mirror of
https://github.com/mailcow/mailcow-dockerized.git
synced 2025-12-13 09:56:01 +00:00
[Web] Fix permission exception in IdP actions
This commit is contained in:
FreddleSpl0it
@@ -188,6 +188,7 @@ while (true) {
|
|||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$_SESSION['access_all_exception'] = '1';
|
||||||
if (!$row && intval($iam_settings['import_users']) == 1){
|
if (!$row && intval($iam_settings['import_users']) == 1){
|
||||||
// mailbox user does not exist, create...
|
// mailbox user does not exist, create...
|
||||||
logMsg("info", "Creating user " . $user['email']);
|
logMsg("info", "Creating user " . $user['email']);
|
||||||
@@ -196,8 +197,7 @@ while (true) {
|
|||||||
'local_part' => explode('@', $user['email'])[0],
|
'local_part' => explode('@', $user['email'])[0],
|
||||||
'name' => $user['firstName'] . " " . $user['lastName'],
|
'name' => $user['firstName'] . " " . $user['lastName'],
|
||||||
'authsource' => 'keycloak',
|
'authsource' => 'keycloak',
|
||||||
'template' => $mbox_template,
|
'template' => $mbox_template
|
||||||
'hasAccess' => true
|
|
||||||
));
|
));
|
||||||
} else if ($row && intval($iam_settings['periodic_sync']) == 1) {
|
} else if ($row && intval($iam_settings['periodic_sync']) == 1) {
|
||||||
// mailbox user does exist, sync attribtues...
|
// mailbox user does exist, sync attribtues...
|
||||||
@@ -205,13 +205,13 @@ while (true) {
|
|||||||
mailbox('edit', 'mailbox_from_template', array(
|
mailbox('edit', 'mailbox_from_template', array(
|
||||||
'username' => $user['email'],
|
'username' => $user['email'],
|
||||||
'name' => $user['firstName'] . " " . $user['lastName'],
|
'name' => $user['firstName'] . " " . $user['lastName'],
|
||||||
'template' => $mbox_template,
|
'template' => $mbox_template
|
||||||
'hasAccess' => true
|
|
||||||
));
|
));
|
||||||
} else {
|
} else {
|
||||||
// skip mailbox user
|
// skip mailbox user
|
||||||
logMsg("info", "Skipping user " . $user['email']);
|
logMsg("info", "Skipping user " . $user['email']);
|
||||||
}
|
}
|
||||||
|
$_SESSION['access_all_exception'] = '0';
|
||||||
|
|
||||||
sleep(0.025);
|
sleep(0.025);
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -152,6 +152,7 @@ foreach ($response as $user) {
|
|||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$_SESSION['access_all_exception'] = '1';
|
||||||
if (!$row && intval($iam_settings['import_users']) == 1){
|
if (!$row && intval($iam_settings['import_users']) == 1){
|
||||||
// mailbox user does not exist, create...
|
// mailbox user does not exist, create...
|
||||||
logMsg("info", "Creating user " . $user[$iam_settings['username_field']][0]);
|
logMsg("info", "Creating user " . $user[$iam_settings['username_field']][0]);
|
||||||
@@ -160,8 +161,7 @@ foreach ($response as $user) {
|
|||||||
'local_part' => explode('@', $user[$iam_settings['username_field']][0])[0],
|
'local_part' => explode('@', $user[$iam_settings['username_field']][0])[0],
|
||||||
'name' => $user['displayname'][0],
|
'name' => $user['displayname'][0],
|
||||||
'authsource' => 'ldap',
|
'authsource' => 'ldap',
|
||||||
'template' => $mbox_template,
|
'template' => $mbox_template
|
||||||
'hasAccess' => true
|
|
||||||
));
|
));
|
||||||
} else if ($row && intval($iam_settings['periodic_sync']) == 1) {
|
} else if ($row && intval($iam_settings['periodic_sync']) == 1) {
|
||||||
// mailbox user does exist, sync attribtues...
|
// mailbox user does exist, sync attribtues...
