPYING.txt
+ * @package API
+ * @since 0.10.0
+ *
+ */
+class Ftps extends ApiCommand implements ResourceEntity
+{
+
+ public function add()
+ {}
+
+ /**
+ * return a ftp-user entry by either id or username
+ *
+ * @param int $id
+ * optional, the customer-id
+ * @param string $username
+ * optional, the username
+ *
+ * @access admin, customer
+ * @throws Exception
+ * @return array
+ */
+ public function get()
+ {
+ $id = $this->getParam('id', true, 0);
+ $un_optional = ($id <= 0 ? false : true);
+ $username = $this->getParam('username', $un_optional, '');
+
+ if ($id <= 0 && empty($username)) {
+ throw new Exception("Either 'id' or 'username' parameter must be given", 406);
+ }
+
+ $params = array();
+ if ($this->isAdmin()) {
+ if ($this->getUserDetail('customers_see_all') != 1) {
+ // if it's a reseller or an admin who cannot see all customers, we need to check
+ // whether the database belongs to one of his customers
+ $json_result = Customers::getLocal($this->getUserData())->list();
+ $custom_list_result = json_decode($json_result, true)['data']['list'];
+ $customer_ids = array();
+ foreach ($custom_list_result as $customer) {
+ $customer_ids[] = $customer['customerid'];
+ }
+ $result_stmt = Database::prepare("
+ SELECT * FROM `" . TABLE_FTP_USERS . "`
+ WHERE `customerid` IN (:customerid)
+ AND (`id` = :idun OR `username` = :idun)
+ ");
+ $params['customerid'] = implode(", ", $customer_ids);
+ } else {
+ $result_stmt = Database::prepare("
+ SELECT * FROM `" . TABLE_FTP_USERS . "`
+ WHERE (`id` = :idun OR `username` = :idun)
+ ");
+ }
+ } else {
+ if (Settings::IsInList('panel.customer_hide_options', 'ftp')) {
+ throw new Exception("You cannot access this resource", 405);
+ }
+ $result_stmt = Database::prepare("
+ SELECT * FROM `" . TABLE_FTP_USERS . "`
+ WHERE `customerid` = :customerid
+ AND (`id` = :idun OR `username` = :idun)
+ ");
+ $params['customerid'] = $this->getUserDetail('customerid');
+ }
+ $params['idun'] = ($id <= 0 ? $username : $id);
+ $result = Database::pexecute_first($result_stmt, $params, true, true);
+ if ($result) {
+ $this->logger()->logAction($this->isAdmin() ? ADM_ACTION : USR_ACTION, LOG_NOTICE, "[API] get ftp-user '" . $result['username'] . "'");
+ return $this->response(200, "successfull", $result);
+ }
+ $key = ($id > 0 ? "id #" . $id : "username '" . $username . "'");
+ throw new Exception("FTP user with " . $key . " could not be found", 404);
+ }
+
+ public function update()
+ {}
+
+ public function list()
+ {}
+
+ public function delete()
+ {}
+}