From e0bda6ca6a2c78e94d01772a12f397628552b5e4 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it
Date: Fri, 8 Mar 2024 14:05:37 +0100
Subject: [PATCH] [Web] prevent multiple dual-logins

---
 data/web/inc/triggers.inc.php | 35 +++++++++++++++++++----------------
 1 file changed, 19 insertions(+), 16 deletions(-)

diff --git a/data/web/inc/triggers.inc.php b/data/web/inc/triggers.inc.php
index cd81f4c21..0e29011de 100644
--- a/data/web/inc/triggers.inc.php
+++ b/data/web/inc/triggers.inc.php
@@ -121,23 +121,26 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
 if (isset($_SESSION['mailcow_cc_role']) && (isset($_SESSION['acl']['login_as']) && $_SESSION['acl']['login_as'] == "1")) {
 if (isset($_GET["duallogin"])) {
- $duallogin = html_entity_decode(rawurldecode($_GET["duallogin"]));
- if (filter_var($duallogin, FILTER_VALIDATE_EMAIL)) {
- if (!empty(mailbox('get', 'mailbox_details', $duallogin))) {
- $_SESSION["dual-login"]["username"] = $_SESSION['mailcow_cc_username'];
- $_SESSION["dual-login"]["role"] = $_SESSION['mailcow_cc_role'];
- $_SESSION['mailcow_cc_username'] = $duallogin;
- $_SESSION['mailcow_cc_role'] = "user";
- header("Location: /user");
+ $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
+ if (!$is_dual) {
+ $duallogin = html_entity_decode(rawurldecode($_GET["duallogin"]));
+ if (filter_var($duallogin, FILTER_VALIDATE_EMAIL)) {
+ if (!empty(mailbox('get', 'mailbox_details', $duallogin))) {
+ $_SESSION["dual-login"]["username"] = $_SESSION['mailcow_cc_username'];
+ $_SESSION["dual-login"]["role"] = $_SESSION['mailcow_cc_role'];
+ $_SESSION['mailcow_cc_username'] = $duallogin;
+ $_SESSION['mailcow_cc_role'] = "user";
+ header("Location: /user");
+ }
 }
- }
- else {
- if (!empty(domain_admin('details', $duallogin))) {
- $_SESSION["dual-login"]["username"] = $_SESSION['mailcow_cc_username'];
- $_SESSION["dual-login"]["role"] = $_SESSION['mailcow_cc_role'];
- $_SESSION['mailcow_cc_username'] = $duallogin;
- $_SESSION['mailcow_cc_role'] = "domainadmin";
- header("Location: /user");
+ else {
+ if (!empty(domain_admin('details', $duallogin))) {
+ $_SESSION["dual-login"]["username"] = $_SESSION['mailcow_cc_username'];
+ $_SESSION["dual-login"]["role"] = $_SESSION['mailcow_cc_role'];
+ $_SESSION['mailcow_cc_username'] = $duallogin;
+ $_SESSION['mailcow_cc_role'] = "domainadmin";
+ header("Location: /user");
+ }
 }
 }
 }