|
||||||
@@ -169,13 +169,13 @@ foreach ($response as $user) {
|
|||||||
mailbox('edit', 'mailbox_from_template', array(
|
mailbox('edit', 'mailbox_from_template', array(
|
||||||
'username' => $user[$iam_settings['username_field']][0],
|
'username' => $user[$iam_settings['username_field']][0],
|
||||||
'name' => $user['displayname'][0],
|
'name' => $user['displayname'][0],
|
||||||
'template' => $mbox_template,
|
'template' => $mbox_template
|
||||||
'hasAccess' => true
|
|
||||||
));
|
));
|
||||||
} else {
|
} else {
|
||||||
// skip mailbox user
|
// skip mailbox user
|
||||||
logMsg("info", "Skipping user " . $user[$iam_settings['username_field']][0]);
|
logMsg("info", "Skipping user " . $user[$iam_settings['username_field']][0]);
|
||||||
}
|
}
|
||||||
|
$_SESSION['access_all_exception'] = '0';
|
||||||
|
|
||||||
sleep(0.025);
|
sleep(0.025);
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -23,8 +23,8 @@ function acl($_action, $_scope = null, $_data = null, $_extra = null) {
|
|||||||
$acl_post[$acl_val] = 1;
|
$acl_post[$acl_val] = 1;
|
||||||
}
|
}
|
||||||
// Users cannot change their own ACL
|
// Users cannot change their own ACL
|
||||||
if (!$_extra['hasAccess'] && (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)
|
if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)
|
||||||
|| ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin'))) {
|
|| ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin' && $_SESSION['access_all_exception'] != '1')) {
|
||||||
$_SESSION['return'][] = array(
|
$_SESSION['return'][] = array(
|
||||||
'type' => 'danger',
|
'type' => 'danger',
|
||||||
'log' => array(__FUNCTION__, $_action, $_scope, $_data_log),
|
'log' => array(__FUNCTION__, $_action, $_scope, $_data_log),
|
||||||
@@ -130,7 +130,7 @@ function acl($_action, $_scope = null, $_data = null, $_extra = null) {
|
|||||||
case 'get':
|
case 'get':
|
||||||
switch ($_scope) {
|
switch ($_scope) {
|
||||||
case 'user':
|
case 'user':
|
||||||
if (!$_extra['hasAccess'] && !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
|
if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
$stmt = $pdo->prepare("SELECT * FROM `user_acl` WHERE `username` = :username");
|
$stmt = $pdo->prepare("SELECT * FROM `user_acl` WHERE `username` = :username");
|
||||||
|
|||||||
@@ -457,12 +457,13 @@ function keycloak_mbox_login_rest($user, $pass, $extra = null){
|
|||||||
// login success
|
// login success
|
||||||
if ($mapper_key !== false) {
|
if ($mapper_key !== false) {
|
||||||
// update user
|
// update user
|
||||||
|
$_SESSION['access_all_exception'] = '1';
|
||||||
mailbox('edit', 'mailbox_from_template', array(
|
mailbox('edit', 'mailbox_from_template', array(
|
||||||
'username' => $user,
|
'username' => $user,
|
||||||
'name' => $user_res['name'],
|
'name' => $user_res['name'],
|
||||||
'template' => $iam_settings['templates'][$mapper_key],
|
'template' => $iam_settings['templates'][$mapper_key]
|
||||||
'hasAccess' => true
|
|
||||||
));
|
));
|
||||||
|
$_SESSION['access_all_exception'] = '0';
|
||||||
}
|
}
|
||||||
return 'user';
|
return 'user';
|
||||||
}
|
}
|
||||||
@@ -472,14 +473,15 @@ function keycloak_mbox_login_rest($user, $pass, $extra = null){
|
|||||||
if ($mapper_key === false) return false;
|
if ($mapper_key === false) return false;
|
||||||
|
|
||||||
// create mailbox
|
// create mailbox
|
||||||
|
$_SESSION['access_all_exception'] = '1';
|
||||||
$create_res = mailbox('add', 'mailbox_from_template', array(
|
$create_res = mailbox('add', 'mailbox_from_template', array(
|
||||||
'domain' => explode('@', $user)[1],
|
'domain' => explode('@', $user)[1],
|
||||||
'local_part' => explode('@', $user)[0],
|
'local_part' => explode('@', $user)[0],
|
||||||
'name' => $user_res['name'],
|
'name' => $user_res['name'],
|
||||||
'authsource' => 'keycloak',
|
'authsource' => 'keycloak',
|
||||||
'template' => $iam_settings['templates'][$mapper_key],
|
'template' => $iam_settings['templates'][$mapper_key]
|
||||||
'hasAccess' => true
|
|
||||||
));
|
));
|
||||||
|
$_SESSION['access_all_exception'] = '0';
|
||||||
if (!$create_res){
|
if (!$create_res){
|
||||||
clear_session();
|
clear_session();
|
||||||
return false;
|
return false;
|
||||||
@@ -556,12 +558,13 @@ function ldap_mbox_login($user, $pass, $extra = null){
|
|||||||
// login success
|
// login success
|
||||||
if ($mapper_key !== false) {
|
if ($mapper_key !== false) {
