Initial

web/delete/access-key/index.php

@@ -0,0 +1,50 @@
+<?php
+use function Hestiacp\quoteshellarg\quoteshellarg;
+
+ob_start();
+
+include $_SERVER["DOCUMENT_ROOT"] . "/inc/main.php";
+
+// Check token
+verify_csrf($_GET);
+
+if ($_SESSION["userContext"] === "admin" && !empty($_GET["user"])) {
+	$user = quoteshellarg($_GET["user"]);
+	$user_plain = $_GET["user"];
+}
+
+// Checks if API access is enabled
+$api_status =
+	!empty($_SESSION["API_SYSTEM"]) && is_numeric($_SESSION["API_SYSTEM"])
+		? $_SESSION["API_SYSTEM"]
+		: 0;
+if (($user_plain == "admin" && $api_status < 1) || ($user_plain != "admin" && $api_status < 2)) {
+	header("Location: /edit/user/");
+	exit();
+}
+
+if (!empty($_GET["key"])) {
+	$v_key = quoteshellarg(trim($_GET["key"]));
+
+	// Key data
+	exec(HESTIA_CMD . "v-list-access-key " . $v_key . " json", $output, $return_var);
+	$key_data = json_decode(implode("", $output), true);
+	unset($output);
+
+	if (empty($key_data) || $key_data["USER"] != $user_plain) {
+		header("Location: /list/access-key/");
+		exit();
+	}
+
+	exec(HESTIA_CMD . "v-delete-access-key " . $v_key, $output, $return_var);
+	check_return_code($return_var, $output);
+	unset($output);
+}
+
+$back = $_SESSION["back"];
+if (!empty($back)) {
+	header("Location: " . $back);
+	exit();
+}
+header("Location: /list/key/");
+exit();

web/delete/backup/exclusion/index.php

@@ -0,0 +1,32 @@
+<?php
+use function Hestiacp\quoteshellarg\quoteshellarg;
+
+ob_start();
+include $_SERVER["DOCUMENT_ROOT"] . "/inc/main.php";
+
+if ($_SESSION["userContext"] === "admin" && !empty($_GET["user"])) {
+	$user = quoteshellarg($_GET["user"]);
+}
+
+// Check token
+verify_csrf($_GET);
+
+if (!empty($_GET["system"])) {
+	$v_system = quoteshellarg($_GET["system"]);
+	exec(
+		HESTIA_CMD . "v-delete-user-backup-exclusions " . $user . " " . $v_system,
+		$output,
+		$return_var,
+	);
+}
+check_return_code($return_var, $output);
+unset($output);
+
+$back = $_SESSION["back"];
+if (!empty($back)) {
+	header("Location: " . $back);
+	exit();
+}
+
+header("Location: /list/backup/exclusions/");
+exit();

web/delete/backup/index.php

@@ -0,0 +1,28 @@
+<?php
+use function Hestiacp\quoteshellarg\quoteshellarg;
+
+ob_start();
+include $_SERVER["DOCUMENT_ROOT"] . "/inc/main.php";
+
+if ($_SESSION["userContext"] === "admin" && !empty($_GET["user"])) {
+	$user = quoteshellarg($_GET["user"]);
+}
+
+// Check token
+verify_csrf($_GET);
+
+if (!empty($_GET["backup"])) {
+	$v_backup = quoteshellarg($_GET["backup"]);
+	exec(HESTIA_CMD . "v-delete-user-backup " . $user . " " . $v_backup, $output, $return_var);
+}
+check_return_code($return_var, $output);
+unset($output);
+
+$back = $_SESSION["back"];
+if (!empty($back)) {
+	header("Location: " . $back);
+	exit();
+}
+
+header("Location: /list/backup/");
+exit();

web/delete/cron/autoupdate/index.php

@@ -0,0 +1,18 @@
+<?php
+
+ob_start();
+include $_SERVER["DOCUMENT_ROOT"] . "/inc/main.php";
+
+// Check token
+verify_csrf($_GET);
+
+if (
+	($_SESSION["userContext"] === "admin" && $_SESSION["POLICY_SYSTEM_HIDE_SERVICES"] == "no") ||
+	$_SESSION["user"] == "admin"
+) {
+	exec(HESTIA_CMD . "v-delete-cron-hestia-autoupdate", $output, $return_var);
+	unset($output);
+}
+
+header("Location: /list/updates/");
+exit();

