public/mailcow-dockerized
1
0
Fork 0
mirror of https://github.com/mailcow/mailcow-dockerized.git synced 2025-12-13 09:56:01 +00:00
Code Issues Releases Wiki Activity

[Web] Fix permission exception in IdP actions

Browse Source
This commit is contained in:
FreddleSpl0it
2025-01-15 12:48:10 +01:00
parent 69b03791a2
commit 8048e0a53c
8 changed files with 88 additions and 61 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
data/conf/phpfpm/crons/keycloak-sync.php
View File

@@ -188,6 +188,7 @@ while (true) {
continue;
}
$_SESSION['access_all_exception'] = '1';
if (!$row && intval($iam_settings['import_users']) == 1){
// mailbox user does not exist, create...
logMsg("info", "Creating user " . $user['email']);
@@ -196,8 +197,7 @@ while (true) {
'local_part' => explode('@', $user['email'])[0],
'name' => $user['firstName'] . " " . $user['lastName'],
'authsource' => 'keycloak',
'template' => $mbox_template,
'hasAccess' => true
'template' => $mbox_template
));
} else if ($row && intval($iam_settings['periodic_sync']) == 1) {
// mailbox user does exist, sync attribtues...
@@ -205,13 +205,13 @@ while (true) {
mailbox('edit', 'mailbox_from_template', array(
'username' => $user['email'],
'name' => $user['firstName'] . " " . $user['lastName'],
'template' => $mbox_template,
'hasAccess' => true
'template' => $mbox_template
));
} else {
// skip mailbox user
logMsg("info", "Skipping user " . $user['email']);
}
$_SESSION['access_all_exception'] = '0';
sleep(0.025);
}

8
data/conf/phpfpm/crons/ldap-sync.php
View File

@@ -152,6 +152,7 @@ foreach ($response as $user) {
continue;
}
$_SESSION['access_all_exception'] = '1';
if (!$row && intval($iam_settings['import_users']) == 1){
// mailbox user does not exist, create...
logMsg("info", "Creating user " . $user[$iam_settings['username_field']][0]);
@@ -160,8 +161,7 @@ foreach ($response as $user) {
'local_part' => explode('@', $user[$iam_settings['username_field']][0])[0],
'name' => $user['displayname'][0],
'authsource' => 'ldap',
'template' => $mbox_template,
'hasAccess' => true
'template' => $mbox_template
));
} else if ($row && intval($iam_settings['periodic_sync']) == 1) {
// mailbox user does exist, sync attribtues...
@@ -169,13 +169,13 @@ foreach ($response as $user) {
mailbox('edit', 'mailbox_from_template', array(
'username' => $user[$iam_settings['username_field']][0],
'name' => $user['displayname'][0],
'template' => $mbox_template,
'hasAccess' => true
'template' => $mbox_template
));
} else {
// skip mailbox user
logMsg("info", "Skipping user " . $user[$iam_settings['username_field']][0]);
}
$_SESSION['access_all_exception'] = '0';
sleep(0.025);
}

6
data/web/inc/functions.acl.inc.php
View File

@@ -23,8 +23,8 @@ function acl($_action, $_scope = null, $_data = null, $_extra = null) {
$acl_post[$acl_val] = 1;
}
// Users cannot change their own ACL
if (!$_extra['hasAccess'] && (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)
|| ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin'))) {
if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)
|| ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin' && $_SESSION['access_all_exception'] != '1')) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_scope, $_data_log),
@@ -130,7 +130,7 @@ function acl($_action, $_scope = null, $_data = null, $_extra = null) {
case 'get':
switch ($_scope) {
case 'user':
if (!$_extra['hasAccess'] && !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
return false;
}
$stmt = $pdo->prepare("SELECT * FROM `user_acl` WHERE `username` = :username");

