Secure deletion, roles

mrtnzlml, 24th February 2013, 15:34

Hi!
I have a handle for the URL, handleDeleteFTP($ftp_user_id). This function calls sites_ftp_user_delete from ISPConfig. But there is a problem with security, because one of the GET parameters is ftp_user_id and everyone (if they are logged in) can change this id and send it. How can I check the owner of the record that they want to delete? The ISPConfig remote API is still a little bit magic for me...

Second problem. I use this function for login:
$result = $this->client->client_get($this->session_id, array('username' => $username));
Everything is OK, but I need to know the roles of users. $result contains no information to identify users by role. I need to know whether a user is in the admin role or not...

Thanks for any clue.

till, 26th February 2013, 08:53

Quote:
I have a handle for the URL, handleDeleteFTP($ftp_user_id). This function calls sites_ftp_user_delete from ISPConfig. But there is a problem with security, because one of the GET parameters is ftp_user_id and everyone (if they are logged in) can change this id and send it. How can I check the owner of the record that they want to delete? The ISPConfig remote API is still a little bit magic for me...
The API has admin permissions, so it is intended that the API can delete FTP users independent of the owner. If you want to know the owner of a record, fetch it with the get function; the permissions are stored in the sys_ fields.

Quote:
Second problem. I use this function for login:
$result = $this->client->client_get($this->session_id, array('username' => $username));
Everything is OK, but I need to know the roles of users. $result contains no information to identify users by role. I need to know whether a user is in the admin role or not...
The records you get with that function are clients and not admins, so none of these records is an admin. If you want to know if one of the clients is a reseller, then check the parent_client_id field; if it is > 0, then this client is a reseller.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
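
The ownership check suggested in the reply above, as an added example that is not part of the original thread and is not ISPConfig's own code. It assumes the remote API methods sites_ftp_user_get and client_get_groupid and the sys_groupid field behave as in ISPConfig 3, and that the client id is taken from the server-side login session; deleteFtpUserIfOwned and FakeIspconfigApi are hypothetical names, the latter a constructed stand-in for the SOAP client.

```php
<?php
// Added example. $api is any object exposing the ISPConfig remote API methods
// (normally a SoapClient). Method names and sys_groupid are assumptions to
// verify against your ISPConfig version.
function deleteFtpUserIfOwned($api, string $sessionId, int $clientId, $ftpUserId): bool
{
    // The id arrives as a GET parameter: accept positive integers only.
    $id = filter_var($ftpUserId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return false;
    }
    // The API session has admin rights, so ownership must be checked here.
    $record = $api->sites_ftp_user_get($sessionId, $id);
    if (!is_array($record) || !isset($record['sys_groupid'])) {
        return false; // unknown record: fail closed
    }
    // $clientId must come from the server-side login session, never the request.
    $ownGroup = (int) $api->client_get_groupid($sessionId, $clientId);
    if ($ownGroup <= 0 || (int) $record['sys_groupid'] !== $ownGroup) {
        return false; // record belongs to another client
    }
    $api->sites_ftp_user_delete($sessionId, $id);
    return true;
}

// Constructed stand-in for the SOAP client so the example runs offline.
final class FakeIspconfigApi
{
    public array $ftpUsers = [7 => ['sys_groupid' => 3], 8 => ['sys_groupid' => 4]];
    public array $groups = [1 => 3, 2 => 4]; // client_id => sys_groupid
    public function sites_ftp_user_get(string $s, int $id)
    {
        return $this->ftpUsers[$id] ?? false;
    }
    public function client_get_groupid(string $s, int $clientId)
    {
        return $this->groups[$clientId] ?? false;
    }
    public function sites_ftp_user_delete(string $s, int $id)
    {
        unset($this->ftpUsers[$id]);
        return 1;
    }
}

$api = new FakeIspconfigApi();
var_dump(deleteFtpUserIfOwned($api, 'sess', 1, '8'));    // another client's record
var_dump(deleteFtpUserIfOwned($api, 'sess', 1, '7'));    // the caller's own record
var_dump(deleteFtpUserIfOwned($api, 'sess', 1, '7abc')); // not an integer
```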