web/delete/cron/index.php

@@ -0,0 +1,29 @@
+<?php
+use function Hestiacp\quoteshellarg\quoteshellarg;
+
+ob_start();
+include $_SERVER["DOCUMENT_ROOT"] . "/inc/main.php";
+
+if ($_SESSION["userContext"] === "admin" && !empty($_GET["user"])) {
+	$user = quoteshellarg($_GET["user"]);
+}
+
+// Check token
+verify_csrf($_GET);
+
+if (!empty($_GET["job"])) {
+	$v_username = quoteshellarg($user);
+	$v_job = quoteshellarg($_GET["job"]);
+	exec(HESTIA_CMD . "v-delete-cron-job " . $user . " " . $v_job, $output, $return_var);
+}
+check_return_code($return_var, $output);
+unset($output);
+
+$back = $_SESSION["back"];
+if (!empty($back)) {
+	header("Location: " . $back);
+	exit();
+}
+
+header("Location: /list/cron/");
+exit();

web/delete/cron/reports/index.php

@@ -0,0 +1,13 @@
+<?php
+
+ob_start();
+include $_SERVER["DOCUMENT_ROOT"] . "/inc/main.php";
+
+// Check token
+verify_csrf($_GET);
+
+exec(HESTIA_CMD . "v-delete-cron-reports " . $user, $output, $return_var);
+unset($output);
+
+header("Location: /list/cron/");
+exit();

web/delete/db/index.php

@@ -0,0 +1,28 @@
+<?php
+use function Hestiacp\quoteshellarg\quoteshellarg;
+
+ob_start();
+include $_SERVER["DOCUMENT_ROOT"] . "/inc/main.php";
+
+if ($_SESSION["userContext"] === "admin" && !empty($_GET["user"])) {
+	$user = quoteshellarg($_GET["user"]);
+}
+
+// Check token
+verify_csrf($_GET);
+
+if (!empty($_GET["database"])) {
+	$v_database = quoteshellarg($_GET["database"]);
+	exec(HESTIA_CMD . "v-delete-database " . $user . " " . $v_database, $output, $return_var);
+}
+check_return_code($return_var, $output);
+unset($output);
+
+$back = $_SESSION["back"];
+if (!empty($back)) {
+	header("Location: " . $back);
+	exit();
+}
+
+header("Location: /list/db/");
+exit();

web/delete/dns/index.php

@@ -0,0 +1,63 @@
+<?php
+use function Hestiacp\quoteshellarg\quoteshellarg;
+
+ob_start();
+include $_SERVER["DOCUMENT_ROOT"] . "/inc/main.php";
+
+// Delete as someone else?
+if ($_SESSION["userContext"] === "admin" && !empty($_GET["user"])) {
+	$user = quoteshellarg($_GET["user"]);
+}
+
+// Check token
+verify_csrf($_GET);
+
+// DNS domain
+if (!empty($_GET["domain"]) && empty($_GET["record_id"])) {
+	$v_domain = quoteshellarg($_GET["domain"]);
+	exec(HESTIA_CMD . "v-delete-dns-domain " . $user . " " . $v_domain, $output, $return_var);
+	check_return_code($return_var, $output);
+	unset($output);
+
+	$back = $_SESSION["back"];
+	if (!empty($back)) {
+		header("Location: " . $back);
+		exit();
+	}
+	header("Location: /list/dns/");
+	exit();
+}
+
+// DNS record
+if (!empty($_GET["domain"]) && !empty($_GET["record_id"])) {
+	$v_domain = quoteshellarg($_GET["domain"]);
+	$v_record_id = quoteshellarg($_GET["record_id"]);
+	exec(
+		HESTIA_CMD . "v-delete-dns-record " . $user . " " . $v_domain . " " . $v_record_id,
+		$output,
+		$return_var,
+	);
+	check_return_code($return_var, $output);
+	unset($output);
+	$back = $_SESSION["back"];
+	if (!empty($back)) {
+		header("Location: " . $back);
+		exit();
+	}
+	if ($return_var > 0) {
+		header("Location: /list/dns/");
+		exit();
+	} else {
+		header("Location: /list/dns/?domain=" . $_GET["domain"]);
+		exit();
+	}
+}
+
+$back = $_SESSION["back"];
+if (!empty($back)) {
+	header("Location: " . $back);
+	exit();
+}
+
+header("Location: /list/dns/");
+exit();