20
data/web/inc/functions.auth.inc.php
View File

@@ -457,12 +457,13 @@ function keycloak_mbox_login_rest($user, $pass, $extra = null){
// login success
if ($mapper_key !== false) {
// update user
$_SESSION['access_all_exception'] = '1';
mailbox('edit', 'mailbox_from_template', array(
'username' => $user,
'name' => $user_res['name'],
'template' => $iam_settings['templates'][$mapper_key],
'hasAccess' => true
'template' => $iam_settings['templates'][$mapper_key]
));
$_SESSION['access_all_exception'] = '0';
}
return 'user';
}
@@ -472,14 +473,15 @@ function keycloak_mbox_login_rest($user, $pass, $extra = null){
if ($mapper_key === false) return false;
// create mailbox
$_SESSION['access_all_exception'] = '1';
$create_res = mailbox('add', 'mailbox_from_template', array(
'domain' => explode('@', $user)[1],
'local_part' => explode('@', $user)[0],
'name' => $user_res['name'],
'authsource' => 'keycloak',
'template' => $iam_settings['templates'][$mapper_key],
'hasAccess' => true
'template' => $iam_settings['templates'][$mapper_key]
));
$_SESSION['access_all_exception'] = '0';
if (!$create_res){
clear_session();
return false;
@@ -556,12 +558,13 @@ function ldap_mbox_login($user, $pass, $extra = null){
// login success
if ($mapper_key !== false) {
// update user
$_SESSION['access_all_exception'] = '1';
mailbox('edit', 'mailbox_from_template', array(
'username' => $user,
'name' => $user_res['displayname'][0],
'template' => $iam_settings['templates'][$mapper_key],
'hasAccess' => true
'template' => $iam_settings['templates'][$mapper_key]
));
$_SESSION['access_all_exception'] = '0';
}
return 'user';
}
@@ -571,14 +574,15 @@ function ldap_mbox_login($user, $pass, $extra = null){
if ($mapper_key === false) return false;
// create mailbox
$_SESSION['access_all_exception'] = '1';
$create_res = mailbox('add', 'mailbox_from_template', array(
'domain' => explode('@', $user)[1],
'local_part' => explode('@', $user)[0],
'name' => $user_res['displayname'][0],
'authsource' => 'ldap',
'template' => $iam_settings['templates'][$mapper_key],
'hasAccess' => true
'template' => $iam_settings['templates'][$mapper_key]
));
$_SESSION['access_all_exception'] = '0';
if (!$create_res){
clear_session();
return false;

33
data/web/inc/functions.inc.php
View File

@@ -538,10 +538,13 @@ function logger($_data = false) {
}
function hasDomainAccess($username, $role, $domain) {
global $pdo;
if (!filter_var($username, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) {
if (empty($domain) || !is_valid_domain_name($domain)) {
return false;
}
if (empty($domain) || !is_valid_domain_name($domain)) {
if (isset($_SESSION['access_all_exception']) && $_SESSION['access_all_exception'] == "1") {
return true;
}
if (!filter_var($username, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) {
return false;
}
if ($role != 'admin' && $role != 'domainadmin') {
@@ -577,6 +580,9 @@ function hasDomainAccess($username, $role, $domain) {
}
function hasMailboxObjectAccess($username, $role, $object) {
global $pdo;
if (isset($_SESSION['access_all_exception']) && $_SESSION['access_all_exception'] == "1") {
return true;
}
if (empty($username) || empty($role) || empty($object)) {
return false;
}
@@ -600,6 +606,9 @@ function hasMailboxObjectAccess($username, $role, $object) {
// does also verify mailboxes as a mailbox is a alias == goto
function hasAliasObjectAccess($username, $role, $object) {
global $pdo;
if (isset($_SESSION['access_all_exception']) && $_SESSION['access_all_exception'] == "1") {
return true;
}
if (empty($username) || empty($role) || empty($object)) {
return false;
}
@@ -617,6 +626,16 @@ function hasAliasObjectAccess($username, $role, $object) {
}
return false;
}
function hasACLAccess($type) {
if (isset($_SESSION['access_all_exception']) && $_SESSION['access_all_exception'] == "1") {
return true;
}
if (isset($_SESSION['acl'][$type]) && $_SESSION['acl'][$type] == "1") {
return true;
}
return false;
}
function pem_to_der($pem_key) {
// Need to remove BEGIN/END PUBLIC KEY
$lines = explode("\n", trim($pem_key));
@@ -2530,12 +2549,13 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
// success
if ($mapper_key !== false) {
// update user
$_SESSION['access_all_exception'] = '1';
mailbox('edit', 'mailbox_from_template', array(
'username' => $info['email'],
'name' => $info['name'],
'template' => $iam_settings['templates'][$mapper_key],
'hasAccess' => true
'template' => $iam_settings['templates'][$mapper_key]
));
$_SESSION['access_all_exception'] = '0';
}
set_user_loggedin_session($info['email']);
$_SESSION['iam_token'] = $plain_token;
@@ -2568,14 +2588,15 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
}
// create mailbox
$_SESSION['access_all_exception'] = '1';
$create_res = mailbox('add', 'mailbox_from_template', array(
'domain' => explode('@', $info['email'])[1],
'local_part' => explode('@', $info['email'])[0],
'name' => $info['name'],
'authsource' => $iam_settings['authsource'],
'template' => $iam_settings['templates'][$mapper_key],
'hasAccess' => true
'template' => $iam_settings['templates'][$mapper_key]
));
$_SESSION['access_all_exception'] = '0';
if (!$create_res){
clear_session();
$_SESSION['return'][] = array(