|
||||||
// update user
|
// update user
|
||||||
|
$_SESSION['access_all_exception'] = '1';
|
||||||
mailbox('edit', 'mailbox_from_template', array(
|
mailbox('edit', 'mailbox_from_template', array(
|
||||||
'username' => $user,
|
'username' => $user,
|
||||||
'name' => $user_res['displayname'][0],
|
'name' => $user_res['displayname'][0],
|
||||||
'template' => $iam_settings['templates'][$mapper_key],
|
'template' => $iam_settings['templates'][$mapper_key]
|
||||||
'hasAccess' => true
|
|
||||||
));
|
));
|
||||||
|
$_SESSION['access_all_exception'] = '0';
|
||||||
}
|
}
|
||||||
return 'user';
|
return 'user';
|
||||||
}
|
}
|
||||||
@@ -571,14 +574,15 @@ function ldap_mbox_login($user, $pass, $extra = null){
|
|||||||
if ($mapper_key === false) return false;
|
if ($mapper_key === false) return false;
|
||||||
|
|
||||||
// create mailbox
|
// create mailbox
|
||||||
|
$_SESSION['access_all_exception'] = '1';
|
||||||
$create_res = mailbox('add', 'mailbox_from_template', array(
|
$create_res = mailbox('add', 'mailbox_from_template', array(
|
||||||
'domain' => explode('@', $user)[1],
|
'domain' => explode('@', $user)[1],
|
||||||
'local_part' => explode('@', $user)[0],
|
'local_part' => explode('@', $user)[0],
|
||||||
'name' => $user_res['displayname'][0],
|
'name' => $user_res['displayname'][0],
|
||||||
'authsource' => 'ldap',
|
'authsource' => 'ldap',
|
||||||
'template' => $iam_settings['templates'][$mapper_key],
|
'template' => $iam_settings['templates'][$mapper_key]
|
||||||
'hasAccess' => true
|
|
||||||
));
|
));
|
||||||
|
$_SESSION['access_all_exception'] = '0';
|
||||||
if (!$create_res){
|
if (!$create_res){
|
||||||
clear_session();
|
clear_session();
|
||||||
return false;
|
return false;
|
||||||
|
|||||||
@@ -538,10 +538,13 @@ function logger($_data = false) {
|
|||||||
}
|
}
|
||||||
function hasDomainAccess($username, $role, $domain) {
|
function hasDomainAccess($username, $role, $domain) {
|
||||||
global $pdo;
|
global $pdo;
|
||||||
if (!filter_var($username, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) {
|
if (empty($domain) || !is_valid_domain_name($domain)) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
if (empty($domain) || !is_valid_domain_name($domain)) {
|
if (isset($_SESSION['access_all_exception']) && $_SESSION['access_all_exception'] == "1") {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
if (!filter_var($username, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
if ($role != 'admin' && $role != 'domainadmin') {
|
if ($role != 'admin' && $role != 'domainadmin') {
|
||||||
@@ -577,6 +580,9 @@ function hasDomainAccess($username, $role, $domain) {
|
|||||||
}
|
}
|
||||||
function hasMailboxObjectAccess($username, $role, $object) {
|
function hasMailboxObjectAccess($username, $role, $object) {
|
||||||
global $pdo;
|
global $pdo;
|
||||||
|
if (isset($_SESSION['access_all_exception']) && $_SESSION['access_all_exception'] == "1") {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
if (empty($username) || empty($role) || empty($object)) {
|
if (empty($username) || empty($role) || empty($object)) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
@@ -600,6 +606,9 @@ function hasMailboxObjectAccess($username, $role, $object) {
|
|||||||
// does also verify mailboxes as a mailbox is a alias == goto
|
// does also verify mailboxes as a mailbox is a alias == goto
|
||||||
function hasAliasObjectAccess($username, $role, $object) {
|
function hasAliasObjectAccess($username, $role, $object) {
|
||||||
global $pdo;
|
global $pdo;
|
||||||
|
if (isset($_SESSION['access_all_exception']) && $_SESSION['access_all_exception'] == "1") {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
if (empty($username) || empty($role) || empty($object)) {
|
if (empty($username) || empty($role) || empty($object)) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
@@ -617,6 +626,16 @@ function hasAliasObjectAccess($username, $role, $object) {
|
|||||||
}
|
}
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
function hasACLAccess($type) {
|
||||||
|
if (isset($_SESSION['access_all_exception']) && $_SESSION['access_all_exception'] == "1") {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
if (isset($_SESSION['acl'][$type]) && $_SESSION['acl'][$type] == "1") {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
function pem_to_der($pem_key) {
|
function pem_to_der($pem_key) {
|
||||||
