From e3836dd5cc342a904e3fbb26e2f754f3fde509d9 Mon Sep 17 00:00:00 2001
From: Wytze van der Raay
Date: Mon, 15 Jul 2013 08:38:31 +0000
Subject: [PATCH] Fix for http://bugs.cacert.org/view.php?id=1173

While email or domain dispute check if the request belongs to a locked account and stop the process.
---
 www/disputes.php | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/www/disputes.php b/www/disputes.php
index f195ed5..4944d8c 100644
--- a/www/disputes.php
+++ b/www/disputes.php
@@ -236,6 +236,23 @@
 exit;
 }
 
+ //check if email belongs to locked account
+ $res = mysql_query("select 1 from `email`, `users` where `email`.`email`='$email' and `email`.`memid`=`users`.`id` and (`users`.`assurer_blocked`=1 or `users`.`locked`=1)");
+ if(mysql_num_rows($res) > 0)
+ {
+ showheader(_("Email Dispute"));
+ printf(_("Sorry, the email address '%s' cannot be disputed for administrative reasons. To solve this problem please get in contact with %s."), sanitizeHTML($email),"support@cacert.org");
+ $duser=$_SESSION['profile']['fname']." ".$_SESSION['profile']['lname'];
+ $body = sprintf("Someone has just attempted to dispute this email '%s', which belongs to a locked account:\n".
+ "Username(ID): %s (%s)\n".
+ "email: %s\n".
+ "IP/Hostname: %s\n", $email, $duser, $_SESSION['profile']['id'], $_SESSION['profile']['email'], $_SERVER['REMOTE_ADDR'].(array_key_exists('REMOTE_HOST',$_SERVER)?"/".$_SERVER['REMOTE_HOST']:""));
+ sendmail("support@cacert.org", "[CAcert.org] failed dispute on locked account", $body, $_SESSION['profile']['email'], "", "", $duser);
+
+ showfooter();
+ exit;
+ }
+
 $res = mysql_query("select * from `disputeemail` where `email`='$email' and hash!=''");
 if(mysql_num_rows($res) > 0)
 {
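Review bot: The locked-account guard in this hunk is repeated line for line in the domain hunk at `@@ -308`, differing only in the table, the column and the word email/domain, so the query and the support-mail template now live in two places that will drift apart the next time either is touched. Both copies also splice `$email` / `$domain` directly into `mysql_query()`; that matches the pre-existing `disputeemail` query on the context line and so presumably relies on escaping done earlier in the file, but since the old mysql extension offers no parameter binding it is worth stating that assumption in a comment such as `// $email is already escaped for mysql_query() above` at the head of the block. Pulling the check and the refusal page into two small helpers (sketched below, with the gettext calls kept at the call site so xgettext still sees string literals) reduces each site to an if/call pair, and the domain site becomes the same call with `"domains"`, `"domain"` and `$domain`. The enclosing request handler begins and ends outside the hunk.
```php
// Shared by the email and domain dispute checks. $value must already be
// escaped for mysql_query(), as the surrounding queries assume.
function dispute_target_is_locked($table, $column, $value)
{
	$res = mysql_query("select 1 from `$table`, `users` where `$table`.`$column`='$value' and `$table`.`memid`=`users`.`id` and (`users`.`assurer_blocked`=1 or `users`.`locked`=1)");
	return mysql_num_rows($res) > 0;
}

// Renders the refusal page, notifies support and ends the request.
function dispute_refuse_locked($title, $message, $kind, $value)
{
	showheader($title);
	echo $message;
	$duser = $_SESSION['profile']['fname']." ".$_SESSION['profile']['lname'];
	$body = sprintf("Someone has just attempted to dispute this %s '%s', which belongs to a locked account:\n".
		"Username(ID): %s (%s)\n".
		"email: %s\n".
		"IP/Hostname: %s\n", $kind, $value, $duser, $_SESSION['profile']['id'], $_SESSION['profile']['email'],
		$_SERVER['REMOTE_ADDR'].(array_key_exists('REMOTE_HOST', $_SERVER) ? "/".$_SERVER['REMOTE_HOST'] : ""));
	sendmail("support@cacert.org", "[CAcert.org] failed dispute on locked account", $body, $_SESSION['profile']['email'], "", "", $duser);
	showfooter();
	exit;
}

// … unchanged: earlier validation of $email …
if (dispute_target_is_locked("email", "email", $email)) {
	dispute_refuse_locked(_("Email Dispute"),
		sprintf(_("Sorry, the email address '%s' cannot be disputed for administrative reasons. To solve this problem please get in contact with %s."), sanitizeHTML($email), "support@cacert.org"),
		"email", $email);
}
// … unchanged: existing disputeemail query …
```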
@@ -308,6 +325,23 @@
 exit;
 }
 
+ //check if domain belongs to locked account
+ $res = mysql_query("select 1 from `domains`, `users` where `domains`.`domain`='$domain' and `domains`.`memid`=`users`.`id` and (`users`.`assurer_blocked`=1 or `users`.`locked`=1)");
+ if(mysql_num_rows($res) > 0)
+ {
+ showheader(_("Domain Dispute"));
+ printf(_("Sorry, the domain '%s' cannot be disputed for administrative reasons. To solve this problem please get in contact with %s."), sanitizeHTML($domain),"support@cacert.org");
+ $duser=$_SESSION['profile']['fname']." ".$_SESSION['profile']['lname'];
+ $body = sprintf("Someone has just attempted to dispute this domain '%s', which belongs to a locked account:\n".
+ "Username(ID): %s (%s)\n".
+ "email: %s\n".
+ "IP/Hostname: %s\n", $domain, $duser, $_SESSION['profile']['id'], $_SESSION['profile']['email'], $_SERVER['REMOTE_ADDR'].(array_key_exists('REMOTE_HOST',$_SERVER)?"/".$_SERVER['REMOTE_HOST']:""));
+ sendmail("support@cacert.org", "[CAcert.org] failed dispute on locked account", $body, $_SESSION['profile']['email'], "", "", $duser);
+
+ showfooter();
+ exit;
+ }
+
 $query = "select * from `disputedomain` where `domain`='$domain' and hash!=''";
 $res = mysql_query($query);
 if(mysql_num_rows($res) > 0)