diff --git a/data/conf/phpfpm/crons/keycloak-sync.php b/data/conf/phpfpm/crons/keycloak-sync.php index f6d92266f..98010648b 100644 --- a/data/conf/phpfpm/crons/keycloak-sync.php +++ b/data/conf/phpfpm/crons/keycloak-sync.php @@ -188,6 +188,7 @@ while (true) { continue; } + $_SESSION['access_all_exception'] = '1'; if (!$row && intval($iam_settings['import_users']) == 1){ // mailbox user does not exist, create... logMsg("info", "Creating user " . $user['email']); @@ -196,8 +197,7 @@ while (true) { 'local_part' => explode('@', $user['email'])[0], 'name' => $user['firstName'] . " " . $user['lastName'], 'authsource' => 'keycloak', - 'template' => $mbox_template, - 'hasAccess' => true + 'template' => $mbox_template )); } else if ($row && intval($iam_settings['periodic_sync']) == 1) { // mailbox user does exist, sync attribtues... @@ -205,13 +205,13 @@ while (true) { mailbox('edit', 'mailbox_from_template', array( 'username' => $user['email'], 'name' => $user['firstName'] . " " . $user['lastName'], - 'template' => $mbox_template, - 'hasAccess' => true + 'template' => $mbox_template )); } else { // skip mailbox user logMsg("info", "Skipping user " . $user['email']); } + $_SESSION['access_all_exception'] = '0'; sleep(0.025); } diff --git a/data/conf/phpfpm/crons/ldap-sync.php b/data/conf/phpfpm/crons/ldap-sync.php index 87f2dddb9..8f7a08bf5 100644 --- a/data/conf/phpfpm/crons/ldap-sync.php +++ b/data/conf/phpfpm/crons/ldap-sync.php @@ -152,6 +152,7 @@ foreach ($response as $user) { continue; } + $_SESSION['access_all_exception'] = '1'; if (!$row && intval($iam_settings['import_users']) == 1){ // mailbox user does not exist, create... logMsg("info", "Creating user " . $user[$iam_settings['username_field']][0]); 
@@ -160,8 +161,7 @@ foreach ($response as $user) { 'local_part' => explode('@', $user[$iam_settings['username_field']][0])[0], 'name' => $user['displayname'][0], 'authsource' => 'ldap', - 'template' => $mbox_template, - 'hasAccess' => true + 'template' => $mbox_template )); } else if ($row && intval($iam_settings['periodic_sync']) == 1) { // mailbox user does exist, sync attribtues... @@ -169,13 +169,13 @@ foreach ($response as $user) { mailbox('edit', 'mailbox_from_template', array( 'username' => $user[$iam_settings['username_field']][0], 'name' => $user['displayname'][0], - 'template' => $mbox_template, - 'hasAccess' => true + 'template' => $mbox_template )); } else { // skip mailbox user logMsg("info", "Skipping user " . $user[$iam_settings['username_field']][0]); } + $_SESSION['access_all_exception'] = '0'; sleep(0.025); } diff --git a/data/web/inc/functions.acl.inc.php b/data/web/inc/functions.acl.inc.php index ffc7408fe..dde9b1236 100644 --- a/data/web/inc/functions.acl.inc.php +++ b/data/web/inc/functions.acl.inc.php @@ -23,8 +23,8 @@ function acl($_action, $_scope = null, $_data = null, $_extra = null) { $acl_post[$acl_val] = 1; } // Users cannot change their own ACL - if (!$_extra['hasAccess'] && (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username) - || ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin'))) { + if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username) + || ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin' && $_SESSION['access_all_exception'] != '1')) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log), 
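Review bot: The rewritten role check in acl() reads `$_SESSION['access_all_exception']` directly and with a loose `!=`, while the helpers in functions.inc.php guard the same key with `isset()`; the same direct read is added in the ratelimit() edit check and in the `mailbox_templates` get check. An unset key fails closed here, but it raises an undefined-index notice and leaves several spellings of one privileged test. Consider a single helper that returns `isset($_SESSION['access_all_exception']) && $_SESSION['access_all_exception'] === '1'` and use it at all of these sites. The existing comment `// Users cannot change their own ACL` also no longer describes the whole condition; the body of acl() continues outside the hunk.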
@@ -130,7 +130,7 @@ function acl($_action, $_scope = null, $_data = null, $_extra = null) { case 'get': switch ($_scope) { case 'user': - if (!$_extra['hasAccess'] && !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) { + if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) { return false; } $stmt = $pdo->prepare("SELECT * FROM `user_acl` WHERE `username` = :username"); diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php index f9d82f1ad..62329e305 100644 --- a/data/web/inc/functions.auth.inc.php +++ b/data/web/inc/functions.auth.inc.php @@ -457,12 +457,13 @@ function keycloak_mbox_login_rest($user, $pass, $extra = null){ // login success if ($mapper_key !== false) { // update user + $_SESSION['access_all_exception'] = '1'; mailbox('edit', 'mailbox_from_template', array( 'username' => $user, 'name' => $user_res['name'], - 'template' => $iam_settings['templates'][$mapper_key], - 'hasAccess' => true + 'template' => $iam_settings['templates'][$mapper_key] )); + $_SESSION['access_all_exception'] = '0'; } return 'user'; } @@ -472,14 +473,15 @@ function keycloak_mbox_login_rest($user, $pass, $extra = null){ if ($mapper_key === false) return false; // create mailbox + $_SESSION['access_all_exception'] = '1'; $create_res = mailbox('add', 'mailbox_from_template', array( 'domain' => explode('@', $user)[1], 'local_part' => explode('@', $user)[0], 'name' => $user_res['name'], 'authsource' => 'keycloak', - 'template' => $iam_settings['templates'][$mapper_key], - 'hasAccess' => true + 'template' => $iam_settings['templates'][$mapper_key] )); + $_SESSION['access_all_exception'] = '0'; if (!$create_res){ clear_session(); return false; 
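Review bot: The bypass flag is cleared only when `mailbox()` returns normally; if the call throws or the script ends inside it, `access_all_exception` stays `'1'` in `$_SESSION`, and the helpers changed in functions.inc.php then return true for every domain, mailbox, alias and ACL check made with that session. Because the value lives in session data rather than in a request-local variable, it can be written to the session store of the user who is logging in. Wrap the call as `try { mailbox(...); } finally { $_SESSION['access_all_exception'] = '0'; }`, or keep the override in a variable that is never persisted. The same set/call/reset pattern is in the second hunk of keycloak_mbox_login_rest(), in ldap_mbox_login(), in identity_provider() and in both cron sync loops; the function body continues outside this hunk.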
@@ -556,12 +558,13 @@ function ldap_mbox_login($user, $pass, $extra = null){ // login success if ($mapper_key !== false) { // update user + $_SESSION['access_all_exception'] = '1'; mailbox('edit', 'mailbox_from_template', array( 'username' => $user, 'name' => $user_res['displayname'][0], - 'template' => $iam_settings['templates'][$mapper_key], - 'hasAccess' => true + 'template' => $iam_settings['templates'][$mapper_key] )); + $_SESSION['access_all_exception'] = '0'; } return 'user'; } @@ -571,14 +574,15 @@ function ldap_mbox_login($user, $pass, $extra = null){ if ($mapper_key === false) return false; // create mailbox + $_SESSION['access_all_exception'] = '1'; $create_res = mailbox('add', 'mailbox_from_template', array( 'domain' => explode('@', $user)[1], 'local_part' => explode('@', $user)[0], 'name' => $user_res['displayname'][0], 'authsource' => 'ldap', - 'template' => $iam_settings['templates'][$mapper_key], - 'hasAccess' => true + 'template' => $iam_settings['templates'][$mapper_key] )); + $_SESSION['access_all_exception'] = '0'; if (!$create_res){ clear_session(); return false; diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index d351eccf4..ed41379f4 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -538,10 +538,13 @@ function logger($_data = false) { } function hasDomainAccess($username, $role, $domain) { global $pdo; - if (!filter_var($username, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) { + if (empty($domain) || !is_valid_domain_name($domain)) { return false; } - if (empty($domain) || !is_valid_domain_name($domain)) { + if (isset($_SESSION['access_all_exception']) && $_SESSION['access_all_exception'] == "1") { + return true; + } + if (!filter_var($username, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) { return false; } if ($role != 'admin' && $role != 'domainadmin') { 
@@ -577,6 +580,9 @@ function hasDomainAccess($username, $role, $domain) { } function hasMailboxObjectAccess($username, $role, $object) { global $pdo; + if (isset($_SESSION['access_all_exception']) && $_SESSION['access_all_exception'] == "1") { + return true; + } if (empty($username) || empty($role) || empty($object)) { return false; } @@ -600,6 +606,9 @@ function hasMailboxObjectAccess($username, $role, $object) { // does also verify mailboxes as a mailbox is a alias == goto function hasAliasObjectAccess($username, $role, $object) { global $pdo; + if (isset($_SESSION['access_all_exception']) && $_SESSION['access_all_exception'] == "1") { + return true; + } if (empty($username) || empty($role) || empty($object)) { return false; } @@ -617,6 +626,16 @@ function hasAliasObjectAccess($username, $role, $object) { } return false; } +function hasACLAccess($type) { + if (isset($_SESSION['access_all_exception']) && $_SESSION['access_all_exception'] == "1") { + return true; + } + if (isset($_SESSION['acl'][$type]) && $_SESSION['acl'][$type] == "1") { + return true; + } + + return false; +} function pem_to_der($pem_key) { // Need to remove BEGIN/END PUBLIC KEY $lines = explode("\n", trim($pem_key)); @@ -2530,12 +2549,13 @@ function identity_provider($_action = null, $_data = null, $_extra = null) { // success if ($mapper_key !== false) { // update user + $_SESSION['access_all_exception'] = '1'; mailbox('edit', 'mailbox_from_template', array( 'username' => $info['email'], 'name' => $info['name'], - 'template' => $iam_settings['templates'][$mapper_key], - 'hasAccess' => true + 'template' => $iam_settings['templates'][$mapper_key] )); + $_SESSION['access_all_exception'] = '0'; } set_user_loggedin_session($info['email']); $_SESSION['iam_token'] = $plain_token; 
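Review bot: With the flag set, hasMailboxObjectAccess() returns true before the `empty($object)` test, so an empty object is reported as accessible; hasAliasObjectAccess() in the next hunk does the same, whereas hasDomainAccess() validates `$domain` before honoring the flag. Since `$username` and `$role` are presumably allowed to be empty for the sync callers, split the guard: `if (empty($object)) { return false; }` first, then the flag check, then the existing combined test. The function body continues outside the hunk.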
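Review bot: hasACLAccess() has no comment stating that it returns true for any `$type` while `access_all_exception` is set, which is what a reader of the new call sites in mailbox() and ratelimit() most needs to know. Add a short docblock naming the two sources of a grant (the sync/login override and `$_SESSION['acl'][$type]`) and stating that every other case is denied. The override test `isset(...) && ... == "1"` is now repeated verbatim in four functions in this file; one small helper would keep the copies from drifting apart.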
@@ -2568,14 +2588,15 @@ function identity_provider($_action = null, $_data = null, $_extra = null) { } // create mailbox + $_SESSION['access_all_exception'] = '1'; $create_res = mailbox('add', 'mailbox_from_template', array( 'domain' => explode('@', $info['email'])[1], 'local_part' => explode('@', $info['email'])[0], 'name' => $info['name'], 'authsource' => $iam_settings['authsource'], - 'template' => $iam_settings['templates'][$mapper_key], - 'hasAccess' => true + 'template' => $iam_settings['templates'][$mapper_key] )); + $_SESSION['access_all_exception'] = '0'; if (!$create_res){ clear_session(); $_SESSION['return'][] = array( diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php index c63a0d37b..84bc3f169 100644 --- a/data/web/inc/functions.mailbox.inc.php +++ b/data/web/inc/functions.mailbox.inc.php @@ -1045,7 +1045,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { $password2 = ''; $password_hashed = ''; } - if (!$_extra['hasAccess'] && ((!isset($_SESSION['acl']['unlimited_quota']) || $_SESSION['acl']['unlimited_quota'] != "1") && $quota_m === 0)) { + if (!hasACLAccess("unlimited_quota") && $quota_m === 0) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), @@ -1104,7 +1104,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { ); return false; } - if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain) && !$_extra['hasAccess']) { + if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain)) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), 
@@ -1385,7 +1385,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { } } - return mailbox('add', 'mailbox', $mailbox_attributes, array('hasAccess' => $_data['hasAccess'])); + return mailbox('add', 'mailbox', $mailbox_attributes); break; case 'resource': $domain = idn_to_ascii(strtolower(trim($_data['domain'])), 0, INTL_IDNA_VARIANT_UTS46); @@ -1753,7 +1753,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { else { $usernames = $_data['username']; } - if (!$_extra['hasAccess'] && (!isset($_SESSION['acl']['tls_policy']) || $_SESSION['acl']['tls_policy'] != "1")) { + if (!hasACLAccess("tls_policy")) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), @@ -1762,7 +1762,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { return false; } foreach ($usernames as $username) { - if (!$_extra['hasAccess'] && (!filter_var($username, FILTER_VALIDATE_EMAIL) || !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username))) { + if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), @@ -1807,7 +1807,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { else { $usernames = $_data['username']; } - if (!$_extra['hasAccess'] && (!isset($_SESSION['acl']['quarantine_notification']) || $_SESSION['acl']['quarantine_notification'] != "1")) { + if (!hasACLAccess("quarantine_notification")) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), 
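Review bot: The per-username check in the `tls_policy` loop no longer calls `filter_var($username, FILTER_VALIDATE_EMAIL)` for any caller, although the old code skipped it only when `hasAccess` was set. Unless hasMailboxObjectAccess() validates its third argument (most of its body is outside this diff), `$username` now reaches the code after the check unvalidated, and while the override flag is set the helper returns true without inspecting it at all. Keeping the test is a one-line change: `if (!filter_var($username, FILTER_VALIDATE_EMAIL) || !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) {`. The same removal is made in the `quarantine_notification` and `quarantine_category` loops in the following hunks.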
@@ -1816,7 +1816,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { return false; } foreach ($usernames as $username) { - if (!$_extra['hasAccess'] && (!filter_var($username, FILTER_VALIDATE_EMAIL) || !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username))) { + if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), @@ -1866,7 +1866,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { else { $usernames = $_data['username']; } - if (!$_extra['hasAccess'] && (!isset($_SESSION['acl']['quarantine_category']) || $_SESSION['acl']['quarantine_category'] != "1")) { + if (!hasACLAccess("quarantine_category")) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), @@ -1875,7 +1875,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { return false; } foreach ($usernames as $username) { - if (!$_extra['hasAccess'] && (!filter_var($username, FILTER_VALIDATE_EMAIL) || !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username))) { + if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), 
@@ -2938,12 +2938,12 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { if (!empty($is_now)) { $active = (isset($_data['active'])) ? intval($_data['active']) : $is_now['active']; (int)$force_pw_update = (isset($_data['force_pw_update'])) ? intval($_data['force_pw_update']) : intval($is_now['attributes']['force_pw_update']); - (int)$sogo_access = ((isset($_data['sogo_access']) && isset($_SESSION['acl']['sogo_access']) && $_SESSION['acl']['sogo_access'] == "1") || $_extra['hasAccess']) ? intval($_data['sogo_access']) : intval($is_now['attributes']['sogo_access']); - (int)$imap_access = ((isset($_data['imap_access']) && isset($_SESSION['acl']['protocol_access']) && $_SESSION['acl']['protocol_access'] == "1") || $_extra['hasAccess']) ? intval($_data['imap_access']) : intval($is_now['attributes']['imap_access']); - (int)$pop3_access = ((isset($_data['pop3_access']) && isset($_SESSION['acl']['protocol_access']) && $_SESSION['acl']['protocol_access'] == "1") || $_extra['hasAccess']) ? intval($_data['pop3_access']) : intval($is_now['attributes']['pop3_access']); - (int)$smtp_access = ((isset($_data['smtp_access']) && isset($_SESSION['acl']['protocol_access']) && $_SESSION['acl']['protocol_access'] == "1") || $_extra['hasAccess']) ? intval($_data['smtp_access']) : intval($is_now['attributes']['smtp_access']); - (int)$sieve_access = ((isset($_data['sieve_access']) && isset($_SESSION['acl']['protocol_access']) && $_SESSION['acl']['protocol_access'] == "1") || $_extra['hasAccess']) ? intval($_data['sieve_access']) : intval($is_now['attributes']['sieve_access']); - (int)$relayhost = ((isset($_data['relayhost']) && isset($_SESSION['acl']['mailbox_relayhost']) && $_SESSION['acl']['mailbox_relayhost'] == "1") || $_extra['hasAccess']) ? intval($_data['relayhost']) : intval($is_now['attributes']['relayhost']); + (int)$sogo_access = (isset($_data['sogo_access']) && hasACLAccess("sogo_access")) ? 
intval($_data['sogo_access']) : intval($is_now['attributes']['sogo_access']); + (int)$imap_access = (isset($_data['imap_access']) && hasACLAccess("protocol_access")) ? intval($_data['imap_access']) : intval($is_now['attributes']['imap_access']); + (int)$pop3_access = (isset($_data['pop3_access']) && hasACLAccess("protocol_access")) ? intval($_data['pop3_access']) : intval($is_now['attributes']['pop3_access']); + (int)$smtp_access = (isset($_data['smtp_access']) && hasACLAccess("protocol_access")) ? intval($_data['smtp_access']) : intval($is_now['attributes']['smtp_access']); + (int)$sieve_access = (isset($_data['sieve_access']) && hasACLAccess("protocol_access")) ? intval($_data['sieve_access']) : intval($is_now['attributes']['sieve_access']); + (int)$relayhost = (isset($_data['relayhost']) && hasACLAccess("mailbox_relayhost")) ? intval($_data['relayhost']) : intval($is_now['attributes']['relayhost']); (int)$quota_m = (isset_has_content($_data['quota'])) ? intval($_data['quota']) : ($is_now['quota'] / 1048576); $name = (!empty($_data['name'])) ? ltrim(rtrim($_data['name'], '>'), '<') : $is_now['name']; $domain = $is_now['domain']; @@ -2970,7 +2970,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { continue; } // if already 0 == ok - if (!$_extra['hasAccess'] && (!isset($_SESSION['acl']['unlimited_quota']) || $_SESSION['acl']['unlimited_quota'] != "1") && ($quota_m == 0 && $is_now['quota'] != 0)) { + if (!hasACLAccess("unlimited_quota") && ($quota_m == 0 && $is_now['quota'] != 0)) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), 
@@ -2978,7 +2978,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { ); return false; } - if (!$_extra['hasAccess'] && !hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain)) { + if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain)) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), @@ -3005,7 +3005,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { } $extra_acls = array(); if (isset($_data['extended_sender_acl'])) { - if (!$_extra['hasAccess'] && (!isset($_SESSION['acl']['extend_sender_acl']) || $_SESSION['acl']['extend_sender_acl'] != "1")) { + if (!hasACLAccess("extend_sender_acl")) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), @@ -3505,7 +3505,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { } $attribute_hash = sha1(json_encode($mbox_template_data["attributes"])); - $is_now = mailbox('get', 'mailbox_details', $_data['username'], array('hasAccess' => $_data['hasAccess'])); + $is_now = mailbox('get', 'mailbox_details', $_data['username']); $name = ltrim(rtrim($_data['name'], '>'), '<'); if ($is_now['attributes']['attribute_hash'] == $attribute_hash && $is_now['name'] == $name) return true; 
@@ -3541,17 +3541,17 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { } $mailbox_attributes['quota'] = intval($mailbox_attributes['quota'] / 1048576); - $result = mailbox('edit', 'mailbox', $mailbox_attributes, array('hasAccess' => $_data['hasAccess'])); + $result = mailbox('edit', 'mailbox', $mailbox_attributes); if ($result === false) return $result; - $result = mailbox('edit', 'tls_policy', $tls_attributes, array('hasAccess' => $_data['hasAccess'])); + $result = mailbox('edit', 'tls_policy', $tls_attributes); if ($result === false) return $result; - $result = mailbox('edit', 'quarantine_notification', $quarantine_attributes, array('hasAccess' => $_data['hasAccess'])); + $result = mailbox('edit', 'quarantine_notification', $quarantine_attributes); if ($result === false) return $result; - $result = mailbox('edit', 'quarantine_category', $quarantine_attributes, array('hasAccess' => $_data['hasAccess'])); + $result = mailbox('edit', 'quarantine_category', $quarantine_attributes); if ($result === false) return $result; - $result = ratelimit('edit', 'mailbox', $ratelimit_attributes, array('hasAccess' => $_data['hasAccess'])); + $result = ratelimit('edit', 'mailbox', $ratelimit_attributes); if ($result === false) return $result; - $result = acl('edit', 'user', $acl_attributes, array('hasAccess' => $_data['hasAccess'])); + $result = acl('edit', 'user', $acl_attributes); if ($result === false) return $result; $_SESSION['return'] = array(); @@ -4090,7 +4090,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { case 'tls_policy': $attrs = array(); if (isset($_data) && filter_var($_data, FILTER_VALIDATE_EMAIL)) { - if (!$_extra['hasAccess'] && !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) { + if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) { return false; } } 
@@ -4109,7 +4109,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { case 'quarantine_notification': $attrs = array(); if (isset($_data) && filter_var($_data, FILTER_VALIDATE_EMAIL)) { - if (!$_extra['hasAccess'] && !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) { + if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) { return false; } } @@ -4125,7 +4125,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { case 'quarantine_category': $attrs = array(); if (isset($_data) && filter_var($_data, FILTER_VALIDATE_EMAIL)) { - if (!$_extra['hasAccess'] && (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data))) { + if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) { return false; } } @@ -4640,7 +4640,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { case 'domain_details': $domaindata = array(); $_data = idn_to_ascii(strtolower(trim($_data)), 0, INTL_IDNA_VARIANT_UTS46); - if (!$_extra['hasAccess'] && !hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) { + if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) { return false; } $stmt = $pdo->prepare("SELECT `target_domain` FROM `alias_domain` WHERE `alias_domain` = :domain"); @@ -4806,7 +4806,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { } break; case 'mailbox_details': - if (!$_extra['hasAccess'] && !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) { + if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) { return false; } $mailboxdata = array(); 
@@ -4969,7 +4969,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { return $mailboxdata; break; case 'mailbox_templates': - if ($_SESSION['mailcow_cc_role'] != "admin" && $_SESSION['mailcow_cc_role'] != "domainadmin" && !$_extra['hasAccess']) { + if ($_SESSION['mailcow_cc_role'] != "admin" && $_SESSION['mailcow_cc_role'] != "domainadmin" && $_SESSION['access_all_exception'] != "1") { return false; } $_data = (isset($_data)) ? intval($_data) : null; diff --git a/data/web/inc/functions.ratelimit.inc.php b/data/web/inc/functions.ratelimit.inc.php index 5779ad77c..91ac999e2 100644 --- a/data/web/inc/functions.ratelimit.inc.php +++ b/data/web/inc/functions.ratelimit.inc.php @@ -4,7 +4,7 @@ function ratelimit($_action, $_scope, $_data = null, $_extra = null) { $_data_log = $_data; switch ($_action) { case 'edit': - if ((!isset($_SESSION['acl']['ratelimit']) || $_SESSION['acl']['ratelimit'] != "1") && !$_extra['hasAccess']) { + if (!hasACLAccess("ratelimit")) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), @@ -92,8 +92,8 @@ function ratelimit($_action, $_scope, $_data = null, $_extra = null) { ); continue; } - if (((!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $object) - || ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin'))) && !$_extra['hasAccess']) { + if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $object) + || ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin' && $_SESSION['access_all_exception'] != '1')) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log), 
@@ -139,7 +139,7 @@ function ratelimit($_action, $_scope, $_data = null, $_extra = null) { case 'get': switch ($_scope) { case 'domain': - if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data) && !$_extra['hasAccess']) { + if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) { return false; } try { @@ -164,7 +164,7 @@ function ratelimit($_action, $_scope, $_data = null, $_extra = null) { return false; break; case 'mailbox': - if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data && !$_extra['hasAccess']) + if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data) || ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin')) { return false; } diff --git a/data/web/inc/sessions.inc.php b/data/web/inc/sessions.inc.php index b73ad2816..67bdd35b3 100644 --- a/data/web/inc/sessions.inc.php +++ b/data/web/inc/sessions.inc.php @@ -5,6 +5,8 @@ if (session_status() !== PHP_SESSION_ACTIVE) { ini_set('session.gc_maxlifetime', $SESSION_LIFETIME); } +$_SESSION['access_all_exception'] = '0'; + if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == "https") { if (session_status() !== PHP_SESSION_ACTIVE) {
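Review bot: The role test in the `get`/`mailbox` check does not honor `access_all_exception`, while the matching test in the `edit` branch of ratelimit() was extended with `&& $_SESSION['access_all_exception'] != '1'`. If a sync or login path reads a mailbox rate limit while the flag is set, this branch would still return false for a session that is neither admin nor domainadmin; whether such a caller exists is not visible in the diff. Either add the same clause here or add a comment such as `// reads are intentionally not covered by access_all_exception` so the asymmetry is documented.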
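Review bot: The reset in sessions.inc.php appears to run before the session is started, since the context lines on both sides of it still test `session_status() !== PHP_SESSION_ACTIVE`. If that is the case, the later session start replaces `$_SESSION` with the stored data, and a `'1'` left behind by an interrupted request would survive this assignment. Move `$_SESSION['access_all_exception'] = '0';` to directly after the session is started (that call is outside this hunk) and add a comment there such as `// override flag must never carry over between requests`.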