// Need to remove BEGIN/END PUBLIC KEY
|
// Need to remove BEGIN/END PUBLIC KEY
|
||||||
$lines = explode("\n", trim($pem_key));
|
$lines = explode("\n", trim($pem_key));
|
||||||
@@ -2530,12 +2549,13 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
|
|||||||
// success
|
// success
|
||||||
if ($mapper_key !== false) {
|
if ($mapper_key !== false) {
|
||||||
// update user
|
// update user
|
||||||
|
$_SESSION['access_all_exception'] = '1';
|
||||||
mailbox('edit', 'mailbox_from_template', array(
|
mailbox('edit', 'mailbox_from_template', array(
|
||||||
'username' => $info['email'],
|
'username' => $info['email'],
|
||||||
'name' => $info['name'],
|
'name' => $info['name'],
|
||||||
'template' => $iam_settings['templates'][$mapper_key],
|
'template' => $iam_settings['templates'][$mapper_key]
|
||||||
'hasAccess' => true
|
|
||||||
));
|
));
|
||||||
|
$_SESSION['access_all_exception'] = '0';
|
||||||
}
|
}
|
||||||
set_user_loggedin_session($info['email']);
|
set_user_loggedin_session($info['email']);
|
||||||
$_SESSION['iam_token'] = $plain_token;
|
$_SESSION['iam_token'] = $plain_token;
|
||||||
@@ -2568,14 +2588,15 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// create mailbox
|
// create mailbox
|
||||||
|
$_SESSION['access_all_exception'] = '1';
|
||||||
$create_res = mailbox('add', 'mailbox_from_template', array(
|
$create_res = mailbox('add', 'mailbox_from_template', array(
|
||||||
'domain' => explode('@', $info['email'])[1],
|
'domain' => explode('@', $info['email'])[1],
|
||||||
'local_part' => explode('@', $info['email'])[0],
|
'local_part' => explode('@', $info['email'])[0],
|
||||||
'name' => $info['name'],
|
'name' => $info['name'],
|
||||||
'authsource' => $iam_settings['authsource'],
|
'authsource' => $iam_settings['authsource'],
|
||||||
'template' => $iam_settings['templates'][$mapper_key],
|
'template' => $iam_settings['templates'][$mapper_key]
|
||||||
'hasAccess' => true
|
|
||||||
));
|
));
|
||||||
|
$_SESSION['access_all_exception'] = '0';
|
||||||
if (!$create_res){
|
if (!$create_res){
|
||||||
clear_session();
|
clear_session();
|
||||||
$_SESSION['return'][] = array(
|
$_SESSION['return'][] = array(
|
||||||
|
|||||||
@@ -1045,7 +1045,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
|
|||||||
$password2 = '';
|
$password2 = '';
|
||||||
$password_hashed = '';
|
$password_hashed = '';
|
||||||
}
|
}
|
||||||
if (!$_extra['hasAccess'] && ((!isset($_SESSION['acl']['unlimited_quota']) || $_SESSION['acl']['unlimited_quota'] != "1") && $quota_m === 0)) {
|
if (!hasACLAccess("unlimited_quota") && $quota_m === 0) {
|
||||||
$_SESSION['return'][] = array(
|
$_SESSION['return'][] = array(
|
||||||
'type' => 'danger',
|
'type' => 'danger',
|
||||||
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
|
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
|
||||||
@@ -1104,7 +1104,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
|
|||||||
);
|
);
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain) && !$_extra['hasAccess']) {
|
if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain)) {
|
||||||
$_SESSION['return'][] = array(
|
$_SESSION['return'][] = array(
|
||||||
'type' => 'danger',
|
'type' => 'danger',
|
||||||
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
|
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
|
||||||
@@ -1385,7 +1385,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return mailbox('add', 'mailbox', $mailbox_attributes, array('hasAccess' => $_data['hasAccess']));
|
return mailbox('add', 'mailbox', $mailbox_attributes);
|
||||||
break;
|
break;
|
||||||
case 'resource':
|
case 'resource':
|
||||||
$domain = idn_to_ascii(strtolower(trim($_data['domain'])), 0, INTL_IDNA_VARIANT_UTS46);
|
$domain = idn_to_ascii(strtolower(trim($_data['domain'])), 0, INTL_IDNA_VARIANT_UTS46);
|
||||||
@@ -1753,7 +1753,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
|
|||||||
else {
|
else {
|
||||||
$usernames = $_data['username'];
|
$usernames = $_data['username'];
|
||||||
}
|
}
|
||||||
if (!$_extra['hasAccess'] && (!isset($_SESSION['acl']['tls_policy']) || $_SESSION['acl']['tls_policy'] != "1")) {
|
if (!hasACLAccess("tls_policy")) {
|
||||||
$_SESSION['return'][] = array(
|
$_SESSION['return'][] = array(
|
||||||
'type' => 'danger',
|
'type' => 'danger',
|
||||||
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
|
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
