check for given customer loginname/id before anything happens in Mysqls.add/update/delete when called as admin; fixes #749

Signed-off-by: Michael Kaufmann <d00p@froxlor.org>

lib/Froxlor/Api/Commands/Mysqls.php

@@ -34,7 +34,9 @@ class Mysqls extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEnt
 	 * @param bool $sendinfomail
 	 *        	optional, send created resource-information to customer, default: false
 	 * @param int $customerid
-	 *        	required when called as admin, not needed when called as customer
+	 *        	optional, admin-only, the customer-id
+	 * @param string $loginname
+	 *        	optional, admin-only, the loginname
 	 *        	
 	 * @access admin, customer
 	 * @throws \Exception
@@ -42,8 +44,6 @@ class Mysqls extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEnt
 	 */
 	public function add()
 	{
-		if ($this->getUserDetail('mysqls_used') < $this->getUserDetail('mysqls') || $this->getUserDetail('mysqls') == '-1') {
-
 		// required paramters
 		$password = $this->getParam('mysql_password');
 
@@ -51,6 +51,8 @@ class Mysqls extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEnt
 		$dbserver = $this->getParam('mysql_server', true, 0);
 		$databasedescription = $this->getParam('description', true, '');
 		$sendinfomail = $this->getBoolParam('sendinfomail', true, 0);
+		// get needed customer info to reduce the mysql-usage-counter by one
+		$customer = $this->getCustomerData('mysqls');
 
 		// validation
 		$password = \Froxlor\Validate\Validate::validate($password, 'password', '', '', array(), true);
@@ -71,9 +73,6 @@ class Mysqls extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEnt
 			$sendinfomail = 0;
 		}
 
-			// get needed customer info to reduce the mysql-usage-counter by one
-			$customer = $this->getCustomerData('mysqls');
-
 		$newdb_params = array(
 			'loginname' => ($this->isAdmin() ? $customer['loginname'] : $this->getUserDetail('loginname')),
 			'mysql_lastaccountnumber' => ($this->isAdmin() ? $customer['mysql_lastaccountnumber'] : $this->getUserDetail('mysql_lastaccountnumber'))
@@ -168,8 +167,6 @@ class Mysqls extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEnt
 		));
 		return $this->response(200, "successfull", $result);
 	}
-		throw new \Exception("No more resources available", 406);
-	}
 
 	/**
 	 * return a mysql database entry by either id or dbname
@@ -276,6 +273,10 @@ class Mysqls extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEnt
 	 *        	optional, update password for the database
 	 * @param string $description
 	 *        	optional, description for database
+	 * @param int $customerid
+	 *        	optional, admin-only, the customer-id
+	 * @param string $loginname
+	 *        	optional, admin-only, the loginname
 	 *        	
 	 * @access admin, customer
 	 * @throws \Exception
@@ -287,6 +288,7 @@ class Mysqls extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEnt
 		$dn_optional = ($id <= 0 ? false : true);
 		$dbname = $this->getParam('dbname', $dn_optional, '');
 		$dbserver = $this->getParam('mysql_server', true, - 1);
+		$customer = $this->getCustomerData();
 
 		if ($this->isAdmin() == false && Settings::IsInList('panel.customer_hide_options', 'mysql')) {
 			throw new \Exception("You cannot access this resource", 405);
@@ -307,9 +309,6 @@ class Mysqls extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEnt
 		$password = \Froxlor\Validate\Validate::validate($password, 'password', '', '', array(), true);
 		$databasedescription = \Froxlor\Validate\Validate::validate(trim($databasedescription), 'description', '', '', array(), true);
 
-		// get needed customer info to reduce the mysql-usage-counter by one
-		$customer = $this->getCustomerData();
-
 		if ($password != '') {
 			// validate password
 			$password = \Froxlor\System\Crypt::validatePassword($password, true);
@@ -380,8 +379,7 @@ class Mysqls extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEnt
 		$query_fields = array();
 		$result_stmt = Database::prepare("
 			SELECT * FROM `" . TABLE_PANEL_DATABASES . "`
-			WHERE `customerid`= :customerid AND `dbserver` = :dbserver". $this->getSearchWhere($query_fields, true) . $this->getOrderBy() . $this->getLimit()
-		);
+			WHERE `customerid`= :customerid AND `dbserver` = :dbserver" . $this->getSearchWhere($query_fields, true) . $this->getOrderBy() . $this->getLimit());
 		if ($dbserver < 0) {
 			// use all dbservers
 			$dbservers_stmt = Database::query("SELECT DISTINCT `dbserver` FROM `" . TABLE_PANEL_DATABASES . "`");
@@ -459,6 +457,10 @@ class Mysqls extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEnt
 	 *        	optional, the databasename
 	 * @param int $mysql_server
 	 *        	optional, specify database-server, default is none
+	 * @param int $customerid
+	 *        	optional, admin-only, the customer-id
+	 * @param string $loginname
+	 *        	optional, admin-only, the loginname
 	 *        	
 	 * @access admin, customer
 	 * @throws \Exception
@@ -470,6 +472,7 @@ class Mysqls extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEnt
 		$dn_optional = ($id <= 0 ? false : true);
 		$dbname = $this->getParam('dbname', $dn_optional, '');
 		$dbserver = $this->getParam('mysql_server', true, - 1);
+		$customer = $this->getCustomerData();
 
 		if ($this->isAdmin() == false && Settings::IsInList('panel.customer_hide_options', 'mysql')) {
 			throw new \Exception("You cannot access this resource", 405);
@@ -496,7 +499,6 @@ class Mysqls extends \Froxlor\Api\ApiCommand implements \Froxlor\Api\ResourceEnt
 		), true, true);
 
 		// get needed customer info to reduce the mysql-usage-counter by one
-		$customer = $this->getCustomerData();
 		$mysql_used = $customer['mysqls_used'];
 
 		// reduce mysql-usage-counter