wsp-10322 little loophole in MSSQL

WebsitePanel/Database/update_db.sql

@@ -8604,3 +8604,30 @@ WHERE
 	E.UserPrincipalName = @UserPrincipalName
 RETURN
 GO
+
+-- Service items count by name and serviceid
+
+IF EXISTS (SELECT * FROM SYS.OBJECTS WHERE type = 'P' AND name = 'GetServiceItemsCountByNameAndServiceId')
+DROP PROCEDURE GetServiceItemsCountByNameAndServiceId
+GO
+
+CREATE PROCEDURE [dbo].[GetServiceItemsCountByNameAndServiceId]
+(
+	@ActorID int,
+	@ServiceId int,
+	@ItemName nvarchar(500),
+	@GroupName nvarchar(100) = NULL,
+	@ItemTypeName nvarchar(200)
+)
+AS
+SELECT Count(*)
+FROM ServiceItems AS SI
+INNER JOIN ServiceItemTypes AS SIT ON SI.ItemTypeID = SIT.ItemTypeID
+INNER JOIN ResourceGroups AS RG ON SIT.GroupID = RG.GroupID
+INNER JOIN Services AS S ON SI.ServiceID = S.ServiceID
+WHERE S.ServiceID = @ServiceId 
+AND SIT.TypeName = @ItemTypeName
+AND SI.ItemName = @ItemName
+AND ((@GroupName IS NULL) OR (@GroupName IS NOT NULL AND RG.GroupName = @GroupName))
+RETURN 
+GO

WebsitePanel/Sources/WebsitePanel.EnterpriseServer.Code/Data/DataProvider.cs

@@ -1197,6 +1197,24 @@ namespace WebsitePanel.EnterpriseServer
                 new SqlParameter("@itemName", itemName));
         }
 
+        public static int GetServiceItemsCountByNameAndServiceId(int actorId, int serviceId, string groupName,
+            string itemName, string itemTypeName)
+        {
+            int res = 0;
+
+            object obj =  SqlHelper.ExecuteScalar(ConnectionString, CommandType.StoredProcedure,
+                ObjectQualifier + "GetServiceItemsCountByNameAndServiceId",
+               new SqlParameter("@ActorID", actorId),
+                new SqlParameter("@ServiceId", serviceId),
+                new SqlParameter("@ItemName", itemName),
+                new SqlParameter("@GroupName", groupName),
+                new SqlParameter("@ItemTypeName", itemTypeName));
+
+            if (!int.TryParse(obj.ToString(), out res)) return -1;
+
+            return res;
+        }
+
         public static int AddServiceItem(int actorId, int serviceId, int packageId, string itemName,
             string itemTypeName, string xmlProperties)
         {

WebsitePanel/Sources/WebsitePanel.EnterpriseServer.Code/DatabaseServers/DatabaseServerController.cs

@@ -125,8 +125,8 @@ namespace WebsitePanel.EnterpriseServer
             if (serviceId == 0)
                 return BusinessErrorCodes.ERROR_MSSQL_RESOURCE_UNAVAILABLE;
 
-            // check package items
+            // check service items
-            if (PackageController.GetPackageItemByName(item.PackageId, groupName, item.Name, typeof(SqlDatabase)) != null)
+            if (PackageController.GetServiceItemsCountByNameAndServiceId(serviceId, groupName, item.Name, typeof(SqlDatabase)) > 0)
                 return BusinessErrorCodes.ERROR_MSSQL_DATABASES_PACKAGE_ITEM_EXISTS;
 
             // place log record

WebsitePanel/Sources/WebsitePanel.EnterpriseServer.Code/Packages/PackageController.cs

@@ -1380,6 +1380,14 @@ namespace WebsitePanel.EnterpriseServer
             return CreateServiceItem(dvItem[0], dsItem.Tables[1].DefaultView);
         }
 
+        public static int GetServiceItemsCountByNameAndServiceId(int serviceId, string groupName, string itemName, Type itemType)
+        {
+            string itemTypeName = ObjectUtils.GetTypeFullName(itemType);
+
+            return DataProvider.GetServiceItemsCountByNameAndServiceId(SecurityContext.User.UserId,
+                serviceId, groupName, itemName, itemTypeName);
+        }
+
         public static bool CheckServiceItemExists(string itemName, Type itemType)
         {
             return CheckServiceItemExists(itemName, null, itemType);