|
||||||
@@ -1762,7 +1762,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
foreach ($usernames as $username) {
|
foreach ($usernames as $username) {
|
||||||
if (!$_extra['hasAccess'] && (!filter_var($username, FILTER_VALIDATE_EMAIL) || !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username))) {
|
if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) {
|
||||||
$_SESSION['return'][] = array(
|
$_SESSION['return'][] = array(
|
||||||
'type' => 'danger',
|
'type' => 'danger',
|
||||||
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
|
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
|
||||||
@@ -1807,7 +1807,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
|
|||||||
else {
|
else {
|
||||||
$usernames = $_data['username'];
|
$usernames = $_data['username'];
|
||||||
}
|
}
|
||||||
if (!$_extra['hasAccess'] && (!isset($_SESSION['acl']['quarantine_notification']) || $_SESSION['acl']['quarantine_notification'] != "1")) {
|
if (!hasACLAccess("quarantine_notification")) {
|
||||||
$_SESSION['return'][] = array(
|
$_SESSION['return'][] = array(
|
||||||
'type' => 'danger',
|
'type' => 'danger',
|
||||||
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
|
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
|
||||||
@@ -1816,7 +1816,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
foreach ($usernames as $username) {
|
foreach ($usernames as $username) {
|
||||||
if (!$_extra['hasAccess'] && (!filter_var($username, FILTER_VALIDATE_EMAIL) || !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username))) {
|
if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) {
|
||||||
$_SESSION['return'][] = array(
|
$_SESSION['return'][] = array(
|
||||||
'type' => 'danger',
|
'type' => 'danger',
|
||||||
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
|
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
|
||||||
@@ -1866,7 +1866,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
|
|||||||
else {
|
else {
|
||||||
$usernames = $_data['username'];
|
$usernames = $_data['username'];
|
||||||
}
|
}
|
||||||
if (!$_extra['hasAccess'] && (!isset($_SESSION['acl']['quarantine_category']) || $_SESSION['acl']['quarantine_category'] != "1")) {
|
if (!hasACLAccess("quarantine_category")) {
|
||||||
$_SESSION['return'][] = array(
|
$_SESSION['return'][] = array(
|
||||||
'type' => 'danger',
|
'type' => 'danger',
|
||||||
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
|
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
|
||||||
@@ -1875,7 +1875,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
foreach ($usernames as $username) {
|
foreach ($usernames as $username) {
|
||||||
if (!$_extra['hasAccess'] && (!filter_var($username, FILTER_VALIDATE_EMAIL) || !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username))) {
|
if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) {
|
||||||
$_SESSION['return'][] = array(
|
$_SESSION['return'][] = array(
|
||||||
'type' => 'danger',
|
'type' => 'danger',
|
||||||
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
|
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
|
||||||
@@ -2938,12 +2938,12 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
|
|||||||
if (!empty($is_now)) {
|
if (!empty($is_now)) {
|
||||||
$active = (isset($_data['active'])) ? intval($_data['active']) : $is_now['active'];
|
$active = (isset($_data['active'])) ? intval($_data['active']) : $is_now['active'];
|
||||||
(int)$force_pw_update = (isset($_data['force_pw_update'])) ? intval($_data['force_pw_update']) : intval($is_now['attributes']['force_pw_update']);
|
(int)$force_pw_update = (isset($_data['force_pw_update'])) ? intval($_data['force_pw_update']) : intval($is_now['attributes']['force_pw_update']);
|
||||||
(int)$sogo_access = ((isset($_data['sogo_access']) && isset($_SESSION['acl']['sogo_access']) && $_SESSION['acl']['sogo_access'] == "1") || $_extra['hasAccess']) ? intval($_data['sogo_access']) : intval($is_now['attributes']['sogo_access']);
|
(int)$sogo_access = (isset($_data['sogo_access']) && hasACLAccess("sogo_access")) ? intval($_data['sogo_access']) : intval($is_now['attributes']['sogo_access']);
|
||||||
(int)$imap_access = ((isset($_data['imap_access']) && isset($_SESSION['acl']['protocol_access']) && $_SESSION['acl']['protocol_access'] == "1") || $_extra['hasAccess']) ? intval($_data['imap_access']) : intval($is_now['attributes']['imap_access']);
