From 1fbb5febbf476266ef8e254d10ea6ea4dd196453 Mon Sep 17 00:00:00 2001
From: Mark Crane
Date: Thu, 5 Mar 2015 09:37:37 +0000
Subject: [PATCH] When deleting the group delete the group user and group permissions. Increase the security by validating the uuid.
---
 core/users/groupdelete.php | 56 ++++++++++++++++++++------
 core/users/userdelete.php | 81 ++++++++++++++++++--------------------
 2 files changed, 83 insertions(+), 54 deletions(-)
diff --git a/core/users/groupdelete.php b/core/users/groupdelete.php
index 3497eeea37..d8caab10fa 100644
--- a/core/users/groupdelete.php
+++ b/core/users/groupdelete.php
@@ -17,7 +17,7 @@ The Initial Developer of the Original Code is Mark J Crane
- Portions created by the Initial Developer are Copyright (C) 2008-2014
+ Portions created by the Initial Developer are Copyright (C) 2008-2015
 the Initial Developer. All Rights Reserved.
 Contributor(s):
@@ -37,18 +37,50 @@ require_once "resources/require.php";
 }
 //get the http value and set as a variable
- $id = check_str($_GET["id"]);
+ $group_uuid = check_str($_GET["id"]);
-//delete the group
- $sql = "delete from v_groups ";
- $sql .= "where group_uuid = '$id' ";
- if (!$db->exec($sql)) {
- //echo $db->errorCode() . "
";
- $info = $db->errorInfo();
- print_r($info);
- // $info[0] == $db->errorCode() unified error code
- // $info[1] is the driver specific error code
- // $info[2] is the driver specific error string
+//validate the uuid
+ if (is_uuid($group_uuid)) {
+ //get the group from v_groups
+ $sql = "select * from v_groups ";
+ $sql .= "where group_uuid = '".$group_uuid."' ";
+ $sql .= "and (domain_uuid = '".$_SESSION['domain_uuid']."' or domain_uuid is null) ";
+ $prep_statement = $db->prepare(check_sql($sql));
+ $prep_statement->execute();
+ $result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
+ foreach ($result as &$row) {
+ $group_name = $row["group_name"];
+ }
+ unset ($prep_statement);
+
+ //delete the group users
+ $sql = "delete from v_group_users ";
+ $sql .= "where group_uuid = '".$group_uuid."' ";
+ $sql .= "and (domain_uuid = '".$_SESSION['domain_uuid']."' or domain_uuid is null) ";
+ if (!$db->exec($sql)) {
+ $error = $db->errorInfo();
+ print_r($error);
+ }
+
+ //delete the group permissions
+ if (strlen($group_name) > 0) {
+ $sql = "delete from v_group_permissions ";
+ $sql .= "where group_name = '".$group_name."' ";
+ $sql .= "and (domain_uuid = '".$_SESSION['domain_uuid']."' or domain_uuid is null) ";
+ if (!$db->exec($sql)) {
+ $error = $db->errorInfo();
+ print_r($error);
+ }
+ }
+
+ //delete the group
+ $sql = "delete from v_groups ";
+ $sql .= "where group_uuid = '".$group_uuid."' ";
+ $sql .= "and (domain_uuid = '".$_SESSION['domain_uuid']."' or domain_uuid is null) ";
+ if (!$db->exec($sql)) {
+ $error = $db->errorInfo();
+ print_r($error);
+ }
 }
 //redirect the user
diff --git a/core/users/userdelete.php b/core/users/userdelete.php
index ff7e48c3a4..2ae0926f76 100644
--- a/core/users/userdelete.php
+++ b/core/users/userdelete.php 
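Review bot: In the v_group_permissions delete, `$group_name` is read back from the database and concatenated straight into the statement with no escaping, so a stored group name containing a quote breaks or widens that delete even though the request id itself now passes `is_uuid()`; the same line is also reached with `$group_name` undefined when the select returns no row, because nothing initialises it before `strlen($group_name)`. The fix is to set `$group_name = '';` after the uuid check and bind the value through a prepared statement, as sketched below. Separately, every `if (!$db->exec($sql))` branch in this hunk and in the userdelete.php hunk treats an affected-row count of 0 as a failure (`exec()` returns an int and `!0` is true), so a delete that matched nothing prints `errorInfo()` for a statement that succeeded; compare with `=== false` instead. The `foreach ($result as &$row)` leaves `$row` bound as a reference after the loop, so iterate by value or `unset($row)` afterwards. The `if (is_uuid(...))` block closes inside the hunk; the script continues past `//redirect the user`.
```php
//validate the uuid
	if (is_uuid($group_uuid)) {
		$group_name = '';
		// … unchanged: select from v_groups …
		foreach ($result as $row) {
			$group_name = $row["group_name"];
		}
		unset ($prep_statement);
		// … unchanged: delete from v_group_users …

		//delete the group permissions, binding the name read back from the database
		if (strlen($group_name) > 0) {
			$sql = "delete from v_group_permissions ";
			$sql .= "where group_name = :group_name ";
			$sql .= "and (domain_uuid = :domain_uuid or domain_uuid is null) ";
			$prep_statement = $db->prepare($sql);
			$prep_statement->bindValue(':group_name', $group_name);
			$prep_statement->bindValue(':domain_uuid', $_SESSION['domain_uuid']);
			if ($prep_statement->execute() === false) {
				print_r($prep_statement->errorInfo());
			}
			unset ($prep_statement);
		}
		// … unchanged: delete from v_groups …
```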
@@ -17,7 +17,7 @@ The Initial Developer of the Original Code is Mark J Crane
- Portions created by the Initial Developer are Copyright (C) 2008-2012
+ Portions created by the Initial Developer are Copyright (C) 2008-2015
 the Initial Developer. All Rights Reserved.
 Contributor(s): 
@@ -41,50 +41,47 @@ else {
 //get the id
 $user_uuid = check_str($_GET["id"]);
-//get the username from v_users
- $sql = "select * from v_users ";
- $sql .= "where domain_uuid = '$domain_uuid' ";
- $sql .= "and user_uuid = '$user_uuid' ";
- $sql .= "and user_enabled = 'true' ";
- $prep_statement = $db->prepare(check_sql($sql));
- $prep_statement->execute();
- $result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
- foreach ($result as &$row) {
- $username = $row["username"];
- break; //limit to 1 row
- }
- unset ($prep_statement);
+//validate the uuid
+ if (is_uuid($user_uuid)) {
+ //get the username from v_users
+ $sql = "select * from v_users ";
+ $sql .= "where user_uuid = '$user_uuid' ";
+ $sql .= "and domain_uuid = '$domain_uuid' ";
+ $prep_statement = $db->prepare(check_sql($sql));
+ $prep_statement->execute();
+ $result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
+ foreach ($result as &$row) {
+ $username = $row["username"];
+ }
+ unset ($prep_statement);
-//required to be a superadmin to delete a member of the superadmin group
- $superadmin_list = superadmin_list($db);
- if (if_superadmin($superadmin_list, $user_uuid)) {
- if (!if_group("superadmin")) {
- //access denied - do not delete the user
- header("Location: index.php");
- return;
- }
- }
+ //required to be a superadmin to delete a member of the superadmin group
+ $superadmin_list = superadmin_list($db);
+ if (if_superadmin($superadmin_list, $user_uuid)) {
+ if (!if_group("superadmin")) {
+ //access denied - do not delete the user
+ header("Location: index.php");
+ return;
+ }
+ }
-//delete the user
- $sql_delete = "delete from v_users ";
- $sql_delete .= "where domain_uuid = '$domain_uuid' ";
- $sql_delete .= "and user_uuid = '$user_uuid' ";
- if (!$db->exec($sql_delete)) {
- //echo $db->errorCode() . "
";
- $info = $db->errorInfo();
- print_r($info);
- // $info[0] == $db->errorCode() unified error code
- // $info[1] is the driver specific error code
- // $info[2] is the driver specific error string
- }
+ //delete the groups the user is assigned to
+ $sql = "delete from v_group_users ";
+ $sql .= "where user_uuid = '$user_uuid' ";
+ $sql .= "and domain_uuid = '$domain_uuid' ";
+ if (!$db->exec($sql)) {
+ $info = $db->errorInfo();
+ print_r($info);
+ }
-//delete the groups the user is assigned to
- $sql_delete = "delete from v_group_users ";
- $sql_delete .= "where domain_uuid = '$domain_uuid' ";
- $sql_delete .= "and user_uuid = '$user_uuid' ";
- if (!$db->exec($sql_delete)) {
- $info = $db->errorInfo();
- print_r($info);
+ //delete the user
+ $sql = "delete from v_users ";
+ $sql .= "where user_uuid = '$user_uuid' ";
+ $sql .= "and domain_uuid = '$domain_uuid' ";
+ if (!$db->exec($sql)) {
+ $info = $db->errorInfo();
+ print_r($info);
+ }
 }
 //redirect the user
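Review bot: The two deletes run as independent autocommit statements, so if `delete from v_users` fails after `delete from v_group_users` has already succeeded, the account survives with its group memberships stripped and the page still redirects as if the deletion completed; wrapping both in `$db->beginTransaction();` before the first delete and `$db->commit();` after the second, with `$db->rollBack();` in each error branch, keeps the two tables consistent. `$username` is collected from the select but is not read anywhere in the hunk; if nothing further down the file uses it the lookup can go, and either way the `foreach ($result as &$row)` should iterate by value or `unset($row)` afterwards so the reference does not linger. `$domain_uuid` is interpolated into every statement and is presumably set from the session earlier in the file, but the hunk does not show its origin, so it is worth confirming it is not taken from the request. The `if (is_uuid(...))` block closes inside the hunk; the script continues past `//redirect the user`.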