correct Admins.update and Admins.delete

Signed-off-by: Michael Kaufmann (d00p) <d00p@froxlor.org>
2018-02-25 20:47:36 +01:00
parent c65d95c1ef
commit 5c330505ea
1 changed files with 297 additions and 279 deletions
--- a/lib/classes/api/commands/class.Admins.php
+++ b/lib/classes/api/commands/class.Admins.php
@@ -124,7 +124,7 @@ class Admins extends ApiCommand implements ResourceEntity
 			$tickets_see_all = $this->getParam('tickets_see_all', true, 0);
 			$caneditphpsettings = $this->getParam('caneditphpsettings', true, 0);
 			$change_serversettings = $this->getParam('change_serversettings', true, 0);
-			$ipaddress = intval_ressource($this->getParam('ipaddress', true, -1));
+			$ipaddress = intval_ressource($this->getParam('ipaddress', true, - 1));
 			
 			// validation
 			$name = validate($name, 'name', '', '', array(), true);
@@ -156,14 +156,18 @@ class Admins extends ApiCommand implements ResourceEntity
 			$loginname_check_stmt = Database::prepare("
 				SELECT `loginname` FROM `" . TABLE_PANEL_CUSTOMERS . "` WHERE `loginname` = :login
 			");
-			$loginname_check = Database::pexecute_first($loginname_check_stmt, array('login' => $loginname), true, true);
+			$loginname_check = Database::pexecute_first($loginname_check_stmt, array(
+				'login' => $loginname
+			), true, true);
 			
 			// Check if an admin with the loginname already exists
 			// do not check via api as we skip any permission checks for this task
 			$loginname_check_admin_stmt = Database::prepare("
 				SELECT `loginname` FROM `" . TABLE_PANEL_ADMINS . "` WHERE `loginname` = :login
 			");
-			$loginname_check_admin = Database::pexecute_first($loginname_check_admin_stmt, array('login' => $loginname), true, true);
+			$loginname_check_admin = Database::pexecute_first($loginname_check_admin_stmt, array(
+				'login' => $loginname
+			), true, true);
 			
 			if ($loginname == '') {
 				standard_error(array(
@@ -306,7 +310,7 @@ class Admins extends ApiCommand implements ResourceEntity
 	 */
 	public function update()
 	{
-		if ($this->isAdmin() && $this->getUserDetail('change_serversettings') == 1) {
+		if ($this->isAdmin()) {
 			
 			$id = $this->getParam('id', true, 0);
 			$ln_optional = ($id <= 0 ? false : true);
@@ -319,6 +323,7 @@ class Admins extends ApiCommand implements ResourceEntity
 			$result = json_decode($json_result, true)['data'];
 			$id = $result['adminid'];
 			
+			if ($this->getUserDetail('change_serversettings') == 1 || $result['adminid'] == $this->getUserDetail('adminid')) {
 				// parameters
 				$name = $this->getParam('name', true, $result['name']);
 				$idna_convert = new idna_convert_wrapper();
@@ -330,7 +335,7 @@ class Admins extends ApiCommand implements ResourceEntity
 				$theme = $this->getParam('theme', true, $result['theme']);
 				