web/delete/firewall/banlist/index.php

@@ -0,0 +1,32 @@
+<?php
+use function Hestiacp\quoteshellarg\quoteshellarg;
+
+ob_start();
+// Main include
+include $_SERVER["DOCUMENT_ROOT"] . "/inc/main.php";
+
+// Check user
+if ($_SESSION["userContext"] != "admin") {
+	header("Location: /list/user");
+	exit();
+}
+
+// Check token
+verify_csrf($_GET);
+
+if (!empty($_GET["ip"]) && !empty($_GET["chain"])) {
+	$v_ip = quoteshellarg($_GET["ip"]);
+	$v_chain = quoteshellarg($_GET["chain"]);
+	exec(HESTIA_CMD . "v-delete-firewall-ban " . $v_ip . " " . $v_chain, $output, $return_var);
+}
+check_return_code($return_var, $output);
+unset($output);
+
+$back = $_SESSION["back"];
+if (!empty($back)) {
+	header("Location: " . $back);
+	exit();
+}
+
+header("Location: /list/firewall/banlist/");
+exit();

web/delete/firewall/index.php

@@ -0,0 +1,31 @@
+<?php
+use function Hestiacp\quoteshellarg\quoteshellarg;
+
+ob_start();
+// Main include
+include $_SERVER["DOCUMENT_ROOT"] . "/inc/main.php";
+
+// Check user
+if ($_SESSION["userContext"] != "admin") {
+	header("Location: /list/user");
+	exit();
+}
+
+// Check token
+verify_csrf($_GET);
+
+if (!empty($_GET["rule"])) {
+	$v_rule = quoteshellarg($_GET["rule"]);
+	exec(HESTIA_CMD . "v-delete-firewall-rule " . $v_rule, $output, $return_var);
+}
+check_return_code($return_var, $output);
+unset($output);
+
+$back = $_SESSION["back"];
+if (!empty($back)) {
+	header("Location: " . $back);
+	exit();
+}
+
+header("Location: /list/firewall/");
+exit();

web/delete/firewall/ipset/index.php

@@ -0,0 +1,35 @@
+<?php
+use function Hestiacp\quoteshellarg\quoteshellarg;
+
+ob_start();
+// Main include
+include $_SERVER["DOCUMENT_ROOT"] . "/inc/main.php";
+
+// Check user
+if ($_SESSION["userContext"] != "admin") {
+	header("Location: /list/user");
+	exit();
+}
+
+// Check token
+verify_csrf($_GET);
+
+if (!empty($_GET["listname"])) {
+	$v_listname = $_GET["listname"];
+	exec(
+		HESTIA_CMD . "v-delete-firewall-ipset " . quoteshellarg($v_listname),
+		$output,
+		$return_var,
+	);
+}
+check_return_code($return_var, $output);
+unset($output);
+
+$back = $_SESSION["back"];
+if (!empty($back)) {
+	header("Location: " . $back);
+	exit();
+}
+
+header("Location: /list/firewall/ipset/");
+exit();

