diff --git a/cp/app/Controllers/ContactsController.php b/cp/app/Controllers/ContactsController.php
index 3973351..22f9a03 100644
--- a/cp/app/Controllers/ContactsController.php
+++ b/cp/app/Controllers/ContactsController.php
@@ -906,10 +906,26 @@ class ContactsController extends Controller
 throw new \RuntimeException('Audit table is empty or not configured');
 }
- $contact = $db->selectRow('SELECT id, identifier FROM contact WHERE identifier = ?',
+ $contact = $db->selectRow('SELECT id, identifier, clid FROM contact WHERE identifier = ?',
 [ $args ]);
 if ($contact) {
+ $registrars = $db->selectRow('SELECT id, clid, name FROM registrar WHERE id = ?', [$contact['clid']]);
+
+ // Check if the user is not an admin (assuming role 0 is admin)
+ if ($_SESSION["auth_roles"] != 0) {
+ $userRegistrars = $db->select('SELECT registrar_id FROM registrar_users WHERE user_id = ?', [$_SESSION['auth_user_id']]);
+
+ // Assuming $userRegistrars returns an array of arrays, each containing 'registrar_id'
+ $userRegistrarIds = array_column($userRegistrars, 'registrar_id');
+
+ // Check if the registrar's ID is in the user's list of registrar IDs
+ if (!in_array($registrars['id'], $userRegistrarIds)) {
+ // Redirect to the contacts view if the user is not authorized for this contact
+ return $response->withHeader('Location', '/contacts')->withStatus(302);
+ }
+ }
+
 $history = $db_audit->select(
 'SELECT * FROM contact WHERE identifier = ? ORDER BY audit_timestamp DESC, audit_rownum ASC',
 [$args]
diff --git a/cp/app/Controllers/DomainsController.php b/cp/app/Controllers/DomainsController.php
index e26c7e5..5485eba 100644
--- a/cp/app/Controllers/DomainsController.php
+++ b/cp/app/Controllers/DomainsController.php
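Review bot: The admin test `if ($_SESSION["auth_roles"] != 0)` fails open: under loose comparison a missing `auth_roles` key (null), `false`, `''` and `'0'` all equal `0`, and on PHP 7 any non-numeric role string does too, so such a session skips the registrar-membership lookup entirely and is shown the contact's audit history. Make the test explicit and strict, e.g. `if (!isset($_SESSION['auth_roles']) || (int) $_SESSION['auth_roles'] !== 0) {`, and pass `true` as the third argument to `in_array` after casting both `$registrars['id']` and the `registrar_id` values to int, so a string/int mismatch between the two columns cannot quietly change the outcome. The comment already flags "role 0 is admin" as an assumption; now that it is an authorization boundary it should be confirmed against wherever the session is populated, which is not visible here. The enclosing method starts before this hunk.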
@@ -1078,10 +1078,26 @@ class DomainsController extends Controller
 throw new \RuntimeException('Audit table is empty or not configured');
 }
- $domain = $db->selectRow('SELECT id,name FROM domain WHERE name = ?',
+ $domain = $db->selectRow('SELECT id, name, clid FROM domain WHERE name = ?',
 [ $args ]);
 if ($domain) {
+ $registrars = $db->selectRow('SELECT id, clid, name FROM registrar WHERE id = ?', [$domain['clid']]);
+
+ // Check if the user is not an admin (assuming role 0 is admin)
+ if ($_SESSION["auth_roles"] != 0) {
+ $userRegistrars = $db->select('SELECT registrar_id FROM registrar_users WHERE user_id = ?', [$_SESSION['auth_user_id']]);
+
+ // Assuming $userRegistrars returns an array of arrays, each containing 'registrar_id'
+ $userRegistrarIds = array_column($userRegistrars, 'registrar_id');
+
+ // Check if the registrar's ID is in the user's list of registrar IDs
+ if (!in_array($registrars['id'], $userRegistrarIds)) {
+ // Redirect to the domains view if the user is not authorized for this contact
+ return $response->withHeader('Location', '/domains')->withStatus(302);
+ }
+ }
+
 $history = $db_audit->select(
 'SELECT * FROM domain WHERE name = ? ORDER BY audit_timestamp DESC, audit_rownum ASC',
 [$args]
diff --git a/cp/app/Controllers/HostsController.php b/cp/app/Controllers/HostsController.php
index 224379e..0219512 100644
--- a/cp/app/Controllers/HostsController.php
+++ b/cp/app/Controllers/HostsController.php
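Review bot: The `SELECT id, clid, name FROM registrar WHERE id = ?` lookup adds nothing to the decision: `$registrars['id']` can only ever equal `$domain['clid']`, and when no registrar row exists `$registrars` is `false`, so `$registrars['id']` reads as `null` (with a warning) and the membership test is then a loose `in_array` with a `null` needle. Drop the extra query and compare the domain's own `clid`, failing closed when it is absent: `if ($domain['clid'] === null || !in_array((int) $domain['clid'], array_map('intval', $userRegistrarIds), true)) {`. The comment on the redirect was copied from the contacts controller and still says "not authorized for this contact"; here it should read `// Redirect to the domains view if the user is not authorized for this domain`. The surrounding method begins outside the hunk.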
@@ -316,10 +316,26 @@ class HostsController extends Controller
 }
 }
- $host = $db->selectRow('SELECT id, name FROM host WHERE name = ?',
+ $host = $db->selectRow('SELECT id, name, clid FROM host WHERE name = ?',
 [ $args ]);
 if ($host) {
+ $registrars = $db->selectRow('SELECT id, clid, name FROM registrar WHERE id = ?', [$host['clid']]);
+
+ // Check if the user is not an admin (assuming role 0 is admin)
+ if ($_SESSION["auth_roles"] != 0) {
+ $userRegistrars = $db->select('SELECT registrar_id FROM registrar_users WHERE user_id = ?', [$_SESSION['auth_user_id']]);
+
+ // Assuming $userRegistrars returns an array of arrays, each containing 'registrar_id'
+ $userRegistrarIds = array_column($userRegistrars, 'registrar_id');
+
+ // Check if the registrar's ID is in the user's list of registrar IDs
+ if (!in_array($registrars['id'], $userRegistrarIds)) {
+ // Redirect to the hosts view if the user is not authorized for this host
+ return $response->withHeader('Location', '/hosts')->withStatus(302);
+ }
+ }
+
 try {
 $exists = $db_audit->selectValue('SELECT 1 FROM domain LIMIT 1');
 } catch (\PDOException $e) {
diff --git a/cp/app/Controllers/RegistrarsController.php b/cp/app/Controllers/RegistrarsController.php
index 4a697e9..ca8f1fc 100644
--- a/cp/app/Controllers/RegistrarsController.php
+++ b/cp/app/Controllers/RegistrarsController.php
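Review bot: This is the third verbatim copy of the same registrar-membership block (ContactsController and DomainsController carry it above, RegistrarsController a near copy below), so any correction to the admin test or the membership query has to be repeated in four controllers and can drift. All four classes `extend Controller` per the hunk headers, so the check belongs in one protected helper on that base class with each controller reduced to a single guard; the sketch below also makes the admin test strict, fails closed on a missing `clid` or session user, and drops the redundant `registrar` lookup. Whether the base `Controller` already has a natural home for this is outside the hunk, as is the start of the enclosing HostsController method.
```php
// In the shared base Controller (outside this hunk):
/** True when the session user is an admin or is linked to $registrarId via registrar_users. */
protected function userMayAccessRegistrar($db, $registrarId): bool
{
    // Role 0 is treated as admin — confirm against the code that fills $_SESSION['auth_roles'].
    if (isset($_SESSION['auth_roles']) && (int) $_SESSION['auth_roles'] === 0) {
        return true;
    }
    if ($registrarId === null || !isset($_SESSION['auth_user_id'])) {
        return false;
    }
    $rows = $db->select('SELECT registrar_id FROM registrar_users WHERE user_id = ?', [$_SESSION['auth_user_id']]);
    $ids = array_map('intval', array_column($rows, 'registrar_id'));
    return in_array((int) $registrarId, $ids, true);
}

// In HostsController, replacing the added block after `if ($host) {`:
if (!$this->userMayAccessRegistrar($db, $host['clid'])) {
    return $response->withHeader('Location', '/hosts')->withStatus(302);
}
// … unchanged: audit-table probe and history query …
```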
@@ -427,6 +427,20 @@ class RegistrarsController extends Controller
 [ $args ]);
 if ($registrar) {
+ // Check if the user is not an admin
+ if ($_SESSION["auth_roles"] != 0) {
+ $userRegistrars = $db->select('SELECT registrar_id FROM registrar_users WHERE user_id = ?', [$_SESSION['auth_user_id']]);
+
+ // Assuming $userRegistrars returns an array of arrays, each containing 'registrar_id'
+ $userRegistrarIds = array_column($userRegistrars, 'registrar_id');
+
+ // Check if the registrar's ID is in the user's list of registrar IDs
+ if (!in_array($registrar['id'], $userRegistrarIds)) {
+ // Redirect to the registrars view if the user is not authorized for this contact
+ return $response->withHeader('Location', '/registrars')->withStatus(302);
+ }
+ }
+
 try {
 $exists = $db_audit->selectValue('SELECT 1 FROM domain LIMIT 1');
 } catch (\PDOException $e) {
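Review bot: The comment `// Redirect to the registrars view if the user is not authorized for this contact` was carried over from ContactsController; the object guarded here is the registrar itself, so it should say `// Redirect to the registrars view if the user is not authorized for this registrar`. On the denial itself, a bare 302 to `/registrars` is indistinguishable from ordinary navigation and leaves no trace, so consider a 403 response, or at least logging `auth_user_id` and the requested registrar before redirecting, so probing of other registrars' audit records is visible in security operations. As in the sibling controllers, `in_array($registrar['id'], $userRegistrarIds)` should pass `true` as its strict flag once both sides are cast to int, and `$_SESSION["auth_roles"] != 0` should become an `isset` plus `!== 0` test so an unset role is not silently treated as admin. The `$registrar` row is selected above the hunk, so which columns it carries is not visible here.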