[Web] Fix alias verification

master
andryyy 2021-06-09 11:03:48 +02:00
parent a01ba7efa3
commit 05c85b4140
No known key found for this signature in database
GPG Key ID: 8EC34FF2794E25EF
1 changed files with 2 additions and 2 deletions

View File

@ -589,6 +589,7 @@ function hasMailboxObjectAccess($username, $role, $object) {
} }
return false; return false;
} }
// does also verify mailboxes as a mailbox is a alias == goto
function hasAliasObjectAccess($username, $role, $object) { function hasAliasObjectAccess($username, $role, $object) {
global $pdo; global $pdo;
if (empty($username) || empty($role) || empty($object)) { if (empty($username) || empty($role) || empty($object)) {
@ -600,8 +601,7 @@ function hasAliasObjectAccess($username, $role, $object) {
if ($role != 'admin' && $role != 'domainadmin' && $role != 'user') { if ($role != 'admin' && $role != 'domainadmin' && $role != 'user') {
return false; return false;
} }
// Do not verify mailboxes $stmt = $pdo->prepare("SELECT `domain` FROM `alias` WHERE `address` = :object");
$stmt = $pdo->prepare("SELECT `domain` FROM `alias` WHERE `address` = :object AND `address` != `goto`");
$stmt->execute(array(':object' => $object)); $stmt->execute(array(':object' => $object));
$row = $stmt->fetch(PDO::FETCH_ASSOC); $row = $stmt->fetch(PDO::FETCH_ASSOC);
if (isset($row['domain']) && hasDomainAccess($username, $role, $row['domain'])) { if (isset($row['domain']) && hasDomainAccess($username, $role, $row['domain'])) {