62
data/web/inc/functions.mailbox.inc.php
View File

@@ -1045,7 +1045,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
$password2 = '';
$password_hashed = '';
}
if (!$_extra['hasAccess'] && ((!isset($_SESSION['acl']['unlimited_quota']) || $_SESSION['acl']['unlimited_quota'] != "1") && $quota_m === 0)) {
if (!hasACLAccess("unlimited_quota") && $quota_m === 0) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -1104,7 +1104,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
);
return false;
}
if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain) && !$_extra['hasAccess']) {
if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain)) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -1385,7 +1385,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
}
}
return mailbox('add', 'mailbox', $mailbox_attributes, array('hasAccess' => $_data['hasAccess']));
return mailbox('add', 'mailbox', $mailbox_attributes);
break;
case 'resource':
$domain = idn_to_ascii(strtolower(trim($_data['domain'])), 0, INTL_IDNA_VARIANT_UTS46);
@@ -1753,7 +1753,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
else {
$usernames = $_data['username'];
}
if (!$_extra['hasAccess'] && (!isset($_SESSION['acl']['tls_policy']) || $_SESSION['acl']['tls_policy'] != "1")) {
if (!hasACLAccess("tls_policy")) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -1762,7 +1762,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
return false;
}
foreach ($usernames as $username) {
if (!$_extra['hasAccess'] && (!filter_var($username, FILTER_VALIDATE_EMAIL) || !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username))) {
if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -1807,7 +1807,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
else {
$usernames = $_data['username'];
}
if (!$_extra['hasAccess'] && (!isset($_SESSION['acl']['quarantine_notification']) || $_SESSION['acl']['quarantine_notification'] != "1")) {
if (!hasACLAccess("quarantine_notification")) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -1816,7 +1816,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
return false;
}
foreach ($usernames as $username) {
if (!$_extra['hasAccess'] && (!filter_var($username, FILTER_VALIDATE_EMAIL) || !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username))) {
if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -1866,7 +1866,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
else {
$usernames = $_data['username'];
}
if (!$_extra['hasAccess'] && (!isset($_SESSION['acl']['quarantine_category']) || $_SESSION['acl']['quarantine_category'] != "1")) {
if (!hasACLAccess("quarantine_category")) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -1875,7 +1875,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
return false;
}
foreach ($usernames as $username) {
if (!$_extra['hasAccess'] && (!filter_var($username, FILTER_VALIDATE_EMAIL) || !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username))) {
if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -2938,12 +2938,12 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
if (!empty($is_now)) {
$active = (isset($_data['active'])) ? intval($_data['active']) : $is_now['active'];
(int)$force_pw_update = (isset($_data['force_pw_update'])) ? intval($_data['force_pw_update']) : intval($is_now['attributes']['force_pw_update']);
(int)$sogo_access = ((isset($_data['sogo_access']) && isset($_SESSION['acl']['sogo_access']) && $_SESSION['acl']['sogo_access'] == "1") || $_extra['hasAccess']) ? intval($_data['sogo_access']) : intval($is_now['attributes']['sogo_access']);
(int)$imap_access = ((isset($_data['imap_access']) && isset($_SESSION['acl']['protocol_access']) && $_SESSION['acl']['protocol_access'] == "1") || $_extra['hasAccess']) ? intval($_data['imap_access']) : intval($is_now['attributes']['imap_access']);
(int)$pop3_access = ((isset($_data['pop3_access']) && isset($_SESSION['acl']['protocol_access']) && $_SESSION['acl']['protocol_access'] == "1") || $_extra['hasAccess']) ? intval($_data['pop3_access']) : intval($is_now['attributes']['pop3_access']);
(int)$smtp_access = ((isset($_data['smtp_access']) && isset($_SESSION['acl']['protocol_access']) && $_SESSION['acl']['protocol_access'] == "1") || $_extra['hasAccess']) ? intval($_data['smtp_access']) : intval($is_now['attributes']['smtp_access']);
(int)$sieve_access = ((isset($_data['sieve_access']) && isset($_SESSION['acl']['protocol_access']) && $_SESSION['acl']['protocol_access'] == "1") || $_extra['hasAccess']) ? intval($_data['sieve_access']) : intval($is_now['attributes']['sieve_access']);
(int)$relayhost = ((isset($_data['relayhost']) && isset($_SESSION['acl']['mailbox_relayhost']) && $_SESSION['acl']['mailbox_relayhost'] == "1") || $_extra['hasAccess']) ? intval($_data['relayhost']) : intval($is_now['attributes']['relayhost']);
(int)$sogo_access = (isset($_data['sogo_access']) && hasACLAccess("sogo_access")) ? intval($_data['sogo_access']) : intval($is_now['attributes']['sogo_access']);
(int)$imap_access = (isset($_data['imap_access']) && hasACLAccess("protocol_access")) ? intval($_data['imap_access']) : intval($is_now['attributes']['imap_access']);
(int)$pop3_access = (isset($_data['pop3_access']) && hasACLAccess("protocol_access")) ? intval($_data['pop3_access']) : intval($is_now['attributes']['pop3_access']);
(int)$smtp_access = (isset($_data['smtp_access']) && hasACLAccess("protocol_access")) ? intval($_data['smtp_access']) : intval($is_now['attributes']['smtp_access']);