web/delete/ip/index.php

@@ -0,0 +1,26 @@
+<?php
+use function Hestiacp\quoteshellarg\quoteshellarg;
+
+ob_start();
+include $_SERVER["DOCUMENT_ROOT"] . "/inc/main.php";
+
+// Check token
+verify_csrf($_GET);
+
+if ($_SESSION["userContext"] === "admin") {
+	if (!empty($_GET["ip"])) {
+		$v_ip = quoteshellarg($_GET["ip"]);
+		exec(HESTIA_CMD . "v-delete-sys-ip " . $v_ip, $output, $return_var);
+	}
+	check_return_code($return_var, $output);
+	unset($output);
+}
+
+$back = $_SESSION["back"];
+if (!empty($back)) {
+	header("Location: " . $back);
+	exit();
+}
+
+header("Location: /list/ip/");
+exit();

web/delete/key/index.php

@@ -0,0 +1,29 @@
+<?php
+use function Hestiacp\quoteshellarg\quoteshellarg;
+
+ob_start();
+include $_SERVER["DOCUMENT_ROOT"] . "/inc/main.php";
+
+// Check token
+verify_csrf($_GET);
+
+if ($_SESSION["userContext"] === "admin" && !empty($_GET["user"])) {
+	$user = quoteshellarg($_GET["user"]);
+}
+
+if (!empty($_GET["key"])) {
+	$v_key = quoteshellarg(trim($_GET["key"]));
+	exec(HESTIA_CMD . "v-delete-user-ssh-key " . $user . " " . $v_key, $output, $return_var);
+	check_return_code($return_var, $output);
+}
+
+unset($output);
+
+//die();
+$back = $_SESSION["back"];
+if (!empty($back)) {
+	header("Location: " . $back);
+	exit();
+}
+header("Location: /list/key/");
+exit();

web/delete/log/auth/index.php

@@ -0,0 +1,60 @@
+<?php
+use function Hestiacp\quoteshellarg\quoteshellarg;
+
+include $_SERVER["DOCUMENT_ROOT"] . "/inc/main.php";
+
+// Check token
+verify_csrf($_GET);
+
+// Check if administrator is viewing system log (currently 'admin' user)
+if ($_SESSION["userContext"] === "admin" && isset($_GET["user"])) {
+	$user = quoteshellarg($_GET["user"]);
+	$token = $_SESSION["token"];
+}
+
+// Clear log
+exec(HESTIA_CMD . "v-delete-user-auth-log " . $user, $output, $return_var);
+check_return_code($return_var, $output);
+unset($output);
+
+$ip = $_SERVER["REMOTE_ADDR"];
+if (isset($_SERVER["HTTP_CF_CONNECTING_IP"])) {
+	if (!empty($_SERVER["HTTP_CF_CONNECTING_IP"])) {
+		$ip = $_SERVER["HTTP_CF_CONNECTING_IP"];
+	}
+}
+$v_ip = quoteshellarg($ip);
+$user_agent = $_SERVER["HTTP_USER_AGENT"];
+$v_user_agent = quoteshellarg($user_agent);
+
+$v_session_id = quoteshellarg($_SESSION["token"]);
+
+// Add current user session back to log unless impersonating another user
+if (!isset($_SESSION["look"])) {
+	exec(
+		HESTIA_CMD .
+			"v-log-user-login " .
+			$user .
+			" " .
+			$v_ip .
+			" success " .
+			$v_session_id .
+			" " .
+			$v_user_agent,
+		$output,
+		$return_var,
+	);
+}
+
+// Flush session messages
+unset($_SESSION["error_msg"]);
+unset($_SESSION["ok_msg"]);
+
+// Set correct page reload target
+if ($_SESSION["userContext"] === "admin" && !empty($_GET["user"])) {
+	header("Location: /list/log/auth/?user=" . $_GET["user"] . "&token=$token");
+} else {
+	header("Location: /list/log/auth/");
+}
+
+exit();

