Secure deletion, roles

Discussion in 'General' started by mrtnzlml, Feb 24, 2013.

  1. mrtnzlml

    mrtnzlml New Member

    I have a handler for the URL handleDeleteFTP($ftp_user_id). This function calls sites_ftp_user_delete from ISPConfig. But there is a problem with security, because one of the GET parameters is ftp_user_id and everyone (if they are logged in) can change this id and send it. How can I check the owner of the record they want to delete? The ISPConfig remote API is still a little bit magic for me...

    Second problem. I use this function for login:
    $result = $this->client->client_get($this->session_id, array('username' => $username));
    Everything is OK, but I need to know the roles of users. $result contains no information to identify users by role. I need to know if a user is in the admin role or not...

    Thanks for any clue.
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The API has admin permissions, so it is intended that the API can delete FTP users independent of the owner. If you want to know the owner of a record, fetch it with the get function; the permissions are stored in the sys_ fields.

    The records you get with that function are clients and not admins, so none of these records is an admin. If you want to know if one of the clients is a reseller, then check the parent_client_id field; if it is > 0, then this client is a reseller.
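The ownership check and the reseller check described in the reply above, written out as an added example (this is not code from the thread or from ISPConfig itself). It assumes the standard ISPConfig remote SOAP API (login, client_get, sites_ftp_user_get, sites_ftp_user_delete, logout), that client_get called with a filter array returns a list of client records, that an FTP user belongs to a client when the record's sys_groupid equals the client's sys_groupid, and that the SOAP URL and remote-user credentials are placeholders to be replaced. The web application's own session is assumed to have already authenticated the user by username.

```php
<?php
// Added example; not from the forum thread or ISPConfig's own code.
// Placeholders: replace with your ISPConfig host and a remote user.
$soap_location = 'https://ispconfig.example.com:8080/remote/index.php'; // placeholder
$soap_uri      = 'https://ispconfig.example.com:8080/remote/';          // placeholder
$remote_user   = 'REMOTE_USER';      // placeholder
$remote_pass   = 'REMOTE_PASSWORD';  // placeholder

$client = new SoapClient(null, array(
    'location'   => $soap_location,
    'uri'        => $soap_uri,
    'trace'      => 1,
    'exceptions' => 1,
));

/**
 * Look up the client record for the web-app user (the call from the question).
 * Assumption: a filter array returns a list of records; we take the first one.
 */
function find_client(SoapClient $client, $session_id, $username)
{
    $result = $client->client_get($session_id, array('username' => $username));
    if (!is_array($result) || count($result) === 0) {
        return null;
    }
    return isset($result[0]) ? $result[0] : $result;
}

/**
 * Per the reply: a client with parent_client_id > 0 is a reseller.
 * Nothing returned by client_get is ever an admin.
 */
function is_reseller(array $client_record)
{
    return isset($client_record['parent_client_id'])
        && (int) $client_record['parent_client_id'] > 0;
}

/**
 * The remote API runs with admin rights, so the application must verify
 * ownership itself: fetch the FTP record and compare its sys_ fields
 * (assumption: same sys_groupid means same client) before deleting.
 */
function ftp_user_owned_by(SoapClient $client, $session_id, $ftp_user_id, array $client_record)
{
    $record = $client->sites_ftp_user_get($session_id, (int) $ftp_user_id);
    if (!is_array($record) || empty($record['sys_groupid'])) {
        return false; // unknown or empty record: treat as not owned
    }
    return (int) $record['sys_groupid'] === (int) $client_record['sys_groupid'];
}

/** Replacement for a handler that previously trusted the GET parameter as-is. */
function handle_delete_ftp(SoapClient $client, $session_id, $ftp_user_id, array $client_record)
{
    if (!ftp_user_owned_by($client, $session_id, $ftp_user_id, $client_record)) {
        error_log(sprintf('refused ftp_user_id %d: not owned by client %d',
            (int) $ftp_user_id, (int) $client_record['client_id']));
        return false;
    }
    $client->sites_ftp_user_delete($session_id, (int) $ftp_user_id);
    return true;
}

// Usage, e.g. inside the web app's delete handler.
$username    = 'webuser';                          // from the app's own session
$ftp_user_id = isset($_GET['ftp_user_id']) ? (int) $_GET['ftp_user_id'] : 0;

try {
    $session_id = $client->login($remote_user, $remote_pass);
    $me = find_client($client, $session_id, $username);
    if ($me === null) {
        echo "unknown client\n";
    } else {
        echo is_reseller($me) ? "role: reseller\n" : "role: client\n";
        echo handle_delete_ftp($client, $session_id, $ftp_user_id, $me)
            ? "deleted\n" : "forbidden\n";
    }
    $client->logout($session_id);
} catch (SoapFault $e) {
    error_log('ISPConfig remote API error: ' . $e->getMessage());
}
```

The sys_userid field can be compared in the same way if your application maps web users to individual ISPConfig users rather than to a client's group; which field is right depends on how the records were created, so inspect one record returned by sites_ftp_user_get before relying on either.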