(int)$sieve_access = (isset($_data['sieve_access']) && hasACLAccess("protocol_access")) ? intval($_data['sieve_access']) : intval($is_now['attributes']['sieve_access']);
(int)$relayhost = (isset($_data['relayhost']) && hasACLAccess("mailbox_relayhost")) ? intval($_data['relayhost']) : intval($is_now['attributes']['relayhost']);
(int)$quota_m = (isset_has_content($_data['quota'])) ? intval($_data['quota']) : ($is_now['quota'] / 1048576);
$name = (!empty($_data['name'])) ? ltrim(rtrim($_data['name'], '>'), '<') : $is_now['name'];
$domain = $is_now['domain'];
@@ -2970,7 +2970,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
continue;
}
// if already 0 == ok
if (!$_extra['hasAccess'] && (!isset($_SESSION['acl']['unlimited_quota']) || $_SESSION['acl']['unlimited_quota'] != "1") && ($quota_m == 0 && $is_now['quota'] != 0)) {
if (!hasACLAccess("unlimited_quota") && ($quota_m == 0 && $is_now['quota'] != 0)) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -2978,7 +2978,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
);
return false;
}
if (!$_extra['hasAccess'] && !hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain)) {
if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain)) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -3005,7 +3005,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
}
$extra_acls = array();
if (isset($_data['extended_sender_acl'])) {
if (!$_extra['hasAccess'] && (!isset($_SESSION['acl']['extend_sender_acl']) || $_SESSION['acl']['extend_sender_acl'] != "1")) {
if (!hasACLAccess("extend_sender_acl")) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -3505,7 +3505,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
}
$attribute_hash = sha1(json_encode($mbox_template_data["attributes"]));
$is_now = mailbox('get', 'mailbox_details', $_data['username'], array('hasAccess' => $_data['hasAccess']));
$is_now = mailbox('get', 'mailbox_details', $_data['username']);
$name = ltrim(rtrim($_data['name'], '>'), '<');
if ($is_now['attributes']['attribute_hash'] == $attribute_hash && $is_now['name'] == $name)
return true;
@@ -3541,17 +3541,17 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
}
$mailbox_attributes['quota'] = intval($mailbox_attributes['quota'] / 1048576);
$result = mailbox('edit', 'mailbox', $mailbox_attributes, array('hasAccess' => $_data['hasAccess']));
$result = mailbox('edit', 'mailbox', $mailbox_attributes);
if ($result === false) return $result;
$result = mailbox('edit', 'tls_policy', $tls_attributes, array('hasAccess' => $_data['hasAccess']));
$result = mailbox('edit', 'tls_policy', $tls_attributes);
if ($result === false) return $result;
$result = mailbox('edit', 'quarantine_notification', $quarantine_attributes, array('hasAccess' => $_data['hasAccess']));
$result = mailbox('edit', 'quarantine_notification', $quarantine_attributes);
if ($result === false) return $result;
$result = mailbox('edit', 'quarantine_category', $quarantine_attributes, array('hasAccess' => $_data['hasAccess']));
$result = mailbox('edit', 'quarantine_category', $quarantine_attributes);
if ($result === false) return $result;
$result = ratelimit('edit', 'mailbox', $ratelimit_attributes, array('hasAccess' => $_data['hasAccess']));
$result = ratelimit('edit', 'mailbox', $ratelimit_attributes);
if ($result === false) return $result;
$result = acl('edit', 'user', $acl_attributes, array('hasAccess' => $_data['hasAccess']));
$result = acl('edit', 'user', $acl_attributes);
if ($result === false) return $result;
$_SESSION['return'] = array();
@@ -4090,7 +4090,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
case 'tls_policy':
$attrs = array();
if (isset($_data) && filter_var($_data, FILTER_VALIDATE_EMAIL)) {
if (!$_extra['hasAccess'] && !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
return false;
}
}
@@ -4109,7 +4109,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
case 'quarantine_notification':
$attrs = array();
if (isset($_data) && filter_var($_data, FILTER_VALIDATE_EMAIL)) {
if (!$_extra['hasAccess'] && !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
return false;
}
}
@@ -4125,7 +4125,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
case 'quarantine_category':
$attrs = array();
if (isset($_data) && filter_var($_data, FILTER_VALIDATE_EMAIL)) {
if (!$_extra['hasAccess'] && (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data))) {
if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
return false;
}
}
@@ -4640,7 +4640,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
case 'domain_details':
$domaindata = array();
$_data = idn_to_ascii(strtolower(trim($_data)), 0, INTL_IDNA_VARIANT_UTS46);
if (!$_extra['hasAccess'] && !hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
return false;
}
$stmt = $pdo->prepare("SELECT `target_domain` FROM `alias_domain` WHERE `alias_domain` = :domain");
@@ -4806,7 +4806,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
}
break;
case 'mailbox_details':
if (!$_extra['hasAccess'] && !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
return false;
}
$mailboxdata = array();
@@ -4969,7 +4969,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
return $mailboxdata;
break;
case 'mailbox_templates':
if ($_SESSION['mailcow_cc_role'] != "admin" && $_SESSION['mailcow_cc_role'] != "domainadmin" && !$_extra['hasAccess']) {
if ($_SESSION['mailcow_cc_role'] != "admin" && $_SESSION['mailcow_cc_role'] != "domainadmin" && $_SESSION['access_all_exception'] != "1") {
return false;
}
$_data = (isset($_data)) ? intval($_data) : null;

