From 1da7f9a7bce8d953574813db92f2e89d24b23c63 Mon Sep 17 00:00:00 2001
From: Andreas Granig
Date: Sun, 4 May 2014 13:39:23 +0200
Subject: [PATCH] MT#6789 API: validate email template id

Its reseller needs to match the customer contact's reseller.
---
 lib/NGCP/Panel/Controller/API/Customers.pm | 10 ++++++++
 lib/NGCP/Panel/Role/API/Customers.pm | 29 ++++++++++++++++++++--
 2 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/lib/NGCP/Panel/Controller/API/Customers.pm b/lib/NGCP/Panel/Controller/API/Customers.pm
index 4b4efaeb03..0a9887e105 100644
--- a/lib/NGCP/Panel/Controller/API/Customers.pm
+++ b/lib/NGCP/Panel/Controller/API/Customers.pm
@@ -220,6 +220,16 @@ sub POST :Allow {
 $self->error($c, HTTP_UNPROCESSABLE_ENTITY, "The reseller of the contact doesn't match the reseller of the billing profile");
 last;
 }
+ if($customer->subscriber_email_template_id &&
+ $customer->subscriber_email_template->reseller_id != $customer->contact->reseller_id) {
+ $self->error($c, HTTP_UNPROCESSABLE_ENTITY, "Invalid 'subscriber_email_template_id', doesn't exist for reseller assigned to customer contact");
+ return;
+ }
+ if($customer->passreset_email_template_id &&
+ $customer->passreset_email_template->reseller_id != $customer->contact->reseller_id) {
+ $self->error($c, HTTP_UNPROCESSABLE_ENTITY, "Invalid 'passreset_email_template_id', doesn't exist for reseller assigned to customer contact");
+ return;
+ }
 try {
 $customer->billing_mappings->create({
diff --git a/lib/NGCP/Panel/Role/API/Customers.pm b/lib/NGCP/Panel/Role/API/Customers.pm
index e6953c83fb..980456ebc9 100644
--- a/lib/NGCP/Panel/Role/API/Customers.pm
+++ b/lib/NGCP/Panel/Role/API/Customers.pm
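Review bot: Both added checks dereference `$customer->subscriber_email_template->reseller_id` (and the passreset twin) without confirming the relationship accessor returned a row, so a client-supplied id that matches no email_templates row makes the request die on an undefined value (a 500) instead of the 422 the error message promises. Fetch the template with a reseller-scoped lookup and treat "no row" the same as a reseller mismatch, which also makes the create path consistent with the lookup the Role update path uses. Note the preceding error path in this hunk ends with `last;` while the new ones use `return;`; if the enclosing block (sub POST starts outside the hunk) does cleanup after that loop, the early return skips it, so use whichever the rest of POST relies on. The rewritten check below folds both fields into one loop so the message and lookup cannot drift apart.
```perl
# … unchanged: contact / billing-profile reseller check …
my $contact_reseller_id = $customer->contact->reseller_id;
for my $field (qw(subscriber_email_template_id passreset_email_template_id)) {
    my $tmpl_id = $customer->$field or next;
    # scope the lookup to the contact's reseller so a foreign or missing id is one "not found"
    my $tmpl = $c->model('DB')->resultset('email_templates')
        ->search({ reseller_id => $contact_reseller_id })
        ->find($tmpl_id);
    unless($tmpl) {
        $self->error($c, HTTP_UNPROCESSABLE_ENTITY, "Invalid '$field', doesn't exist for reseller assigned to customer contact");
        return;
    }
}
# … unchanged: try { $customer->billing_mappings->create({ …
```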
@@ -168,9 +168,9 @@ sub update_customer {
 }
 delete $resource->{billing_profile_id};
-
+ my $custcontact;
 if($old_resource->{contact_id} != $resource->{contact_id}) {
- my $custcontact = $c->model('DB')->resultset('contacts')
+ $custcontact = $c->model('DB')->resultset('contacts')
 ->search({ reseller_id => { '-not' => undef }})
 ->find($resource->{contact_id});
 unless($custcontact) {
@@ -181,6 +181,31 @@ sub update_customer {
 $self->error($c, HTTP_UNPROCESSABLE_ENTITY, "Invalid 'contact_id', reseller doesn't match billing profile reseller");
 return;
 }
+ } else {
+ $custcontact = $customer->contact;
+ }
+
+ my $oldsubtmpl = $old_resource->{subscriber_email_template_id} // 0;
+ if($resource->{subscriber_email_template_id} &&
+ $oldsubtmpl != $resource->{subscriber_email_template_id}) {
+ my $tmpl = $c->model('DB')->resultset('email_templates')
+ ->search({ reseller_id => $custcontact->reseller_id })
+ ->find($resource->{subscriber_email_template_id});
+ unless($tmpl) {
+ $self->error($c, HTTP_UNPROCESSABLE_ENTITY, "Invalid 'subscriber_email_template_id', doesn't exist for reseller assigned to customer contact");
+ return;
+ }
+ }
+ my $oldpasstmpl = $old_resource->{passreset_email_template_id} // 0;
+ if($resource->{passreset_email_template_id} &&
+ $oldpasstmpl != $resource->{passreset_email_template_id}) {
+ my $tmpl = $c->model('DB')->resultset('email_templates')
+ ->search({ reseller_id => $custcontact->reseller_id })
+ ->find($resource->{passreset_email_template_id});
+ unless($tmpl) {
+ $self->error($c, HTTP_UNPROCESSABLE_ENTITY, "Invalid 'passreset_email_template_id', doesn't exist for reseller assigned to customer contact");
+ return;
+ }
 }
 my $old_ext_id = $customer->external_id // '';
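Review bot: The template lookups in the second hunk are skipped whenever the id is unchanged (`$oldsubtmpl != $resource->{subscriber_email_template_id}` and the passreset twin), so an update that changes only `contact_id` never re-validates the customer's existing templates against the new contact's reseller. Whether that can move the customer to another reseller is not visible here (the contact is checked against the billing-profile reseller in the first hunk, and billing_profile_id is deleted from the resource above), but if it can, the customer keeps templates owned by a different reseller, which is exactly the cross-tenant reference this commit sets out to prevent. Re-run the check when either the id or the contact changed: `my $contact_changed = $old_resource->{contact_id} != $resource->{contact_id};` and then `if($resource->{subscriber_email_template_id} && ($contact_changed || $oldsubtmpl != $resource->{subscriber_email_template_id})) {` (same for passreset). The two blocks differ only in the field name, so a loop over `qw(subscriber_email_template_id passreset_email_template_id)` would keep the lookup and error text from drifting apart; update_customer starts and ends outside the hunk.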