|
(int)$imap_access = (isset($_data['imap_access']) && hasACLAccess("protocol_access")) ? intval($_data['imap_access']) : intval($is_now['attributes']['imap_access']);
|
||||||
(int)$pop3_access = ((isset($_data['pop3_access']) && isset($_SESSION['acl']['protocol_access']) && $_SESSION['acl']['protocol_access'] == "1") || $_extra['hasAccess']) ? intval($_data['pop3_access']) : intval($is_now['attributes']['pop3_access']);
|
(int)$pop3_access = (isset($_data['pop3_access']) && hasACLAccess("protocol_access")) ? intval($_data['pop3_access']) : intval($is_now['attributes']['pop3_access']);
|
||||||
(int)$smtp_access = ((isset($_data['smtp_access']) && isset($_SESSION['acl']['protocol_access']) && $_SESSION['acl']['protocol_access'] == "1") || $_extra['hasAccess']) ? intval($_data['smtp_access']) : intval($is_now['attributes']['smtp_access']);
|
(int)$smtp_access = (isset($_data['smtp_access']) && hasACLAccess("protocol_access")) ? intval($_data['smtp_access']) : intval($is_now['attributes']['smtp_access']);
|
||||||
(int)$sieve_access = ((isset($_data['sieve_access']) && isset($_SESSION['acl']['protocol_access']) && $_SESSION['acl']['protocol_access'] == "1") || $_extra['hasAccess']) ? intval($_data['sieve_access']) : intval($is_now['attributes']['sieve_access']);
|
(int)$sieve_access = (isset($_data['sieve_access']) && hasACLAccess("protocol_access")) ? intval($_data['sieve_access']) : intval($is_now['attributes']['sieve_access']);
|
||||||
(int)$relayhost = ((isset($_data['relayhost']) && isset($_SESSION['acl']['mailbox_relayhost']) && $_SESSION['acl']['mailbox_relayhost'] == "1") || $_extra['hasAccess']) ? intval($_data['relayhost']) : intval($is_now['attributes']['relayhost']);
|
(int)$relayhost = (isset($_data['relayhost']) && hasACLAccess("mailbox_relayhost")) ? intval($_data['relayhost']) : intval($is_now['attributes']['relayhost']);
|
||||||
(int)$quota_m = (isset_has_content($_data['quota'])) ? intval($_data['quota']) : ($is_now['quota'] / 1048576);
|
(int)$quota_m = (isset_has_content($_data['quota'])) ? intval($_data['quota']) : ($is_now['quota'] / 1048576);
|
||||||
$name = (!empty($_data['name'])) ? ltrim(rtrim($_data['name'], '>'), '<') : $is_now['name'];
|
$name = (!empty($_data['name'])) ? ltrim(rtrim($_data['name'], '>'), '<') : $is_now['name'];
|
||||||
$domain = $is_now['domain'];
|
$domain = $is_now['domain'];
|
||||||
@@ -2970,7 +2970,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
|
|||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
// if already 0 == ok
|
// if already 0 == ok
|
||||||
if (!$_extra['hasAccess'] && (!isset($_SESSION['acl']['unlimited_quota']) || $_SESSION['acl']['unlimited_quota'] != "1") && ($quota_m == 0 && $is_now['quota'] != 0)) {
|
if (!hasACLAccess("unlimited_quota") && ($quota_m == 0 && $is_now['quota'] != 0)) {
|
||||||
$_SESSION['return'][] = array(
|
$_SESSION['return'][] = array(
|
||||||
'type' => 'danger',
|
'type' => 'danger',
|
||||||
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
|
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
|
||||||
@@ -2978,7 +2978,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
|
|||||||
);
|
);
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
if (!$_extra['hasAccess'] && !hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain)) {
|
if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain)) {
|
||||||
$_SESSION['return'][] = array(
|
$_SESSION['return'][] = array(
|
||||||
'type' => 'danger',
|
'type' => 'danger',
|
||||||
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
|
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
|
||||||
@@ -3005,7 +3005,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
|
|||||||
}
|
}
|
||||||
$extra_acls = array();
|
$extra_acls = array();
|
||||||
if (isset($_data['extended_sender_acl'])) {
|
if (isset($_data['extended_sender_acl'])) {
|
||||||
if (!$_extra['hasAccess'] && (!isset($_SESSION['acl']['extend_sender_acl']) || $_SESSION['acl']['extend_sender_acl'] != "1")) {
|
if (!hasACLAccess("extend_sender_acl")) {
|
||||||
$_SESSION['return'][] = array(
|
$_SESSION['return'][] = array(
|
||||||
'type' => 'danger',
|
'type' => 'danger',
|
||||||
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
|
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
|
||||||
@@ -3505,7 +3505,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
$attribute_hash = sha1(json_encode($mbox_template_data["attributes"]));