web/delete/log/index.php

@@ -0,0 +1,39 @@
+<?php
+use function Hestiacp\quoteshellarg\quoteshellarg;
+
+include $_SERVER["DOCUMENT_ROOT"] . "/inc/main.php";
+
+// Check token
+verify_csrf($_GET);
+
+// Check if administrator is viewing system log (currently 'admin' user)
+if ($_SESSION["userContext"] === "admin" && !empty($_GET["user"])) {
+	$user = quoteshellarg($_GET["user"]);
+	$token = $_SESSION["token"];
+}
+
+// Clear log
+exec(HESTIA_CMD . "v-delete-user-log " . $user, $output, $return_var);
+check_return_code($return_var, $output);
+unset($output);
+
+if ($return_var > 0) {
+	header("Location: /list/log/");
+} else {
+	// Set correct page reload target
+	if ($_SESSION["userContext"] === "admin" && !empty($_GET["user"])) {
+		if ($_GET["user"] != "system") {
+			header("Location: /list/log/?user=" . $_GET["user"] . "&token=$token");
+		} else {
+			header("Location: /list/log/?user=system&token=$token");
+		}
+	} else {
+		header("Location: /list/log/");
+	}
+}
+
+// Flush session messages
+unset($_SESSION["error_msg"]);
+unset($_SESSION["ok_msg"]);
+
+exit();

web/delete/mail/index.php

@@ -0,0 +1,65 @@
+<?php
+use function Hestiacp\quoteshellarg\quoteshellarg;
+
+ob_start();
+include $_SERVER["DOCUMENT_ROOT"] . "/inc/main.php";
+
+// Delete as someone else?
+if ($_SESSION["userContext"] === "admin" && !empty($_GET["user"])) {
+	$user = quoteshellarg($user);
+}
+
+// Check token
+verify_csrf($_GET);
+
+// Mail domain
+if (!empty($_GET["domain"]) && empty($_GET["account"])) {
+	$v_username = quoteshellarg($user);
+	$v_domain = quoteshellarg($_GET["domain"]);
+	exec(HESTIA_CMD . "v-delete-mail-domain " . $user . " " . $v_domain, $output, $return_var);
+	check_return_code($return_var, $output);
+	unset($output);
+	$back = $_SESSION["back"];
+	if ($return_var > 0) {
+		header("Location: /list/mail/");
+	}
+	if (!empty($back)) {
+		header("Location: " . $back);
+		exit();
+	}
+	header("Location: /list/mail/");
+	exit();
+}
+
+// Mail account
+if (!empty($_GET["domain"]) && !empty($_GET["account"])) {
+	$v_domain = quoteshellarg($_GET["domain"]);
+	$v_account = quoteshellarg($_GET["account"]);
+	exec(
+		HESTIA_CMD . "v-delete-mail-account " . $user . " " . $v_domain . " " . $v_account,
+		$output,
+		$return_var,
+	);
+	check_return_code($return_var, $output);
+	unset($output);
+	if ($return_var > 0) {
+		header("Location: /list/mail/");
+	} else {
+		$back = $_SESSION["back"];
+		if (!empty($back)) {
+			header("Location: " . $back);
+			exit();
+		}
+		header("Location: /list/mail/?domain=" . $_GET["domain"]);
+		exit();
+	}
+}
+
+$back = $_SESSION["back"];
+if (!empty($back)) {
+	header("Location: " . $back);
+	exit();
+}
+
+header("Location: /list/mail/");
+exit();

web/delete/notification/index.php

@@ -0,0 +1,41 @@
+<?php
+use function Hestiacp\quoteshellarg\quoteshellarg;
+
+include $_SERVER["DOCUMENT_ROOT"] . "/inc/main.php";
+
+// Check token
+verify_csrf($_GET);
+
+if ($_GET["delete"] == 1) {
+	if (empty($_GET["notification_id"])) {
+		exec(HESTIA_CMD . "v-delete-user-notification " . $user . " all", $output, $return_var);
+	} else {
+		$v_id = quoteshellarg((int) $_GET["notification_id"]);
+		exec(
+			HESTIA_CMD . "v-delete-user-notification " . $user . " " . $v_id,
+			$output,
+			$return_var,
+		);
+	}
+	check_return_code($return_var, $output);
+	unset($output);
+} else {
+	if (empty($_GET["notification_id"])) {
+		exec(
+			HESTIA_CMD . "v-acknowledge-user-notification " . $user . " all",
+			$output,
+			$return_var,
+		);
+	} else {
+		$v_id = quoteshellarg((int) $_GET["notification_id"]);
+		exec(
+			HESTIA_CMD . "v-acknowledge-user-notification " . $user . " " . $v_id,
+			$output,
+			$return_var,
+		);
+		check_return_code($return_var, $output);
+		unset($output);
+	}
+}
+
+exit();

