From 9e7715430bd58eb52e9e175e4ce42e76e99ac6f5 Mon Sep 17 00:00:00 2001 From: Michael Kaufmann Date: Sat, 23 Jun 2018 09:27:56 +0200 Subject: [PATCH] fix editing api-keys as customer Signed-off-by: Michael Kaufmann --- api_keys.php | 12 ++++++++++- .../updates/froxlor/0.10/update_0.10.inc.php | 20 ++++++++++--------- templates/Sparkle/api_keys/keys_key.tpl | 3 ++- templates/Sparkle/assets/js/apikey.js | 5 +++-- 4 files changed, 27 insertions(+), 13 deletions(-) diff --git a/api_keys.php b/api_keys.php index ec536571..5f516905 100644 --- a/api_keys.php +++ b/api_keys.php @@ -26,6 +26,7 @@ if (! defined('AREA')) { $del_stmt = Database::prepare("DELETE FROM `" . TABLE_API_KEYS . "` WHERE id = :id"); $success_message = ""; $id = isset($_GET['id']) ? (int) $_GET['id'] : 0; +$area = AREA; // do the delete and then just show a success-message and the apikeys list again if ($action == 'delete') { @@ -85,7 +86,16 @@ if ($action == 'delete') { $allowed_from = isset($_POST['allowed_from']) ? $_POST['allowed_from'] : ""; $valid_until = isset($_POST['valid_until']) ? (int)$_POST['valid_until'] : -1; - // @todo validate allowed_from + // validate allowed_from + $ip_list = explode(",", $allowed_from); + $_check_list = $ip_list; + foreach ($_check_list as $idx => $ip) { + if (validate_ip2($ip, true, 'invalidip', true, true) == false) { + unset ($ip_list[$idx]); + } + } + $ip_list = array_map('inet_pton', $ip_list); + $allowed_from = implode(",", array_unique($ip_list)); if ($valid_until <= 0 || !is_numeric($valid_until)) { $valid_until = -1; diff --git a/install/updates/froxlor/0.10/update_0.10.inc.php b/install/updates/froxlor/0.10/update_0.10.inc.php index 2976f24a..57bce60e 100644 --- a/install/updates/froxlor/0.10/update_0.10.inc.php +++ b/install/updates/froxlor/0.10/update_0.10.inc.php 
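Review bot: In the `@@ -85,7 +86,16 @@` hunk of api_keys.php, `array_map('inet_pton', $ip_list)` turns each validated address into its packed binary form, and those raw bytes are then joined with commas into `$allowed_from`. A packed address can itself contain the byte 0x2C (any IPv4 address with an octet of 44, for instance), so the stored list cannot be split back reliably and no longer compares against a textual client address. If the intent is normalisation, round-trip it: `$ip_list = array_map('inet_ntop', array_map('inet_pton', $ip_list));`. Entries are also not trimmed before `validate_ip2()` and rejected ones are dropped silently, so a mistyped restriction can be saved as an empty list, which presumably means unrestricted; trimming each entry and reporting the rejected ones would avoid that. The enclosing `if`/`elseif` chain on `$action` starts and ends outside the hunk.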
@@ -23,10 +23,7 @@ if (! defined('_CRON_UPDATE')) { if (isFroxlorVersion('0.9.39.5')) { showUpdateStep("Updating from 0.9.39.5 to 0.10.0", false); - updateToVersion('0.10.0'); -} - -if (isFroxlorVersion('0.10.0')) { + showUpdateStep("Adding new api keys table"); Database::query("DROP TABLE IF EXISTS `api_keys`;"); $sql = "CREATE TABLE `api_keys` ( @@ -43,15 +40,15 @@ if (isFroxlorVersion('0.10.0')) { ) ENGINE=MyISAM CHARSET=utf8 COLLATE=utf8_general_ci;"; Database::query($sql); lastStepStatus(0); - + showUpdateStep("Adding new api settings"); Settings::AddNew('api.enabled', 0); lastStepStatus(0); - + showUpdateStep("Adding new default-ssl-ip setting"); Settings::AddNew('system.defaultsslip', ''); lastStepStatus(0); - + showUpdateStep("Altering admin ip's field to allow multiple ip addresses"); // get all admins for updating the new field $sel_stmt = Database::prepare("SELECT adminid, ip FROM `panel_admins`"); @@ -60,9 +57,14 @@ if (isFroxlorVersion('0.10.0')) { Database::query("ALTER TABLE `panel_admins` MODIFY `ip` varchar(500) NOT NULL default '-1';"); $upd_stmt = Database::prepare("UPDATE `panel_admins` SET `ip` = :ip WHERE `adminid` = :adminid"); foreach ($all_admins as $adm) { - if ($admin['ip'] != '-1') { - Database::pexecute($upd_stmt, array('ip' => json_encode($adm['ip']), 'adminid' => $adm['adminid'])); + if ($adm['ip'] != '-1') { + Database::pexecute($upd_stmt, array( + 'ip' => json_encode($adm['ip']), + 'adminid' => $adm['adminid'] + )); } } lastStepStatus(0); + + updateToVersion('0.10.0'); } diff --git a/templates/Sparkle/api_keys/keys_key.tpl b/templates/Sparkle/api_keys/keys_key.tpl index 6dafd953..c2854a69 100644 --- a/templates/Sparkle/api_keys/keys_key.tpl +++ b/templates/Sparkle/api_keys/keys_key.tpl @@ -23,6 +23,7 @@
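Review bot: In the `@@ -60,9 +57,14 @@` hunk, correcting `$admin['ip']` to `$adm['ip']` fixes the loop only for installs still on 0.9.39.5; with the old undefined `$admin` the condition was true for every row, so an install that already ran this step has had `-1` rewritten to the JSON string `"-1"`, and nothing here repairs it. Because the first hunk folds the `isFroxlorVersion('0.10.0')` block into the 0.9.39.5 one, those installs would not re-enter this code, and whatever reads `panel_admins.ip` as a login restriction will presumably not recognise the quoted value as unrestricted. A follow-up update step that resets such rows to `-1` would cover them. Separately, `json_encode($adm['ip'])` on a single string stores a JSON string rather than a list, which is worth confirming against the reader given the step is described as allowing multiple addresses, and the comparison would be safer written strictly as `if ($adm['ip'] !== '-1') {`.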