|
$attribute_hash = sha1(json_encode($mbox_template_data["attributes"]));
|
||||||
$is_now = mailbox('get', 'mailbox_details', $_data['username'], array('hasAccess' => $_data['hasAccess']));
|
$is_now = mailbox('get', 'mailbox_details', $_data['username']);
|
||||||
$name = ltrim(rtrim($_data['name'], '>'), '<');
|
$name = ltrim(rtrim($_data['name'], '>'), '<');
|
||||||
if ($is_now['attributes']['attribute_hash'] == $attribute_hash && $is_now['name'] == $name)
|
if ($is_now['attributes']['attribute_hash'] == $attribute_hash && $is_now['name'] == $name)
|
||||||
return true;
|
return true;
|
||||||
@@ -3541,17 +3541,17 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
$mailbox_attributes['quota'] = intval($mailbox_attributes['quota'] / 1048576);
|
$mailbox_attributes['quota'] = intval($mailbox_attributes['quota'] / 1048576);
|
||||||
$result = mailbox('edit', 'mailbox', $mailbox_attributes, array('hasAccess' => $_data['hasAccess']));
|
$result = mailbox('edit', 'mailbox', $mailbox_attributes);
|
||||||
if ($result === false) return $result;
|
if ($result === false) return $result;
|
||||||
$result = mailbox('edit', 'tls_policy', $tls_attributes, array('hasAccess' => $_data['hasAccess']));
|
$result = mailbox('edit', 'tls_policy', $tls_attributes);
|
||||||
if ($result === false) return $result;
|
if ($result === false) return $result;
|
||||||
$result = mailbox('edit', 'quarantine_notification', $quarantine_attributes, array('hasAccess' => $_data['hasAccess']));
|
$result = mailbox('edit', 'quarantine_notification', $quarantine_attributes);
|
||||||
if ($result === false) return $result;
|
if ($result === false) return $result;
|
||||||
$result = mailbox('edit', 'quarantine_category', $quarantine_attributes, array('hasAccess' => $_data['hasAccess']));
|
$result = mailbox('edit', 'quarantine_category', $quarantine_attributes);
|
||||||
if ($result === false) return $result;
|
if ($result === false) return $result;
|
||||||
$result = ratelimit('edit', 'mailbox', $ratelimit_attributes, array('hasAccess' => $_data['hasAccess']));
|
$result = ratelimit('edit', 'mailbox', $ratelimit_attributes);
|
||||||
if ($result === false) return $result;
|
if ($result === false) return $result;
|
||||||
$result = acl('edit', 'user', $acl_attributes, array('hasAccess' => $_data['hasAccess']));
|
$result = acl('edit', 'user', $acl_attributes);
|
||||||
if ($result === false) return $result;
|
if ($result === false) return $result;
|
||||||
|
|
||||||
$_SESSION['return'] = array();
|
$_SESSION['return'] = array();
|
||||||
@@ -4090,7 +4090,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
|
|||||||
case 'tls_policy':
|
case 'tls_policy':
|
||||||
$attrs = array();
|
$attrs = array();
|
||||||
if (isset($_data) && filter_var($_data, FILTER_VALIDATE_EMAIL)) {
|
if (isset($_data) && filter_var($_data, FILTER_VALIDATE_EMAIL)) {
|
||||||
if (!$_extra['hasAccess'] && !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
|
if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -4109,7 +4109,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
|
|||||||
case 'quarantine_notification':
|
case 'quarantine_notification':
|
||||||
$attrs = array();
|
$attrs = array();
|
||||||
if (isset($_data) && filter_var($_data, FILTER_VALIDATE_EMAIL)) {
|
if (isset($_data) && filter_var($_data, FILTER_VALIDATE_EMAIL)) {
|
||||||
if (!$_extra['hasAccess'] && !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
|
if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -4125,7 +4125,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
|
|||||||
case 'quarantine_category':
|
case 'quarantine_category':
|
||||||
$attrs = array();
|
$attrs = array();
|
||||||
if (isset($_data) && filter_var($_data, FILTER_VALIDATE_EMAIL)) {
|
if (isset($_data) && filter_var($_data, FILTER_VALIDATE_EMAIL)) {
|
||||||
if (!$_extra['hasAccess'] && (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data))) {
|
if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -4640,7 +4640,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
|
|||||||
case 'domain_details':
|
case 'domain_details':
|
||||||
$domaindata = array();
|
$domaindata = array();
|
||||||
$_data = idn_to_ascii(strtolower(trim($_data)), 0, INTL_IDNA_VARIANT_UTS46);
|
$_data = idn_to_ascii(strtolower(trim($_data)), 0, INTL_IDNA_VARIANT_UTS46);
|
||||||
if (!$_extra['hasAccess'] && !hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