web/delete/package/index.php

@@ -0,0 +1,32 @@
+<?php
+use function Hestiacp\quoteshellarg\quoteshellarg;
+
+ob_start();
+include $_SERVER["DOCUMENT_ROOT"] . "/inc/main.php";
+
+// Check token
+verify_csrf($_GET);
+
+// Prevent editing of default package
+if ($_GET["package"] === "default") {
+	header("Location: /list/package/");
+	exit();
+}
+
+if ($_SESSION["userContext"] === "admin") {
+	if (!empty($_GET["package"])) {
+		$v_package = quoteshellarg($_GET["package"]);
+		exec(HESTIA_CMD . "v-delete-user-package " . $v_package, $output, $return_var);
+	}
+	check_return_code($return_var, $output);
+	unset($output);
+}
+
+$back = $_SESSION["back"];
+if (!empty($back)) {
+	header("Location: " . $back);
+	exit();
+}
+
+header("Location: /list/package/");
+exit();

web/delete/user/index.php

@@ -0,0 +1,27 @@
+<?php
+use function Hestiacp\quoteshellarg\quoteshellarg;
+
+ob_start();
+include $_SERVER["DOCUMENT_ROOT"] . "/inc/main.php";
+
+// Check token
+verify_csrf($_GET);
+
+if ($_SESSION["userContext"] === "admin") {
+	if (!empty($_GET["user"])) {
+		$v_username = quoteshellarg($_GET["user"]);
+		exec(HESTIA_CMD . "v-delete-user " . $v_username, $output, $return_var);
+	}
+	check_return_code($return_var, $output);
+	unset($_SESSION["look"]);
+	unset($output);
+}
+
+$back = $_SESSION["back"];
+if (!empty($back)) {
+	header("Location: " . $back);
+	exit();
+}
+
+header("Location: /list/user/");
+exit();

web/delete/web/cache/index.php

@@ -0,0 +1,22 @@
+<?php
+use function Hestiacp\quoteshellarg\quoteshellarg;
+
+ob_start();
+include $_SERVER["DOCUMENT_ROOT"] . "/inc/main.php";
+
+// Check token
+verify_csrf($_GET);
+
+// Delete as someone else?
+if ($_SESSION["userContext"] === "admin" && !empty($_GET["user"])) {
+	$user = quoteshellarg($_GET["user"]);
+}
+
+if (!empty($_GET["domain"])) {
+	$v_domain = quoteshellarg($_GET["domain"]);
+	exec(HESTIA_CMD . "v-purge-nginx-cache " . $user . " " . $v_domain, $output, $return_var);
+	check_return_code($return_var, $output);
+}
+$_SESSION["ok_msg"] = _("NGINX cache has been purged successfully.");
+header("Location: /edit/web/?domain=" . $_GET["domain"]);
+exit();

web/delete/web/index.php

@@ -0,0 +1,33 @@
+<?php
+use function Hestiacp\quoteshellarg\quoteshellarg;
+
+ob_start();
+include $_SERVER["DOCUMENT_ROOT"] . "/inc/main.php";
+
+// Check token
+verify_csrf($_GET);
+
+// Delete as someone else?
+if ($_SESSION["userContext"] === "admin" && !empty($_GET["user"])) {
+	$user = quoteshellarg($user);
+}
+
+if (!empty($_GET["domain"])) {
+	$v_domain = quoteshellarg($_GET["domain"]);
+	exec(
+		HESTIA_CMD . "v-delete-web-domain " . $user . " " . $v_domain . " 'yes'",
+		$output,
+		$return_var,
+	);
+	check_return_code($return_var, $output);
+	unset($output);
+}
+
+$back = $_SESSION["back"];
+if (!empty($back)) {
+	header("Location: " . $back);
+	exit();
+}
+
+header("Location: /list/web/");
+exit();