 				// you cannot edit some of the details of yourself
-			if ($result['adminid'] == $this->getUserDetail('userid')) {
+				if ($result['adminid'] == $this->getUserDetail('adminid')) {
 					$deactivated = $result['deactivated'];
 					$customers = $result['customers'];
 					$domains = $result['domains'];
@@ -447,41 +452,41 @@ class Admins extends ApiCommand implements ResourceEntity
 					// check if a resource was set to something lower
 					// than actually used by the admin/reseller
 					$res_warning = "";
-				if ($customers != $result['customers'] && $customers != -1 && $customers < $result['customers_used']) {
+					if ($customers != $result['customers'] && $customers != - 1 && $customers < $result['customers_used']) {
 						$res_warning .= sprintf($this->lng['error']['setlessthanalreadyused'], 'customers');
 					}
-				if ($domains != $result['domains'] && $domains != -1 && $domains < $result['domains_used']) {
+					if ($domains != $result['domains'] && $domains != - 1 && $domains < $result['domains_used']) {
 						$res_warning .= sprintf($this->lng['error']['setlessthanalreadyused'], 'domains');
 					}
-				if ($diskspace != $result['diskspace'] && ($diskspace / 1024) != -1 && $diskspace < $result['diskspace_used']) {
+					if ($diskspace != $result['diskspace'] && ($diskspace / 1024) != - 1 && $diskspace < $result['diskspace_used']) {
 						$res_warning .= sprintf($this->lng['error']['setlessthanalreadyused'], 'diskspace');
 					}
-				if ($traffic != $result['traffic'] && ($traffic / 1024 / 1024) != -1 && $traffic < $result['traffic_used']) {
+					if ($traffic != $result['traffic'] && ($traffic / 1024 / 1024) != - 1 && $traffic < $result['traffic_used']) {
 						$res_warning .= sprintf($this->lng['error']['setlessthanalreadyused'], 'traffic');
 					}
-				if ($emails != $result['emails'] && $emails != -1 && $emails < $result['emails_used']) {
+					if ($emails != $result['emails'] && $emails != - 1 && $emails < $result['emails_used']) {
 						$res_warning .= sprintf($this->lng['error']['setlessthanalreadyused'], 'emails');
 					}
-				if ($email_accounts != $result['email_accounts'] && $email_accounts != -1 && $email_accounts < $result['email_accounts_used']) {
+					if ($email_accounts != $result['email_accounts'] && $email_accounts != - 1 && $email_accounts < $result['email_accounts_used']) {
 						$res_warning .= sprintf($this->lng['error']['setlessthanalreadyused'], 'email accounts');
 					}
-				if ($email_forwarders != $result['email_forwarders'] && $email_forwarders != -1 && $email_forwarders < $result['email_forwarders_used']) {
+					if ($email_forwarders != $result['email_forwarders'] && $email_forwarders != - 1 && $email_forwarders < $result['email_forwarders_used']) {
 						$res_warning .= sprintf($this->lng['error']['setlessthanalreadyused'], 'email forwarders');
 					}
-				if ($email_quota != $result['email_quota'] && $email_quota != -1 && $email_quota < $result['email_quota_used']) {
+					if ($email_quota != $result['email_quota'] && $email_quota != - 1 && $email_quota < $result['email_quota_used']) {
 						$res_warning .= sprintf($this->lng['error']['setlessthanalreadyused'], 'email quota');
 					}
-				if ($ftps != $result['ftps'] && $ftps != -1 && $ftps < $result['ftps_used']) {
+					if ($ftps != $result['ftps'] && $ftps != - 1 && $ftps < $result['ftps_used']) {
 						$res_warning .= sprintf($this->lng['error']['setlessthanalreadyused'], 'ftps');
 					}
-				if ($tickets != $result['tickets'] && $tickets != -1 && $tickets < $result['tickets_used']) {
+					if ($tickets != $result['tickets'] && $tickets != - 1 && $tickets < $result['tickets_used']) {
 						$res_warning .= sprintf($this->lng['error']['setlessthanalreadyused'], 'tickets');
 					}
-				if ($mysqls != $result['mysqls'] && $mysqls != -1 && $mysqls < $result['mysqls_used']) {
+					if ($mysqls != $result['mysqls'] && $mysqls != - 1 && $mysqls < $result['mysqls_used']) {
 						$res_warning .= sprintf($this->lng['error']['setlessthanalreadyused'], 'mysqls');
 					}
 					
-				if (!empty($res_warning)) {
+					if (! empty($res_warning)) {
 						throw new Exception($res_warning, 406);
 					}
 					
@@ -556,6 +561,7 @@ class Admins extends ApiCommand implements ResourceEntity
 					return $this->response(200, "successfull", $result);
 				}
 			}
+		}
 		throw new Exception("Not allowed to execute given command.", 403);
 	}

@@ -586,36 +592,48 @@ class Admins extends ApiCommand implements ResourceEntity
 			$id = $result['adminid'];
 			
 			// don't be stupid
-			if ($id == $this->getUserDetail('userid')) {
+			if ($id == $this->getUserDetail('adminid')) {
 				standard_error('youcantdeleteyourself', '', true);
 			}
 			
 			$del_stmt = Database::prepare("
 				DELETE FROM `" . TABLE_PANEL_ADMINS . "` WHERE `adminid` = :adminid
 			");
-			Database::pexecute($del_stmt, array('adminid' => $id), true, true);
+			Database::pexecute($del_stmt, array(
+				'adminid' => $id
+			), true, true);
 			
 			$del_stmt = Database::prepare("
 				DELETE FROM `" . TABLE_PANEL_TRAFFIC_ADMINS . "` WHERE `adminid` = :adminid
 			");
-			Database::pexecute($del_stmt, array('adminid' => $id), true, true);
+			Database::pexecute($del_stmt, array(
+				'adminid' => $id
+			), true, true);
 			
 			$del_stmt = Database::prepare("
 				DELETE FROM `" . TABLE_PANEL_DISKSPACE_ADMINS . "` WHERE `adminid` = :adminid
 			");
-			Database::pexecute($del_stmt, array('adminid' => $id), true, true);
+			Database::pexecute($del_stmt, array(
+				'adminid' => $id
+			), true, true);
 			
 			$upd_stmt = Database::prepare("
 				UPDATE `" . TABLE_PANEL_CUSTOMERS . "` SET
 				`adminid` = :userid WHERE `adminid` = :adminid
 			");
-			Database::pexecute($upd_stmt, array('userid' => $this->getUserDetail('userid'), 'adminid' => $id), true, true);
+			Database::pexecute($upd_stmt, array(
+				'userid' => $this->getUserDetail('adminid'),
+				'adminid' => $id
+			), true, true);
 			
 			$upd_stmt = Database::prepare("
 				UPDATE `" . TABLE_PANEL_DOMAINS . "` SET
 				`adminid` = :userid WHERE `adminid` = :adminid
 			");
-			Database::pexecute($upd_stmt, array('userid' => $this->getUserDetail('userid'), 'adminid' => $id), true, true);
+			Database::pexecute($upd_stmt, array(
+				'userid' => $this->getUserDetail('adminid'),
+				'adminid' => $id
+			), true, true);
 			
 			$this->logger()->logAction(ADM_ACTION, LOG_WARNING, "[API] deleted admin '" . $result['loginname'] . "'");
 			updateCounters();