|
if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
$stmt = $pdo->prepare("SELECT `target_domain` FROM `alias_domain` WHERE `alias_domain` = :domain");
|
$stmt = $pdo->prepare("SELECT `target_domain` FROM `alias_domain` WHERE `alias_domain` = :domain");
|
||||||
@@ -4806,7 +4806,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
|
|||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case 'mailbox_details':
|
case 'mailbox_details':
|
||||||
if (!$_extra['hasAccess'] && !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
|
if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
$mailboxdata = array();
|
$mailboxdata = array();
|
||||||
@@ -4969,7 +4969,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
|
|||||||
return $mailboxdata;
|
return $mailboxdata;
|
||||||
break;
|
break;
|
||||||
case 'mailbox_templates':
|
case 'mailbox_templates':
|
||||||
if ($_SESSION['mailcow_cc_role'] != "admin" && $_SESSION['mailcow_cc_role'] != "domainadmin" && !$_extra['hasAccess']) {
|
if ($_SESSION['mailcow_cc_role'] != "admin" && $_SESSION['mailcow_cc_role'] != "domainadmin" && $_SESSION['access_all_exception'] != "1") {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
$_data = (isset($_data)) ? intval($_data) : null;
|
$_data = (isset($_data)) ? intval($_data) : null;
|
||||||
|
|||||||
@@ -4,7 +4,7 @@ function ratelimit($_action, $_scope, $_data = null, $_extra = null) {
|
|||||||
$_data_log = $_data;
|
$_data_log = $_data;
|
||||||
switch ($_action) {
|
switch ($_action) {
|
||||||
case 'edit':
|
case 'edit':
|
||||||
if ((!isset($_SESSION['acl']['ratelimit']) || $_SESSION['acl']['ratelimit'] != "1") && !$_extra['hasAccess']) {
|
if (!hasACLAccess("ratelimit")) {
|
||||||
$_SESSION['return'][] = array(
|
$_SESSION['return'][] = array(
|
||||||
'type' => 'danger',
|
'type' => 'danger',
|
||||||
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
|
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
|
||||||
@@ -92,8 +92,8 @@ function ratelimit($_action, $_scope, $_data = null, $_extra = null) {
|
|||||||
);
|
);
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
if (((!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $object)
|
if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $object)
|
||||||
|| ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin'))) && !$_extra['hasAccess']) {
|
|| ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin' && $_SESSION['access_all_exception'] != '1')) {
|
||||||
$_SESSION['return'][] = array(
|
$_SESSION['return'][] = array(
|
||||||
'type' => 'danger',
|
'type' => 'danger',
|
||||||
'log' => array(__FUNCTION__, $_action, $_scope, $_data_log),
|
'log' => array(__FUNCTION__, $_action, $_scope, $_data_log),
|
||||||
@@ -139,7 +139,7 @@ function ratelimit($_action, $_scope, $_data = null, $_extra = null) {
|
|||||||
case 'get':
|
case 'get':
|
||||||
switch ($_scope) {
|
switch ($_scope) {
|
||||||
case 'domain':
|
case 'domain':
|
||||||
if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data) && !$_extra['hasAccess']) {
|
if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
try {
|
try {
|
||||||
@@ -164,7 +164,7 @@ function ratelimit($_action, $_scope, $_data = null, $_extra = null) {
|
|||||||
return false;
|
return false;
|
||||||
break;
|
break;
|
||||||
case 'mailbox':
|
case 'mailbox':
|
||||||
if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data && !$_extra['hasAccess'])
|
if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)
|
||||||
|| ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin')) {
|
|| ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin')) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -5,6 +5,8 @@ if (session_status() !== PHP_SESSION_ACTIVE) {
|
|||||||
ini_set('session.gc_maxlifetime', $SESSION_LIFETIME);
|
ini_set('session.gc_maxlifetime', $SESSION_LIFETIME);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$_SESSION['access_all_exception'] = '0';
|
||||||
|
|
||||||
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) &&
|
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) &&
|
||||||
strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == "https") {
|
strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == "https") {
|
||||||
if (session_status() !== PHP_SESSION_ACTIVE) {
|
if (session_status() !== PHP_SESSION_ACTIVE) {
|
||||||
|
|||||||
Reference in New Issue
Block a user