
Harden the security with specific permissions for domains, domain settings and default settings. Everyone using multi-tenant is encouraged to update. Run Upgrade Schema on wiki.fusionpbx.com. After updating, go to advanced -> group manager, click on the superadmin group and then select the permissions for domains, domain settings, and default settings. Log out and back in.

Mark Crane 13 éve
szülő
commit
fff739d63c

+ 4 - 1
core/default_settings/app_config.php

@@ -1,7 +1,7 @@
 <?php
 	//application details
 		$apps[$x]['name'] = 'Default Settings';
-		$apps[$x]['guid'] = '2c2453c0-1bea-4475-9f44-4d969650de09';
+		$apps[$x]['uuid'] = '2c2453c0-1bea-4475-9f44-4d969650de09';
 		$apps[$x]['category'] = 'Core';
 		$apps[$x]['subcategory'] = '';
 		$apps[$x]['version'] = '';
@@ -19,6 +19,9 @@
 
 	//permission details
 		$y = 0;
+		$apps[$x]['permissions'][$y]['name'] = 'default_setting_view';
+		$apps[$x]['permissions'][$y]['groups'][] = 'superadmin';
+		$y++;
 		$apps[$x]['permissions'][$y]['name'] = 'default_setting_add';
 		$apps[$x]['permissions'][$y]['groups'][] = 'superadmin';
 		$y++;
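Review bot: L18 renames the registry key from `guid` to `uuid` for this app, but the corresponding hunk in `core/domains/app_config.php` starts at line 31 of that file, so whether its key was renamed too is not visible here; any code that still reads `$apps[$x]['guid']` would now see an unset index for this app. Worth confirming that every app_config and every reader of the registry moved to `uuid` in the same commit. The new `default_setting_view` entry on L26-L28 follows the existing three-line pattern and matches the check introduced in `default_settings.php`.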

+ 24 - 13
core/default_settings/default_settings.php

@@ -26,7 +26,7 @@
 require_once "root.php";
 require_once "includes/require.php";
 require_once "includes/checkauth.php";
-if (if_group("admin") || if_group("superadmin")) {
+if (permission_exists('default_setting_view')) {
 	//access granted
 }
 else {
@@ -60,8 +60,7 @@ require_once "includes/paging.php";
 	echo "</table>\n";
 
 	//prepare to page the results
-		$sql = "";
-		$sql .= " select count(*) as num_rows from v_default_settings ";
+		$sql = "select count(*) as num_rows from v_default_settings ";
 		if (strlen($order_by)> 0) { $sql .= "order by $order_by $order "; }
 		$prep_statement = $db->prepare($sql);
 		if ($prep_statement) {
@@ -83,16 +82,15 @@ require_once "includes/paging.php";
 		list($paging_controls, $rows_per_page, $var3) = paging($num_rows, $param, $rows_per_page); 
 		$offset = $rows_per_page * $page; 
 
-	//get the domain list
-		$sql = "";
-		$sql .= " select * from v_default_settings ";
+	//get the list
+		$sql = "select * from v_default_settings ";
 		if (strlen($order_by) == 0) {
 			$sql .= "order by default_setting_category, default_setting_subcategory asc ";
 		}
 		else {
 			$sql .= "order by $order_by $order ";
 		}
-		$sql .= " limit $rows_per_page offset $offset ";
+		$sql .= "limit $rows_per_page offset $offset ";
 		$prep_statement = $db->prepare(check_sql($sql));
 		$prep_statement->execute();
 		$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
@@ -120,7 +118,12 @@ require_once "includes/paging.php";
 				echo th_order_by('default_setting_enabled', 'Enabled', $order_by, $order);
 				echo th_order_by('default_setting_description', 'Description', $order_by, $order);
 				echo "<td align='right' width='42'>\n";
-				echo "	<a href='default_settings_edit.php' alt='add'>$v_link_label_add</a>\n";
+				if (permission_exists('default_setting_add')) {
+					echo "	<a href='default_settings_edit.php' alt='add'>$v_link_label_add</a>\n";
+				}
+				else {
+					echo "	&nbsp;\n";
+				}
 				echo "</td>\n";
 				echo "</tr>\n";
 			}
@@ -133,8 +136,7 @@ require_once "includes/paging.php";
 			$subcategory = $row['default_setting_subcategory'];
 			$name = $row['default_setting_name'];
 			if ($category == "domain" && $subcategory == "menu" && $name == "uuid" ) {
-				$sql = "";
-				$sql .= "select * from v_menus ";
+				$sql = "select * from v_menus ";
 				$sql .= "where menu_uuid = '".$row['default_setting_value']."' ";
 				$sub_prep_statement = $db->prepare(check_sql($sql));
 				$sub_prep_statement->execute();
@@ -150,8 +152,12 @@ require_once "includes/paging.php";
 			echo "	<td valign='top' class='".$row_style[$c]."'>".$row['default_setting_enabled']."&nbsp;</td>\n";
 			echo "	<td valign='top' class='".$row_style[$c]."'>".$row['default_setting_description']."&nbsp;</td>\n";
 			echo "	<td valign='top' align='right'>\n";
-			echo "		<a href='default_settings_edit.php?id=".$row['default_setting_uuid']."' alt='edit'>$v_link_label_edit</a>\n";
-			echo "		<a href='default_settings_delete.php?id=".$row['default_setting_uuid']."' alt='delete' onclick=\"return confirm('Do you really want to delete this?')\">$v_link_label_delete</a>\n";
+			if (permission_exists('default_setting_edit')) {
+				echo "		<a href='default_setting_edit.php?id=".$row['default_setting_uuid']."' alt='edit'>$v_link_label_edit</a>\n";
+			}
+			if (permission_exists('default_setting_delete')) {
+				echo "		<a href='default_setting_delete.php?id=".$row['default_setting_uuid']."' alt='delete' onclick=\"return confirm('Do you really want to delete this?')\">$v_link_label_delete</a>\n";
+			}
 			echo "	</td>\n";
 			echo "</tr>\n";
 			$previous_category = $row['default_setting_category'];
@@ -167,7 +173,12 @@ require_once "includes/paging.php";
 	echo "		<td width='33.3%' nowrap>&nbsp;</td>\n";
 	echo "		<td width='33.3%' align='center' nowrap>$paging_controls</td>\n";
 	echo "		<td width='33.3%' align='right'>\n";
-	echo "			<a href='default_settings_edit.php' alt='add'>$v_link_label_add</a>\n";
+	if (permission_exists('default_setting_add')) {
+		echo "			<a href='default_setting_edit.php' alt='add'>$v_link_label_add</a>\n";
+	}
+	else {
+		echo "			&nbsp;\n";
+	}
 	echo "		</td>\n";
 	echo "	</tr>\n";
  	echo "	</table>\n";
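Review bot: The edit and delete links on L106 and L109 and the footer add link on L120 now point at `default_setting_edit.php` and `default_setting_delete.php`, but the scripts in this commit are `default_settings_edit.php` and `default_settings_delete.php`, and the header add link on L81 in the same file still uses the plural name, so the three renamed links resolve to files that do not exist. Restoring the plural, e.g. `echo "		<a href='default_settings_edit.php?id=".$row['default_setting_uuid']."' alt='edit'>$v_link_label_edit</a>\n";`, fixes it. Separately, the count query on L51-L53 still interpolates `$order_by`/`$order` and is prepared without `check_sql()`, unlike the list query on L72; aligning the two while touching these lines would be cheap. Hiding the links is presentation only; the server-side checks in the edit and delete scripts remain the actual enforcement.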

+ 10 - 8
core/default_settings/default_settings_delete.php

@@ -26,7 +26,7 @@
 require_once "root.php";
 require_once "includes/require.php";
 require_once "includes/checkauth.php";
-if (if_group("admin") || if_group("superadmin")) {
+if (permission_exists('default_setting_delete')) {
 	//access granted
 }
 else {
@@ -39,6 +39,7 @@ if (count($_GET)>0) {
 }
 
 if (strlen($id)>0) {
+	//delete default_setting
 	$sql = "delete from v_default_settings ";
 	$sql .= "where default_setting_uuid = '$id' ";
 	$prep_statement = $db->prepare(check_sql($sql));
@@ -46,12 +47,13 @@ if (strlen($id)>0) {
 	unset($sql);
 }
 
-require_once "includes/header.php";
-echo "<meta http-equiv=\"refresh\" content=\"2;url=default_settings.php\">\n";
-echo "<div align='center'>\n";
-echo "Delete Complete\n";
-echo "</div>\n";
-require_once "includes/footer.php";
-return;
+//redirect the user
+	require_once "includes/header.php";
+	echo "<meta http-equiv=\"refresh\" content=\"2;url=default_settings.php\">\n";
+	echo "<div align='center'>\n";
+	echo "Delete Complete\n";
+	echo "</div>\n";
+	require_once "includes/footer.php";
+	return;
 
 ?>
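Review bot: The deletion on L146-L148 is still performed on a plain GET carrying only `id`, so the new `default_setting_delete` permission check is the only gate and the request is not bound to a deliberate user action (no anti-forgery token, no POST). Accepting the delete only via POST with a per-session token verified before the `strlen($id)>0` branch would close that; the same applies to `domain_settings_delete.php` (L360-L365) and presumably to `domains_delete.php`, whose body is outside its hunk. Also, L161-L167 report "Delete Complete" even when `$id` was empty and nothing was deleted; an explicit else branch reporting that no record was selected would be more honest. The enclosing `if (count($_GET)>0)` block begins outside the hunk, so whether `$id` passes through `check_str()` is not visible here.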

+ 5 - 5
core/default_settings/default_settings_edit.php

@@ -26,7 +26,7 @@
 require_once "root.php";
 require_once "includes/require.php";
 require_once "includes/checkauth.php";
-if (if_group("admin") || if_group("superadmin")) {
+if (permission_exists('default_setting_add') || permission_exists('default_setting_edit')) {
 	//access granted
 }
 else {
@@ -82,7 +82,7 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
 
 	//add or update the database
 		if ($_POST["persistformvar"] != "true") {
-			if ($action == "add") {
+			if ($action == "add" && permission_exists('default_setting_add')) {
 				$sql = "insert into v_default_settings ";
 				$sql .= "(";
 				$sql .= "default_setting_uuid, ";
@@ -115,7 +115,7 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
 				return;
 			} //if ($action == "add")
 
-			if ($action == "update") {
+			if ($action == "update" && permission_exists('default_setting_edit')) {
 				$sql = "update v_default_settings set ";
 				$sql .= "default_setting_category = '$default_setting_category', ";
 				$sql .= "default_setting_subcategory = '$default_setting_subcategory', ";
@@ -140,7 +140,7 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
 
 //pre-populate the form
 	if (count($_GET)>0 && $_POST["persistformvar"] != "true") {
-		$default_setting_uuid = $_GET["id"];
+		$default_setting_uuid = check_str($_GET["id"]);
 		$sql = "select * from v_default_settings ";
 		$sql .= "where default_setting_uuid = '$default_setting_uuid' ";
 		$prep_statement = $db->prepare(check_sql($sql));
@@ -166,7 +166,7 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
 	echo "<table width='100%' border='0' cellpadding='0' cellspacing=''>\n";
 	echo "<tr class='border'>\n";
 	echo "	<td align=\"left\">\n";
-	echo "	  <br>";
+	echo "		<br>";
 
 	echo "<form method='post' name='frm' action=''>\n";
 	echo "<div align='center'>\n";
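Review bot: On L188 and L197 a POST whose `$action` the user is not permitted for is skipped silently rather than rejected: a user holding only `default_setting_add` who submits `action=update` falls past both branches (the code after L197 is outside the hunk, presumably the form render) with no denial message and no log, unlike the page-level check on L179. Add an explicit fallback that mirrors the header check's deny branch, e.g. `else { echo "access denied"; exit; }` after the update branch. The same pattern is in `domain_settings_edit.php` (L403/L412) and `domains_edit.php` (L614/L623). The update SQL on L198-L200 still interpolates request-derived values; whether they go through `check_str()` earlier in the file is outside the hunk.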

+ 5 - 1
core/domains/app_config.php

@@ -31,7 +31,11 @@
 		$apps[$x]['permissions'][$y]['name'] = 'domain_delete';
 		$apps[$x]['permissions'][$y]['groups'][] = 'superadmin';
 		$y++;
-		$apps[$x]['permissions'][$y]['name'] = 'domain_view';
+		$apps[$x]['permissions'][$y]['name'] = 'domain_select';
+		$apps[$x]['permissions'][$y]['groups'][] = 'superadmin';
+		$y++;
+
+		$apps[$x]['permissions'][$y]['name'] = 'domain_setting_view';
 		$apps[$x]['permissions'][$y]['groups'][] = 'superadmin';
 		$y++;
 		$apps[$x]['permissions'][$y]['name'] = 'domain_setting_add';
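Review bot: L228 renames the `domain_view` permission to `domain_select`, yet `domains.php` L443 now gates the domain list on `permission_exists('domain_view')`. Unless `domain_view` is still declared in the first 30 lines of this file (not shown), no app_config registers it after this commit, so it cannot be granted through Group Manager and the domain list becomes unreachable even for superadmin. Keeping the `domain_view` entry and adding `domain_select` as a separate three-line group (as L232-L234 do for `domain_setting_view`) would resolve it; the stray blank line on L231 also breaks the otherwise uniform layout.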

+ 27 - 14
core/domains/domain_settings.php

@@ -26,7 +26,7 @@
 require_once "root.php";
 require_once "includes/require.php";
 require_once "includes/checkauth.php";
-if (if_group("admin") || if_group("superadmin")) {
+if (permission_exists('domain_setting_view')) {
 	//access granted
 }
 else {
@@ -49,20 +49,20 @@ require_once "includes/paging.php";
 
 	//echo "<table width='100%' border='0'>\n";
 	//echo "	<tr>\n";
-	//echo "		<td width='50%' nowrap><b>Domain Settings</b></td>\n";
+	//echo "		<td width='50%' align='left' nowrap='nowrap'><b>Domain Settings</b></td>\n";
 	//echo "		<td width='50%' align='right'>&nbsp;</td>\n";
 	//echo "	</tr>\n";
 	//echo "	<tr>\n";
-	//echo "		<td colspan='2'>\n";
+	//echo "		<td align='left' colspan='2'>\n";
 	//echo "			Settings used for each domain.<br /><br />\n";
 	//echo "		</td>\n";
 	//echo "	</tr>\n";
 	//echo "</table>\n";
 
 	//prepare to page the results
-		$sql = " select count(*) as num_rows from v_domain_settings ";
-		$sql .= " where domain_uuid = '$domain_uuid' ";
-		$sql .= " and domain_uuid = '$domain_uuid' ";
+		$sql = "select count(*) as num_rows from v_domain_settings ";
+		$sql .= "where domain_uuid = '$domain_uuid' ";
+		$sql .= "and domain_uuid = '$domain_uuid' ";
 		if (strlen($order_by)> 0) { $sql .= "order by $order_by $order "; }
 		$prep_statement = $db->prepare($sql);
 		if ($prep_statement) {
@@ -84,13 +84,11 @@ require_once "includes/paging.php";
 		list($paging_controls, $rows_per_page, $var3) = paging($num_rows, $param, $rows_per_page); 
 		$offset = $rows_per_page * $page; 
 
-	//get the domain list
-		$sql = "";
-		$sql .= " select * from v_domain_settings ";
-		$sql .= " where domain_uuid = '$domain_uuid' ";
-		$sql .= " and domain_uuid = '$domain_uuid' ";
+	//get the list
+		$sql = "select * from v_domain_settings ";
+		$sql .= "where domain_uuid = '$domain_uuid' ";
 		if (strlen($order_by)> 0) { $sql .= "order by $order_by $order "; }
-		$sql .= " limit $rows_per_page offset $offset ";
+		$sql .= "limit $rows_per_page offset $offset ";
 		$prep_statement = $db->prepare(check_sql($sql));
 		$prep_statement->execute();
 		$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
@@ -119,7 +117,13 @@ require_once "includes/paging.php";
 				echo th_order_by('domain_setting_enabled', 'Enabled', $order_by, $order);
 				echo th_order_by('domain_setting_description', 'Description', $order_by, $order);
 				echo "<td align='right' width='42'>\n";
-				echo "	<a href='domain_settings_edit.php?domain_uuid=".$_GET['id']."' alt='add'>$v_link_label_add</a>\n";
+				if (permission_exists('domain_setting_add')) {
+					echo "	<a href='domain_settings_edit.php?domain_uuid=".$_GET['id']."' alt='add'>$v_link_label_add</a>\n";
+				}
+				else {
+					echo "	&nbsp;\n";
+				}
+
 				echo "</td>\n";
 				echo "</tr>\n";
 			}
@@ -149,8 +153,12 @@ require_once "includes/paging.php";
 			echo "	<td valign='top' class='".$row_style[$c]."'>".$row['domain_setting_enabled']."&nbsp;</td>\n";
 			echo "	<td valign='top' class='".$row_style[$c]."'>".$row['domain_setting_description']."&nbsp;</td>\n";
 			echo "	<td valign='top' align='right'>\n";
+			if (permission_exists('domain_setting_edit')) {
 			echo "		<a href='domain_settings_edit.php?domain_uuid=".$row['domain_uuid']."&id=".$row['domain_setting_uuid']."' alt='edit'>$v_link_label_edit</a>\n";
+			}
+			if (permission_exists('domain_setting_delete')) {
 			echo "		<a href='domain_settings_delete.php?domain_uuid=".$row['domain_uuid']."&id=".$row['domain_setting_uuid']."' alt='delete' onclick=\"return confirm('Do you really want to delete this?')\">$v_link_label_delete</a>\n";
+			}
 			echo "	</td>\n";
 			echo "</tr>\n";
 			$previous_category = $row['domain_setting_category'];
@@ -166,7 +174,12 @@ require_once "includes/paging.php";
 	echo "		<td width='33.3%' nowrap>&nbsp;</td>\n";
 	echo "		<td width='33.3%' align='center' nowrap>$paging_controls</td>\n";
 	echo "		<td width='33.3%' align='right'>\n";
-	echo "			<a href='domain_settings_edit.php?domain_uuid=".$_GET['id']."' alt='add'>$v_link_label_add</a>\n";
+	if (permission_exists('domain_setting_add')) {
+		echo "			<a href='domain_settings_edit.php?domain_uuid=".$_GET['id']."' alt='add'>$v_link_label_add</a>\n";
+	}
+	else {
+		echo "			&nbsp;\n";
+	}
 	echo "		</td>\n";
 	echo "	</tr>\n";
  	echo "	</table>\n";
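Review bot: L299 and L327 write `$_GET['id']` straight into an href attribute with no escaping, so whatever the request carries is reflected into the page's HTML; use the `$domain_uuid` variable the queries already rely on (L270, L286) or wrap the value with `htmlspecialchars($_GET['id'], ENT_QUOTES)`. The count query on L269-L271 keeps the duplicated `and domain_uuid = '$domain_uuid'` predicate that the next hunk drops from the list query (L283) and is prepared on L273 without `check_sql()`, while L290 uses it; the two should be aligned. Whether `$domain_uuid` is sanitised before this hunk is not visible.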

+ 16 - 15
core/domains/domain_settings_delete.php

@@ -26,7 +26,7 @@
 require_once "root.php";
 require_once "includes/require.php";
 require_once "includes/checkauth.php";
-if (if_group("admin") || if_group("superadmin")) {
+if (permission_exists('domain_setting_delete')) {
 	//access granted
 }
 else {
@@ -40,21 +40,22 @@ if (count($_GET)>0) {
 }
 
 if (strlen($id)>0) {
-	$sql = "";
-	$sql .= "delete from v_domain_settings ";
-	$sql .= "where domain_uuid = '$domain_uuid' ";
-	$sql .= "and domain_setting_uuid = '$id' ";
-	$prep_statement = $db->prepare(check_sql($sql));
-	$prep_statement->execute();
-	unset($sql);
+	//delete domain_setting
+		$sql = "delete from v_domain_settings ";
+		$sql .= "where domain_uuid = '$domain_uuid' ";
+		$sql .= "and domain_setting_uuid = '$id' ";
+		$prep_statement = $db->prepare(check_sql($sql));
+		$prep_statement->execute();
+		unset($sql);
 }
 
-require_once "includes/header.php";
-echo "<meta http-equiv=\"refresh\" content=\"2;url=domains_edit.php?id=$domain_uuid\">\n";
-echo "<div align='center'>\n";
-echo "Delete Complete\n";
-echo "</div>\n";
-require_once "includes/footer.php";
-return;
+//redirect the user
+	require_once "includes/header.php";
+	echo "<meta http-equiv=\"refresh\" content=\"2;url=domains_edit.php?id=$domain_uuid\">\n";
+	echo "<div align='center'>\n";
+	echo "Delete Complete\n";
+	echo "</div>\n";
+	require_once "includes/footer.php";
+	return;
 
 ?>

+ 5 - 5
core/domains/domain_settings_edit.php

@@ -26,7 +26,7 @@
 require_once "root.php";
 require_once "includes/require.php";
 require_once "includes/checkauth.php";
-if (if_group("admin") || if_group("superadmin")) {
+if (permission_exists('domain_setting_add') || permission_exists('domain_setting_edit')) {
 	//access granted
 }
 else {
@@ -87,7 +87,7 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
 
 	//add or update the database
 		if ($_POST["persistformvar"] != "true") {
-			if ($action == "add") {
+			if ($action == "add" && permission_exists('domain_setting_add')) {
 				$sql = "insert into v_domain_settings ";
 				$sql .= "(";
 				$sql .= "domain_uuid, ";
@@ -122,7 +122,7 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
 				return;
 			} //if ($action == "add")
 
-			if ($action == "update") {
+			if ($action == "update" && permission_exists('domain_setting_edit')) {
 				$sql = "update v_domain_settings set ";
 				$sql .= "domain_setting_category = '$domain_setting_category', ";
 				$sql .= "domain_setting_subcategory = '$domain_setting_subcategory', ";
@@ -148,7 +148,7 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
 
 //pre-populate the form
 	if (count($_GET)>0 && $_POST["persistformvar"] != "true") {
-		$domain_setting_uuid = $_GET["id"];
+		$domain_setting_uuid = check_str($_GET["id"]);
 		$sql = "select * from v_domain_settings ";
 		$sql .= "where domain_uuid = '$domain_uuid' ";
 		$sql .= "and domain_setting_uuid = '$domain_setting_uuid' ";
@@ -175,7 +175,7 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
 	echo "<table width='100%' border='0' cellpadding='0' cellspacing=''>\n";
 	echo "<tr class='border'>\n";
 	echo "	<td align=\"left\">\n";
-	echo "	  <br>";
+	echo "		<br>";
 
 	echo "<form method='post' name='frm' action=''>\n";
 	echo "<div align='center'>\n";

+ 57 - 42
core/domains/domains.php

@@ -26,7 +26,7 @@
 require_once "root.php";
 require_once "includes/require.php";
 require_once "includes/checkauth.php";
-if (if_group("admin") || if_group("superadmin")) {
+if (permission_exists('domain_view')) {
 	//access granted
 }
 else {
@@ -34,46 +34,48 @@ else {
 	exit;
 }
 
-//change the tenant
-	if (strlen($_GET["domain_uuid"]) > 0 && $_GET["domain_change"] == "true") {
-		//get the domain_uuid
-			$sql = "select * from v_domains ";
-			$sql .= "order by domain_name asc ";
-			$prep_statement = $db->prepare($sql);
-			$prep_statement->execute();
-			$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-			foreach($result as $row) {
-				if (count($result) == 0) {
-					$_SESSION["domain_uuid"] = $row["domain_uuid"];
-					$_SESSION["domain_name"] = $row['domain_name'];
-				}
-				else {
-					if ($row['domain_name'] == $domain_array[0] || $row['domain_name'] == 'www.'.$domain_array[0]) {
+//change the domain
+	if (strlen(check_str($_GET["domain_uuid"])) > 0 && check_str($_GET["domain_change"]) == "true") {
+		if (permission_exists('domain_select')) {
+			//get the domain_uuid
+				$sql = "select * from v_domains ";
+				$sql .= "order by domain_name asc ";
+				$prep_statement = $db->prepare($sql);
+				$prep_statement->execute();
+				$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
+				foreach($result as $row) {
+					if (count($result) == 0) {
 						$_SESSION["domain_uuid"] = $row["domain_uuid"];
 						$_SESSION["domain_name"] = $row['domain_name'];
 					}
-					$_SESSION['domains'][$row['domain_uuid']]['domain_uuid'] = $row['domain_uuid'];
-					$_SESSION['domains'][$row['domain_uuid']]['domain_name'] = $row['domain_name'];
+					else {
+						if ($row['domain_name'] == $domain_array[0] || $row['domain_name'] == 'www.'.$domain_array[0]) {
+							$_SESSION["domain_uuid"] = $row["domain_uuid"];
+							$_SESSION["domain_name"] = $row['domain_name'];
+						}
+						$_SESSION['domains'][$row['domain_uuid']]['domain_uuid'] = $row['domain_uuid'];
+						$_SESSION['domains'][$row['domain_uuid']]['domain_name'] = $row['domain_name'];
+					}
 				}
-			}
-			unset($result, $prep_statement);
-
-		//update the domain session variables
-			$domain_uuid = check_str($_GET["domain_uuid"]);
-			$_SESSION['domain_uuid'] = $domain_uuid;
-			$_SESSION["domain_name"] = $_SESSION['domains'][$domain_uuid]['domain_name'];
-			$_SESSION['domain']['template']['name'] = $_SESSION['domains'][$domain_uuid]['template_name'];
-		//clear the menu session so that it is regenerated for the selected domain
-			$_SESSION["menu"] = '';
-		//clear the extension array so that it is regenerated for the selected domain
-			unset($_SESSION['extension_array']);
-		//set the context
-			if (count($_SESSION["domains"]) > 1) {
-				$_SESSION["context"] = $_SESSION["domain_name"];
-			}
-			else {
-				$_SESSION["context"] = 'default';
-			}
+				unset($result, $prep_statement);
+
+			//update the domain session variables
+				$domain_uuid = check_str($_GET["domain_uuid"]);
+				$_SESSION['domain_uuid'] = $domain_uuid;
+				$_SESSION["domain_name"] = $_SESSION['domains'][$domain_uuid]['domain_name'];
+				$_SESSION['domain']['template']['name'] = $_SESSION['domains'][$domain_uuid]['template_name'];
+			//clear the menu session so that it is regenerated for the selected domain
+				$_SESSION["menu"] = '';
+			//clear the extension array so that it is regenerated for the selected domain
+				unset($_SESSION['extension_array']);
+			//set the context
+				if (count($_SESSION["domains"]) > 1) {
+					$_SESSION["context"] = $_SESSION["domain_name"];
+				}
+				else {
+					$_SESSION["context"] = 'default';
+				}
+		}
 	}
 
 //includes
@@ -151,7 +153,12 @@ else {
 	echo th_order_by('domain_name', 'Domain', $order_by, $order);
 	echo th_order_by('domain_description', 'Description', $order_by, $order);
 	echo "<td align='right' width='42'>\n";
-	echo "	<a href='domains_edit.php' alt='add'>$v_link_label_add</a>\n";
+	if (permission_exists('domain_add')) {
+		echo "	<a href='domains_edit.php' alt='add'>$v_link_label_add</a>\n";
+	}
+	else {
+		echo "	&nbsp;\n";
+	}
 	echo "</td>\n";
 	echo "<tr>\n";
 
@@ -161,8 +168,12 @@ else {
 			echo "	<td valign='top' class='".$row_style[$c]."'>".$row['domain_name']."&nbsp;</td>\n";
 			echo "	<td valign='top' class='".$row_style[$c]."'>".$row['domain_description']."&nbsp;</td>\n";
 			echo "	<td valign='top' align='right'>\n";
-			echo "		<a href='domains_edit.php?id=".$row['domain_uuid']."' alt='edit'>$v_link_label_edit</a>\n";
-			echo "		<a href='domains_delete.php?id=".$row['domain_uuid']."' alt='delete' onclick=\"return confirm('Do you really want to delete this?')\">$v_link_label_delete</a>\n";
+			if (permission_exists('domain_edit')) {
+				echo "		<a href='domains_edit.php?id=".$row['domain_uuid']."' alt='edit'>$v_link_label_edit</a>\n";
+			}
+			if (permission_exists('domain_delete')) {
+				echo "		<a href='domains_delete.php?id=".$row['domain_uuid']."' alt='delete' onclick=\"return confirm('Do you really want to delete this?')\">$v_link_label_delete</a>\n";
+			}
 			echo "	</td>\n";
 			echo "</tr>\n";
 			if ($c==0) { $c=1; } else { $c=0; }
@@ -170,7 +181,6 @@ else {
 		unset($sql, $result, $row_count);
 	} //end if results
 
-
 	echo "<tr>\n";
 	echo "<td colspan='3' align='left'>\n";
 	echo "	<table width='100%' cellpadding='0' cellspacing='0'>\n";
@@ -178,7 +188,12 @@ else {
 	echo "		<td width='33.3%' nowrap>&nbsp;</td>\n";
 	echo "		<td width='33.3%' align='center' nowrap>$paging_controls</td>\n";
 	echo "		<td width='33.3%' align='right'>\n";
-	echo "			<a href='domains_edit.php' alt='add'>$v_link_label_add</a>\n";
+	if (permission_exists('domain_add')) {
+		echo "			<a href='domains_edit.php' alt='add'>$v_link_label_add</a>\n";
+	}
+	else {
+		echo "			&nbsp;\n";
+	}
 	echo "		</td>\n";
 	echo "	</tr>\n";
  	echo "	</table>\n";
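Review bot: The domain switch on L513-L516 copies whatever `domain_uuid` the request carries into the session without confirming it is one of the domains just loaded into `$_SESSION['domains']`; an unknown value leaves `domain_name` and the template name empty while `domain_uuid` is set, and `context` is then derived from that state on L522-L527. Guard the update with an existence check before L514, e.g. `if (!isset($_SESSION['domains'][$domain_uuid])) { echo "access denied"; exit; }`. Two smaller points in the same block: the `count($result) == 0` branch on L476 sits inside `foreach($result as $row)` and can never execute, and `template_name` read on L516 is never stored by the loop (L487-L488 save only uuid and name), so it is always unset.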

+ 1 - 1
core/domains/domains_delete.php

@@ -26,7 +26,7 @@
 require_once "root.php";
 require_once "includes/require.php";
 require_once "includes/checkauth.php";
-if (if_group("admin") || if_group("superadmin")) {
+if (permission_exists('domain_delete')) {
 	//access granted
 }
 else {

+ 4 - 4
core/domains/domains_edit.php

@@ -26,7 +26,7 @@
 require_once "root.php";
 require_once "includes/require.php";
 require_once "includes/checkauth.php";
-if (if_group("admin") || if_group("superadmin")) {
+if (permission_exists('domain_add') || permission_exists('domain_edit')) {
 	//access granted
 }
 else {
@@ -74,7 +74,7 @@ if (count($_POST) > 0 && strlen($_POST["persistformvar"]) == 0) {
 
 	//add or update the database
 		if ($_POST["persistformvar"] != "true") {
-			if ($action == "add") {
+			if ($action == "add" && permission_exists('domain_add')) {
 				$sql = "select count(*) as num_rows from v_domains ";
 				$sql .= "where domain_name = '$domain_name' ";
 				$prep_statement = $db->prepare($sql);
@@ -100,7 +100,7 @@ if (count($_POST) > 0 && strlen($_POST["persistformvar"]) == 0) {
 				}
 			}
 
-			if ($action == "update") {
+			if ($action == "update" && permission_exists('domain_edit')) {
 				$sql = "update v_domains set ";
 				$sql .= "domain_name = '$domain_name', ";
 				$sql .= "domain_description = '$domain_description' ";
@@ -158,7 +158,7 @@ if (count($_POST) > 0 && strlen($_POST["persistformvar"]) == 0) {
 	echo "<table width='100%' border='0' cellpadding='0' cellspacing=''>\n";
 	echo "<tr class='border'>\n";
 	echo "	<td align=\"left\">\n";
-	echo "	  <br>";
+	echo "		<br>";
 
 	echo "<form method='post' name='frm' action=''>\n";
 	echo "<div align='center'>\n";

+ 1 - 1
themes/accessible/template.php

@@ -421,7 +421,7 @@ function confirmdelete(url) {
 				</td>
 				<td width='50%' class='' align='right' valign='middle'>
 					<?php
-					if (if_group("superadmin") && count($_SESSION['domains']) > 1) {
+					if (permission_exists("domain_select") && count($_SESSION['domains']) > 1) {
 						//$tmp_style = "style=\"opacity:0.7;filter:alpha(opacity=70)\" ";
 						//$tmp_style .= "onmouseover=\"this.style.opacity=1;this.filters.alpha.opacity=90\" ";
 						//$tmp_style .= "onmouseout=\"this.style.opacity=0.7;this.filters.alpha.opacity=70\" ";

+ 1 - 1
themes/classic/template.php

@@ -518,7 +518,7 @@ function confirmdelete(url) {
 				</td>
 				<td width='50%' class='' align='right' valign='middle'>
 					<?php
-					if (if_group("superadmin") && count($_SESSION['domains']) > 1) {
+					if (permission_exists("domain_select") && count($_SESSION['domains']) > 1) {
 						//$tmp_style = "style=\"opacity:0.7;filter:alpha(opacity=70)\" ";
 						//$tmp_style .= "onmouseover=\"this.style.opacity=1;this.filters.alpha.opacity=90\" ";
 						//$tmp_style .= "onmouseout=\"this.style.opacity=0.7;this.filters.alpha.opacity=70\" ";

+ 1 - 1
themes/default/template.php

@@ -654,7 +654,7 @@ function confirmdelete(url) {
 			</td>
 			<td width='50%' class='' align='right' valign='middle'>
 				<?php
-				if (if_group("superadmin") && count($_SESSION['domains']) > 1) {
+				if (permission_exists("domain_select") && count($_SESSION['domains']) > 1) {
 					//$tmp_style = "style=\"opacity:0.7;filter:alpha(opacity=70)\" ";
 					//$tmp_style .= "onmouseover=\"this.style.opacity=1;this.filters.alpha.opacity=90\" ";
 					//$tmp_style .= "onmouseout=\"this.style.opacity=0.7;this.filters.alpha.opacity=70\" ";

+ 1 - 1
themes/enhanced/template.php

@@ -655,7 +655,7 @@ function confirmdelete(url) {
 						</td>
 						<td width='50%' class='' align='right' valign='middle'>
 							<?php
-							if (if_group("superadmin") && count($_SESSION['domains']) > 1) {
+							if (permission_exists("domain_select") && count($_SESSION['domains']) > 1) {
 								//$tmp_style = "style=\"opacity:0.7;filter:alpha(opacity=70)\" ";
 								//$tmp_style .= "onmouseover=\"this.style.opacity=1;this.filters.alpha.opacity=90\" ";
 								//$tmp_style .= "onmouseout=\"this.style.opacity=0.7;this.filters.alpha.opacity=70\" ";