force admin email addresses to be unique and not be used for customers, fixes GHSA-7j6w-p859-464f

Signed-off-by: Michael Kaufmann <d00p@froxlor.org>

lib/Froxlor/Api/Commands/Admins.php

@@ -287,6 +287,15 @@ class Admins extends ApiCommand implements ResourceEntity
 				'login' => $loginname
 			], true, true);
 
+			// Check for existing email address
+			// do not check via api as we skip any permission checks for this task
+			$email_check_admin_stmt = Database::prepare("
+				SELECT `email` FROM `" . TABLE_PANEL_ADMINS . "` WHERE `email` = :email
+			");
+			$email_check_admin = Database::pexecute_first($email_check_admin_stmt, [
+				'email' => $email
+			], true, true);
+
 			if (($loginname_check && strtolower($loginname_check['loginname']) == strtolower($loginname)) || ($loginname_check_admin && strtolower($loginname_check_admin['loginname']) == strtolower($loginname))) {
 				Response::standardError('loginnameexists', $loginname, true);
 			} elseif (preg_match('/^' . preg_quote(Settings::Get('customer.accountprefix'), '/') . '([0-9]+)/', $loginname)) {
@@ -298,6 +307,8 @@ class Admins extends ApiCommand implements ResourceEntity
 				Response::standardError('loginnameiswrong', $loginname, true);
 			} elseif (!Validate::validateEmail($email)) {
 				Response::standardError('emailiswrong', $email, true);
+			} elseif ($email_check_admin && strtolower($email_check_admin['email']) == strtolower($email)) {
+				Response::standardError('emailexists', $email, true);
 			} else {
 				if ($customers_see_all != '1') {
 					$customers_see_all = '0';
@@ -610,8 +621,20 @@ class Admins extends ApiCommand implements ResourceEntity
 						'admin.email'
 					], '', true);
 				}
+				// Check for existing email address
+				// do not check via api as we skip any permission checks for this task
+				$email_check_admin_stmt = Database::prepare("
+					SELECT `email` FROM `" . TABLE_PANEL_ADMINS . "` WHERE `email` = :email and `adminid` <> :adminid
+				");
+				$email_check_admin = Database::pexecute_first($email_check_admin_stmt, [
+					'email' => $email,
+					'adminid' => $id,
+				], true, true);
+
 				if (!Validate::validateEmail($email)) {
 					Response::standardError('emailiswrong', $email, true);
+				} elseif ($email_check_admin && strtolower($email_check_admin['email']) == strtolower($email)) {
+					Response::standardError('emailexists', $email, true);
 				} else {
 					if ($deactivated != '1') {
 						$deactivated = '0';

lib/Froxlor/Api/Commands/Customers.php

@@ -505,6 +505,15 @@ class Customers extends ApiCommand implements ResourceEntity
 						'login' => $loginname
 					], true, true);
 
+					// Check for existing email address
+					// do not check via api as we skip any permission checks for this task
+					$email_check_admin_stmt = Database::prepare("
+						SELECT `email` FROM `" . TABLE_PANEL_ADMINS . "` WHERE `email` = :email
+					");
+					$email_check_admin = Database::pexecute_first($email_check_admin_stmt, [
+						'email' => $email
+					], true, true);
+
 					$mysql_maxlen = Database::getSqlUsernameLength() - strlen(Settings::Get('customer.mysqlprefix'));
 					if (($loginname_check && strtolower($loginname_check['loginname']) == strtolower($loginname)) || ($loginname_check_admin && strtolower($loginname_check_admin['loginname']) == strtolower($loginname))) {
 						Response::standardError('loginnameexists', $loginname, true);
@@ -514,6 +523,8 @@ class Customers extends ApiCommand implements ResourceEntity
 						} else {
 							Response::standardError('loginnameiswrong', $loginname, true);
 						}
+					} elseif ($email_check_admin && strtolower($email_check_admin['email']) == strtolower($email)) {
+						Response::standardError('emailexistsanon', $email, true);
 					}
 
 					$guid = intval(Settings::Get('system.lastguid')) + 1;
@@ -1243,6 +1254,18 @@ class Customers extends ApiCommand implements ResourceEntity
 				], '', true);
 			} elseif (!Validate::validateEmail($email)) {
 				Response::standardError('emailiswrong', $email, true);
+			} else {
+				// Check for existing email address
+				// do not check via api as we skip any permission checks for this task
+				$email_check_admin_stmt = Database::prepare("
+						SELECT `email` FROM `" . TABLE_PANEL_ADMINS . "` WHERE `email` = :email
+					");
+				$email_check_admin = Database::pexecute_first($email_check_admin_stmt, [
+					'email' => $email
+				], true, true);
+				if ($email_check_admin && strtolower($email_check_admin['email']) == strtolower($email)) {
+					Response::standardError('emailexistsanon', $email, true);
+				}
 			}
 		}