From b51c0c969834eea35d1dffbbf72b7a662fcbee6f Mon Sep 17 00:00:00 2001
From: Kirill Solomko
Date: Thu, 22 Dec 2022 11:31:30 +0100
Subject: [PATCH] MT#56234 restrict cli preference allowed numbers for subscriberadmin
* subscriberadmin can now only set numbers that belong to the customer as 'cli'
Change-Id: Iecc2c5dc322e13292e1ec0d9262451c8947da671
---
 lib/NGCP/Panel/Utils/Preferences.pm | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/lib/NGCP/Panel/Utils/Preferences.pm b/lib/NGCP/Panel/Utils/Preferences.pm
index 79d7898a4c..2af615e55b 100644
--- a/lib/NGCP/Panel/Utils/Preferences.pm
+++ b/lib/NGCP/Panel/Utils/Preferences.pm
@@ -12,6 +12,7 @@ use HTTP::Status qw(:constants);
 use File::Type;
 use Readonly;
 use MIME::Base64 qw(decode_base64);
+use List::Util qw(any);
 use constant _DYNAMIC_PREFERENCE_PREFIX => '__';
@@ -605,6 +606,25 @@ sub update_preferences {
 try {
 foreach my $k(keys %{ $old_resource }) {
 SWITCH: for ($k) {
+ /^cli$/ && do {
+ my $cli = $resource->{$k};
+ my @allowed_cli_numbers = $c->model('DB')->resultset('voip_dbaliases')->search({
+ 'subscriber.account_id' => $item->contract_id,
+ },{
+ select => ['me.username'],
+ as => ['number'],
+ join => 'subscriber',
+ result_class => 'DBIx::Class::ResultClass::HashRefInflator',
+ })->all;
+ $c->log->debug("NUMBERS");
+ unless (any { $_->{number} eq $cli } @allowed_cli_numbers) {
+ my $err_msg = "Only numbers that belong to the customer can be assigned as 'cli'";
+ $c->log->error($err_msg);
+ &$err_code(HTTP_UNPROCESSABLE_ENTITY, $err_msg);
+ return;
+ }
+ last SWITCH;
+ };
 # no special treatment for *_sound_set deletion, as id is stored in right name
 /^rewrite_rule_set$/ && do {
 unless(exists $resource->{$k}) {
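Review bot: The ownership check in the new `/^cli$/` case runs only inside `foreach my $k(keys %{ $old_resource })`, so from these lines it appears to fire only when a `cli` value is already stored; a request that sets `cli` for the first time would need the same check wherever new keys are applied, which is outside this hunk. Nothing visible limits the case to the subscriberadmin role named in the commit subject, and `$resource->{$k}` is read without the `exists $resource->{$k}` test the neighbouring `rewrite_rule_set` case uses, so removing `cli` compares against undef and returns 422. I would gate the block on the caller's role and on `exists $resource->{$k}`, add `'me.username' => $cli` to the search so one row is looked up instead of loading every alias of the customer, and drop the leftover `$c->log->debug("NUMBERS");`. The enclosing `update_preferences` body starts and ends outside the hunk.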