Old 26th February 2013, 09:53
till
Super Moderator

I have a handle for the URL handleDeleteFTP($ftp_user_id). This function calls sites_ftp_user_delete from ISPConfig. But there is a problem with security, because one of the GET parameters is ftp_user_id and everyone (if they are logged in) can change this id and send it. How can I check the owner of the record to be deleted? The ISPConfig remote API is still a little bit magic for me...
The API has admin permissions, so it is intended that the API can delete FTP users independent of the owner. If you want to know the owner of a record, fetch it with the get function; the permissions are stored in the sys_ fields.

Second problem. I use this function for login:
$result = $this->client->client_get($this->session_id, array('username' => $username));
Everything is OK, but I need to know the roles of users. $result contains no information to identify users by role. I need to know if a user is in the admin role or not...
The records you get with that function are clients and not admins, so none of these records is an admin. If you want to know if one of the clients is a reseller, then check the parent_client_id field; if it is > 0, then this client is a reseller.
Till Brehm
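The check described in the reply above, sketched as an added example that is not part of the original post and not ISPConfig code: fetch the record with the get function and compare its sys_ owner field to the logged-in client before calling delete. Assumptions: `sys_groupid` is the ownership field to compare, `$callerGroupId` was resolved at login and is kept server-side, `sites_ftp_user_get` takes the same arguments as the delete call, and `FakeIspconfigApi` is a constructed stand-in for the SOAP client so the code runs offline.

```php
<?php
// Added example. The API session has admin rights, so the calling
// application has to enforce ownership itself before deleting.
function deleteFtpUserIfOwned($api, string $sessionId, $ftpUserId, int $callerGroupId): bool
{
    // The id arrives as a GET parameter: accept positive integers only.
    $id = filter_var($ftpUserId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return false;
    }
    // Fetch the record first and read its sys_ fields.
    $record = $api->sites_ftp_user_get($sessionId, $id);
    if (!is_array($record) || !isset($record['sys_groupid'])) {
        return false; // unknown id gets the same answer as a foreign id
    }
    // Assumption: sys_groupid identifies the owning client group.
    if ((int)$record['sys_groupid'] !== $callerGroupId) {
        error_log("denied FTP delete: id=$id caller_group=$callerGroupId");
        return false;
    }
    return (bool)$api->sites_ftp_user_delete($sessionId, $id);
}

// Constructed stand-in for the remote API client, with constructed records.
class FakeIspconfigApi
{
    public $ftpUsers = [
        7 => ['ftp_user_id' => 7, 'username' => 'web1_alice', 'sys_groupid' => 2],
        8 => ['ftp_user_id' => 8, 'username' => 'web2_bob', 'sys_groupid' => 3],
    ];
    public function sites_ftp_user_get($sessionId, $id)
    {
        return $this->ftpUsers[$id] ?? false;
    }
    public function sites_ftp_user_delete($sessionId, $id)
    {
        unset($this->ftpUsers[$id]);
        return 1;
    }
}

$api = new FakeIspconfigApi();
// Caller belongs to group 2 in all three calls.
var_dump(deleteFtpUserIfOwned($api, 'sess', '8', 2));      // record owned by group 3
var_dump(deleteFtpUserIfOwned($api, 'sess', '7', 2));      // caller's own record
var_dump(deleteFtpUserIfOwned($api, 'sess', '7 OR 1', 2)); // non-integer id
```

With the real SOAP client, wrap the calls in a try/catch for `SoapFault` and treat a fault as a refusal.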