Reputation from BeZazz - Page 7 - Blesta Community Forums

BeZazz reacted to JaxSite in cPanel Extended Security Issue November 6, 2016

Based on my previous post, I set out this evening to fix the current security issue with the following goals in mind:
Remove the Manage button by the service listing in all states except Active. Remove the Switch icons on service row expansion in all states except Active. If someone enters the direct URL to the cPanel Extended dashboard it disables all functionality and displays a message that the account is not properly setup (similar to default cPanel module). Add a notification message somewhere in the Admin so an administrator is aware the next time they login. Email an administrator of the failed provision (this might already be an existing Blesta feature). After getting familiar with Blesta and cPanel Extended codebases, I have fixed the issue and accomplished my first three goals. I'll continue to become more familiar with the codebase so I can complete goals 4 and 5 too.
To accomplish goal #1, I wrapped the template code with a status active check. This removed the Manage button in the Options column of the service row. Here is the code:
/app/views/client/[template]/client_services.pdt
<td> <?php if ($this->Html->ifSet($status) == "active") { ?> <div class="btn-group"> <a href="<?php echo $this->Html->safe($this->base_uri . "services/manage/" . $this->Html->ifSet($services[$i]->id) . "/");?>" class="btn btn-xs btn-default"> <i class="fa fa-cog fa-fw"></i> <?php $this->_("ClientServices.index.option_manage");?> </a> </div> <?php } ?> </td> To accomplish goal #2, I wrapped the containing table row with a status active check. This disables the row expansion feature in all service states except active. Here is the code:
/app/views/client/[template]/client_services.pdt
<?php // List all services for ($i=0; $i<$num_services; $i++) { if ($this->Html->ifSet($status) == "active") { ?> <tr class="expand service_info"> <?php } else { ?> <tr> <?php } ?> <td><?php $this->Html->_($services[$i]->package->name);?></td> <td><?php $this->Html->_($services[$i]->name);?></td> To accomplish goal #3, I wrapped the sidebar tab building code with a status active check. This removes all of the cPanel Extended tabs and features from the /services/manage/ view. By removing the Manage button in goal #1 above, the average user will never be able to reach this URL. But for the tech savvy, it wouldn't be hard to figure out. And my goal with this fix is to prevent those tech savvy types from causing harm? So just in case this URL is called, unless the service is active, no manage features are available. Here's the code:
/app/controllers/client_services.php
public function manage() { $this->uses(array("Coupons", "ModuleManager")); // Ensure we have a service if (!($service = $this->Services->get((int)$this->get[0])) || $service->client_id != $this->client->id) $this->redirect($this->base_uri); $package = $this->Packages->get($service->package->id); $module = $this->ModuleManager->initModule($service->package->module_id); $module->base_uri = $this->base_uri; $method = isset($this->get[1]) ? $this->get[1] : null; // Set sidebar tabs if ($service->status == "active") { $this->buildTabs($service, $package, $module, $method); } I've also attached some screenshots showing the updated UIs where a cPanel Extended service is in PENDING state and management is basically disabled. Overall, I've had a fun night getting familiar with some of the code. Most importantly, I'm happy I was able to fix this security issue for my needs. I welcome any suggestions and advice from the Blesta Developers as well as cyandark. If there's a better way to fix this issue, please share so I can learn in the process. Thanks again for providing this community and everyone here who are so helpful.
Cheers!

BeZazz got a reaction from JNdev in Lutfi - Free Premium Blesta & Hosting Theme November 6, 2016

Looks really good Nice and clean looking.

BeZazz reacted to timnboys in Third Party Modules November 5, 2016

let me give you a pm on this because I don't want this thread to be another "firestorm" over something that can be handed privately.

BeZazz reacted to Abdy in Third Party Modules November 4, 2016

Blesta is Open Code, not Open Source.
Encrypt the paid modules is necessary to protect the license system.

BeZazz reacted to Blesta Addons in See How a Ticket Was Created October 20, 2016

First . We never change password to a password that client want . We change the passwords to a generated one and send email about the new password .
The client can request password change but can't determinate it via ticket .
Also is good to see a lebel about how this ticket was opened (manager, email piped, import email, Api ... )

BeZazz reacted to austenite in Beta to go Live date October 19, 2016

For me stability is of the utmost importance, I couldn't care less when v4 is released. I have all of the features I currently need and have alternatives in place for those not provided by Blesta. They can take as long as they want, as long as they continue to patch any security issues in 3.6.2 and v4 is nice and stable upon final public release I'll be happy

BeZazz reacted to Abdy in [Theme] Cloud October 16, 2016

Hi, I have this theme in my computer about half year, this theme is of a cancelled project and I will not use the theme anymore, for this I will decided share the theme to the community, this can be useful for something.
This theme not will receive updates. If you want a customization you can send me a PM to get a quote.

cloud.zip

BeZazz reacted to Paul in Blesta 3x to 4x October 4, 2016

PM me your key, or if you have an account with us and paid for the support & updates that way, please open a ticket. I will get you a copy of v4 beta 1. If you are not going live for a little while, I'd suggest making any customizations to v4 to start with, it will be much easier.