nsinnovations/fusionpbx
2
0
Fork 0
mirror of https://github.com/fusionpbx/fusionpbx.git synced 2026-01-08 04:33:49 +00:00
Code Issues Packages Projects Releases Wiki Activity

When deleting the group delete the group user and group permissions. Increase the security by validating the uuid.

Browse Source
This commit is contained in:
Mark Crane
2015-03-05 09:37:37 +00:00
parent 1c4a197b7c
commit 1fbb5febbf
2 changed files with 83 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
core/users/groupdelete.php
View File

@@ -17,7 +17,7 @@
The Initial Developer of the Original Code is
Mark J Crane <markjcrane@fusionpbx.com>
Portions created by the Initial Developer are Copyright (C) 2008-2014
Portions created by the Initial Developer are Copyright (C) 2008-2015
the Initial Developer. All Rights Reserved.
Contributor(s):
@@ -37,18 +37,50 @@ require_once "resources/require.php";
}
//get the http value and set as a variable
$id = check_str($_GET["id"]);
$group_uuid = check_str($_GET["id"]);
//delete the group
$sql = "delete from v_groups ";
$sql .= "where group_uuid = '$id' ";
if (!$db->exec($sql)) {
//echo $db->errorCode() . "<br>";
$info = $db->errorInfo();
print_r($info);
// $info[0] == $db->errorCode() unified error code
// $info[1] is the driver specific error code
// $info[2] is the driver specific error string
//validate the uuid
if (is_uuid($group_uuid)) {
//get the group from v_groups
$sql = "select * from v_groups ";
$sql .= "where group_uuid = '".$group_uuid."' ";
$sql .= "and (domain_uuid = '".$_SESSION['domain_uuid']."' or domain_uuid is null) ";
$prep_statement = $db->prepare(check_sql($sql));
$prep_statement->execute();
$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
foreach ($result as &$row) {
$group_name = $row["group_name"];
}
unset ($prep_statement);
//delete the group users
$sql = "delete from v_group_users ";
$sql .= "where group_uuid = '".$group_uuid."' ";
$sql .= "and (domain_uuid = '".$_SESSION['domain_uuid']."' or domain_uuid is null) ";
if (!$db->exec($sql)) {
$error = $db->errorInfo();
print_r($error);
}
//delete the group permissions
if (strlen($group_name) > 0) {
$sql = "delete from v_group_permissions ";
$sql .= "where group_name = '".$group_name."' ";
$sql .= "and (domain_uuid = '".$_SESSION['domain_uuid']."' or domain_uuid is null) ";
if (!$db->exec($sql)) {
$error = $db->errorInfo();
print_r($error);
}
}
//delete the group
$sql = "delete from v_groups ";
$sql .= "where group_uuid = '".$group_uuid."' ";
$sql .= "and (domain_uuid = '".$_SESSION['domain_uuid']."' or domain_uuid is null) ";
if (!$db->exec($sql)) {
$error = $db->errorInfo();
print_r($error);
}
}
//redirect the user