10
data/web/inc/functions.ratelimit.inc.php
View File

@@ -4,7 +4,7 @@ function ratelimit($_action, $_scope, $_data = null, $_extra = null) {
$_data_log = $_data;
switch ($_action) {
case 'edit':
if ((!isset($_SESSION['acl']['ratelimit']) || $_SESSION['acl']['ratelimit'] != "1") && !$_extra['hasAccess']) {
if (!hasACLAccess("ratelimit")) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@@ -92,8 +92,8 @@ function ratelimit($_action, $_scope, $_data = null, $_extra = null) {
);
continue;
}
if (((!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $object)
|| ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin'))) && !$_extra['hasAccess']) {
if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $object)
|| ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin' && $_SESSION['access_all_exception'] != '1')) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_scope, $_data_log),
@@ -139,7 +139,7 @@ function ratelimit($_action, $_scope, $_data = null, $_extra = null) {
case 'get':
switch ($_scope) {
case 'domain':
if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data) && !$_extra['hasAccess']) {
if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
return false;
}
try {
@@ -164,7 +164,7 @@ function ratelimit($_action, $_scope, $_data = null, $_extra = null) {
return false;
break;
case 'mailbox':
if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data && !$_extra['hasAccess'])
if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)
|| ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin')) {
return false;
}

2
data/web/inc/sessions.inc.php
View File

@@ -5,6 +5,8 @@ if (session_status() !== PHP_SESSION_ACTIVE) {
ini_set('session.gc_maxlifetime', $SESSION_LIFETIME);
}
$_SESSION['access_all_exception'] = '0';
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) &&
strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == "https") {
if (session_status() !== PHP_SESSION_ACTIVE) {