remoting api: proper call to get different sys_userid and sys_groupid

Discussion in 'Developers' Forum' started by ispcomm, Nov 18, 2013.

  1. ispcomm

    ispcomm Member

    I am trying to obtain the standard permissions for when an admin creates some service (i.e. domain/spam filter etc) for a client, that is

    sys_userid = admin or reseller id
    sys_groupid = client
    sys_perm_user = riud
    sys_perm_group = ru

    I can't find the proper parameters in the parameters array for the remoting api.

    Thank you.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Your scheme is not correct:

    sys_userid = sys_userid from sys_user column, this is not the client or admin id, even if it might b idetical on some systems
    sys_groupid = groupid from sys_group column.

    The permissions are set automatically, you cant pass them via params array.
     
  3. ispcomm

    ispcomm Member

    Till,

    thank you for pointing out the mappings (I knew about them, but it happens that on my system the id's are the same, so I mix them in my mind easily).

    So, how to I obtain the effect of creating a (mail) domain owned by the admin user, but with permissions for the client to add/delete mailboxes, with no permissions to delete the whole domain, via remoting api?

    I see that if I set the client_id to the client, all permissions are assigned to the client, and the client is able to delete the domain and all mailboxes underneath with 2 clicks (ask me how I know this...).

    thanks.
     
  4. ispcomm

    ispcomm Member

    Till... shall I use direct SQL to do what the GUI does?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    There is no api function to mimic the behaviour of the interface.

    I would recommend to add a new api function instaed then doing it by sql. Somthing like:

    update_record_permissions($table,$index_field,$index_value,$permissions) {
    .....
    }

    were $permissins is a array containing the sys_* fields of a record.
     
  6. ispcomm

    ispcomm Member

    I think I can do that.
     
  7. ispcomm

    ispcomm Member

    proposed addition

    Till,

    Here's my proposed addition to the remoting api. I hope the approach is right.

    There's a new privilege required, that I named admin_record_permissions. admin to mark it as a superuser privilege (you can change ownership of anything) and record_permission to denote the operation.

    Code:
            // This will update the record permissions for a record in any table.
            public function update_record_permissions($tablename, $index_field, $index_value, $permissions) {
    		global $app;
    		
    		if(!$this->checkPerm($session_id, 'admin_record_permissions')) {
    			$this->server->fault('permission_denied', 'You do not have the permissions to access this function.');
    			return false;
    		}
    
                    foreach ( $permissions as $key => $value ) {  // make sure only sys_ fields are updated
                        if ( !preg_match('/^sys_.+/', $key )) {
                            $this->server->fault('invalid parameters', 'Only sys_* parameters can be changed with this function.');
                        }
                    }
                    
                    return $app->db->datalogUpdate( $tablename, $permissions, $index_field, $index_value ) ;
            }
    
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Thanks for sharing your code! The function looks fine, I've added it to the bugtracker for incusion in ispconfig.

    If you like to share code and improve ISPConfig or fix bugs, then you might want to get an account in our git server:

    http://git.ispconfig.org/

    there you can make a ispconfig fork under your own user and propose change or fixes by submitting a merge request in gitlab. We will then review the requests or comment on them in gitlab and merge them into the master branch.
     

Share This Page