From 72f8c0a5bdad505b91f87ed608efb5f1ed6e82d0 Mon Sep 17 00:00:00 2001 From: ntimo Date: Thu, 3 Oct 2019 12:48:19 +0200 Subject: [PATCH 01/17] [API] Added proper status codes to API --- data/web/json_api.php | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/data/web/json_api.php b/data/web/json_api.php index ea4304af..9e38cbec 100644 --- a/data/web/json_api.php +++ b/data/web/json_api.php @@ -69,6 +69,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u // check for valid json if ($action != 'get' && $requestDecoded === null) { + http_response_code(400); echo json_encode(array( 'type' => 'error', 'msg' => 'Request body doesn\'t contain valid json!' @@ -112,9 +113,11 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u 'msg' => 'Task completed' )); if ($return === false) { + http_response_code(200); echo isset($_SESSION['return']) ? json_encode($_SESSION['return']) : $generic_failure; } else { + http_response_code(200); echo isset($_SESSION['return']) ? json_encode($_SESSION['return']) : $generic_success; } } @@ -202,6 +205,14 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u function process_get_return($data) { echo (!isset($data) || empty($data)) ? '{}' : json_encode($data, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT); } + if ($action != 'get' ) { + http_response_code(400); + echo json_encode(array( + 'type' => 'error', + 'msg' => 'Only GET method is allowed!' + )); + exit + } switch ($category) { case "rspamd": switch ($object) { @@ -1042,9 +1053,11 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u 'msg' => 'Task completed' )); if ($return === false) { + http_response_code(200); echo isset($_SESSION['return']) ? json_encode($_SESSION['return']) : $generic_failure; } else { + http_response_code(200); echo isset($_SESSION['return']) ? json_encode($_SESSION['return']) : $generic_success; } } 
@@ -1148,9 +1161,11 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u 'msg' => 'Task completed' )); if ($return === false) { + http_response_code(200); echo isset($_SESSION['return']) ? json_encode($_SESSION['return']) : $generic_failure; } else { + http_response_code(200); echo isset($_SESSION['return']) ? json_encode($_SESSION['return']) : $generic_success; } } @@ -1273,6 +1288,14 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u break; } break; + default; + http_response_code(404); + echo json_encode(array( + 'type' => 'error', + 'msg' => 'route not found' + )); + unset($_POST); + die(); } } } From 796853cae5eab2920da550a1c52e6b35bcda0c24 Mon Sep 17 00:00:00 2001 From: ntimo Date: Thu, 3 Oct 2019 12:50:58 +0200 Subject: [PATCH 02/17] [API] Replace exit with die(); --- data/web/json_api.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/web/json_api.php b/data/web/json_api.php index 9e38cbec..66a839b1 100644 --- a/data/web/json_api.php +++ b/data/web/json_api.php @@ -211,7 +211,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u 'type' => 'error', 'msg' => 'Only GET method is allowed!' )); - exit + die(); } switch ($category) { case "rspamd": From c67e86756ff0b2e738d96b4223992912108752b5 Mon Sep 17 00:00:00 2001 From: ntimo Date: Thu, 3 Oct 2019 12:54:06 +0200 Subject: [PATCH 03/17] [API] Better check for GET method --- data/web/json_api.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/web/json_api.php b/data/web/json_api.php index 66a839b1..90dce751 100644 --- a/data/web/json_api.php +++ b/data/web/json_api.php 
@@ -205,7 +205,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u function process_get_return($data) { echo (!isset($data) || empty($data)) ? '{}' : json_encode($data, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT); } - if ($action != 'get' ) { + if ($_SERVER['REQUEST_METHOD'] === 'GET') { http_response_code(400); echo json_encode(array( 'type' => 'error', From 948137b4b4bbe0500af14d063cd5ab1648d27952 Mon Sep 17 00:00:00 2001 From: ntimo Date: Thu, 3 Oct 2019 12:56:01 +0200 Subject: [PATCH 04/17] [API] Fixed only allow GET logic --- data/web/json_api.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/web/json_api.php b/data/web/json_api.php index 90dce751..852c2dec 100644 --- a/data/web/json_api.php +++ b/data/web/json_api.php @@ -205,7 +205,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u function process_get_return($data) { echo (!isset($data) || empty($data)) ? '{}' : json_encode($data, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT); } - if ($_SERVER['REQUEST_METHOD'] === 'GET') { + if ($_SERVER['REQUEST_METHOD'] != 'GET') { http_response_code(400); echo json_encode(array( 'type' => 'error', From f3930492736f67b469e97b89890de9523d86ef77 Mon Sep 17 00:00:00 2001 From: ntimo Date: Thu, 3 Oct 2019 14:36:10 +0200 Subject: [PATCH 05/17] [API] Make add and delete routes POST only --- data/web/json_api.php | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/data/web/json_api.php b/data/web/json_api.php index 852c2dec..5f3b0ea5 100644 --- a/data/web/json_api.php +++ b/data/web/json_api.php 
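Review bot: The corrected guard in patch 04 (`@@ -205,7`) compares with loose `!=` while the rest of this series uses strict comparison (`$return === false`, `$requestDecoded === null`); `if ($_SERVER['REQUEST_METHOD'] !== 'GET') {` keeps the file consistent and is no weaker, since REQUEST_METHOD is always a string. The check also rejects HEAD, which is harmless for a JSON API but deserves a one-line comment if intentional, e.g. `// HEAD is rejected too; only plain GET is served here`. The enclosing `case "get":` and its `switch ($category)` begin and end outside the hunk.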
@@ -129,6 +129,12 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u $attr = (array)json_decode($_POST['attr'], true); unset($attr['csrf_token']); } + if ($_SERVER['REQUEST_METHOD'] != 'POST') { + http_response_code(405); + echo json_encode(array( + 'type' => 'error', + 'msg' => 'Only POST method is allowed!' + )); switch ($category) { case "time_limited_alias": process_add_return(mailbox('add', 'time_limited_alias', $attr)); @@ -206,7 +212,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u echo (!isset($data) || empty($data)) ? '{}' : json_encode($data, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT); } if ($_SERVER['REQUEST_METHOD'] != 'GET') { - http_response_code(400); + http_response_code(405); echo json_encode(array( 'type' => 'error', 'msg' => 'Only GET method is allowed!' @@ -1068,6 +1074,12 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u else { $items = (array)json_decode($_POST['items'], true); } + if ($_SERVER['REQUEST_METHOD'] != 'POST') { + http_response_code(405); + echo json_encode(array( + 'type' => 'error', + 'msg' => 'Only POST method is allowed!' + )); switch ($category) { case "alias": process_delete_return(mailbox('delete', 'alias', array('id' => $items))); From c4c9d2a3b4d3f5e5789a04c593f133a697b5601c Mon Sep 17 00:00:00 2001 From: ntimo Date: Thu, 3 Oct 2019 14:39:38 +0200 Subject: [PATCH 06/17] [API] Fixed broken if --- data/web/json_api.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/data/web/json_api.php b/data/web/json_api.php index 5f3b0ea5..e5643dc5 100644 --- a/data/web/json_api.php +++ b/data/web/json_api.php @@ -135,6 +135,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u 'type' => 'error', 'msg' => 'Only POST method is allowed!' )); + } switch ($category) { case "time_limited_alias": process_add_return(mailbox('add', 'time_limited_alias', $attr)); 
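Review bot: The two new 405 responses (`@@ -129` and `@@ -1068`) send no `Allow` header, which RFC 7231 §6.5.5 requires for a 405; add `header('Allow: POST');` immediately before each `http_response_code(405);` (and `Allow: GET` for the get branch changed in the same patch). Both guards also run after the request body has already been decoded from `$_POST['attr']` / `$_POST['items']` in the preceding context lines, so the method check would be cheaper and harder to forget if it ran once at the top of the dispatcher before any parsing. A method restriction on its own does not prevent a cross-site form POST; the `unset($attr['csrf_token'])` visible in the context suggests a separate CSRF/API-key check exists, so confirm it still runs for every add/delete route rather than relying on the method guard. The `switch ($category)` these guards protect runs past the end of the hunk.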
@@ -1080,6 +1081,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u 'type' => 'error', 'msg' => 'Only POST method is allowed!' )); + } switch ($category) { case "alias": process_delete_return(mailbox('delete', 'alias', array('id' => $items))); From 877c48db58696cc2ba3a9890a7d18dd0ed58f606 Mon Sep 17 00:00:00 2001 From: ntimo Date: Thu, 3 Oct 2019 14:42:30 +0200 Subject: [PATCH 07/17] [API] Added missing die() --- data/web/json_api.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/data/web/json_api.php b/data/web/json_api.php index e5643dc5..d358a619 100644 --- a/data/web/json_api.php +++ b/data/web/json_api.php @@ -135,6 +135,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u 'type' => 'error', 'msg' => 'Only POST method is allowed!' )); + die(); } switch ($category) { case "time_limited_alias": @@ -1081,6 +1082,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u 'type' => 'error', 'msg' => 'Only POST method is allowed!' )); + die(); } switch ($category) { case "alias": From ab298741e3ad2a12297096b13403f9df846ef4f3 Mon Sep 17 00:00:00 2001 From: ntimo Date: Thu, 3 Oct 2019 15:04:25 +0200 Subject: [PATCH 08/17] [API] Added comments --- data/web/json_api.php | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/data/web/json_api.php b/data/web/json_api.php index d358a619..2be9dbdb 100644 --- a/data/web/json_api.php +++ b/data/web/json_api.php @@ -129,11 +129,12 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u $attr = (array)json_decode($_POST['attr'], true); unset($attr['csrf_token']); } + // only allow POST requests to POST API endpoints if ($_SERVER['REQUEST_METHOD'] != 'POST') { http_response_code(405); echo json_encode(array( 'type' => 'error', - 'msg' => 'Only POST method is allowed!' + 'msg' => 'only POST method is allowed' )); die(); } 
@@ -213,11 +214,12 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u function process_get_return($data) { echo (!isset($data) || empty($data)) ? '{}' : json_encode($data, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT); } + // only allow GET requests to GET API endpoints if ($_SERVER['REQUEST_METHOD'] != 'GET') { http_response_code(405); echo json_encode(array( 'type' => 'error', - 'msg' => 'Only GET method is allowed!' + 'msg' => 'only GET method is allowed' )); die(); } @@ -1076,11 +1078,12 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u else { $items = (array)json_decode($_POST['items'], true); } + // only allow POST requests to POST API endpoints if ($_SERVER['REQUEST_METHOD'] != 'POST') { http_response_code(405); echo json_encode(array( 'type' => 'error', - 'msg' => 'Only POST method is allowed!' + 'msg' => 'only POST method is allowed' )); die(); } @@ -1304,6 +1307,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u break; } break; + // return no route found if no case is matched default; http_response_code(404); echo json_encode(array( From 416d5a12f8e55cef0c83b0a959dc407af250c0fb Mon Sep 17 00:00:00 2001 From: ntimo Date: Thu, 3 Oct 2019 15:06:08 +0200 Subject: [PATCH 09/17] [API] Unset POST when only GET is allowed --- data/web/json_api.php | 1 + 1 file changed, 1 insertion(+) diff --git a/data/web/json_api.php b/data/web/json_api.php index 2be9dbdb..64d6304b 100644 --- a/data/web/json_api.php +++ b/data/web/json_api.php @@ -221,6 +221,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u 'type' => 'error', 'msg' => 'only GET method is allowed' )); + unset($_POST); die(); } switch ($category) { From 5fa456770f054f9312163f002e42457ad372bd25 Mon Sep 17 00:00:00 2001 
From: ntimo Date: Thu, 3 Oct 2019 17:25:56 +0200 Subject: [PATCH 10/17] [API] Removed hard coded status code 200 --- data/web/json_api.php | 6 ------ 1 file changed, 6 deletions(-) diff --git a/data/web/json_api.php b/data/web/json_api.php index 64d6304b..46e65519 100644 --- a/data/web/json_api.php +++ b/data/web/json_api.php @@ -113,11 +113,9 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u 'msg' => 'Task completed' )); if ($return === false) { - http_response_code(200); echo isset($_SESSION['return']) ? json_encode($_SESSION['return']) : $generic_failure; } else { - http_response_code(200); echo isset($_SESSION['return']) ? json_encode($_SESSION['return']) : $generic_success; } } @@ -1064,11 +1062,9 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u 'msg' => 'Task completed' )); if ($return === false) { - http_response_code(200); echo isset($_SESSION['return']) ? json_encode($_SESSION['return']) : $generic_failure; } else { - http_response_code(200); echo isset($_SESSION['return']) ? json_encode($_SESSION['return']) : $generic_success; } } @@ -1181,11 +1177,9 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u 'msg' => 'Task completed' )); if ($return === false) { - http_response_code(200); echo isset($_SESSION['return']) ? json_encode($_SESSION['return']) : $generic_failure; } else { - http_response_code(200); echo isset($_SESSION['return']) ? json_encode($_SESSION['return']) : $generic_success; } } From b9c244b746f79b148d919174cc5c6f8d4b857f97 Mon Sep 17 00:00:00 2001 From: ntimo Date: Thu, 3 Oct 2019 18:14:27 +0200 Subject: [PATCH 11/17] [API] Only allow POST method for edit apis --- data/web/json_api.php | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/data/web/json_api.php b/data/web/json_api.php index 46e65519..88fa3fdb 100644 --- a/data/web/json_api.php +++ b/data/web/json_api.php 
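Review bot: After removing the explicit calls, the `$return === false` branch in all three hunks still answers with PHP's default 200, so an API client that branches on status cannot tell `$generic_failure` from success without parsing the body. Set a non-2xx before the echo in that branch, e.g. `if ($return === false) { http_response_code(400); echo isset($_SESSION['return']) ? json_encode($_SESSION['return']) : $generic_failure; }`, choosing 403 or 500 instead where `$_SESSION['return']` carries the cause, and do it identically in all three `process_*_return` helpers so they do not drift. The helper functions these hunks sit in start and end outside the hunks.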
@@ -1192,6 +1192,15 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u unset($attr['csrf_token']); $items = isset($_POST['items']) ? (array)json_decode($_POST['items'], true) : null; } + // only allow POST requests to POST API endpoints + if ($_SERVER['REQUEST_METHOD'] != 'POST') { + http_response_code(405); + echo json_encode(array( + 'type' => 'error', + 'msg' => 'only POST method is allowed' + )); + die(); + } switch ($category) { case "bcc": process_edit_return(bcc('edit', array_merge(array('id' => $items), $attr))); From 2da55296b5eaed48bf4264b0a94fbfa6de6251c2 Mon Sep 17 00:00:00 2001 From: ntimo Date: Thu, 3 Oct 2019 20:52:09 +0200 Subject: [PATCH 12/17] [API] Catch more cases where no api route exists --- data/web/json_api.php | 34 +++++++++++++++++++++++++++++++--- 1 file changed, 31 insertions(+), 3 deletions(-) diff --git a/data/web/json_api.php b/data/web/json_api.php index 88fa3fdb..63da426c 100644 --- a/data/web/json_api.php +++ b/data/web/json_api.php @@ -206,6 +206,14 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u case "tls-policy-map": process_add_return(tls_policy_maps('add', $attr)); break; + default: + http_response_code(404); + echo json_encode(array( + 'type' => 'error', + 'msg' => 'route not found' + )); + unset($_POST); + die(); } break; case "get": @@ -1047,8 +1055,12 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u } break; default: - echo '{}'; - break; + http_response_code(404); + echo json_encode(array( + 'type' => 'error', + 'msg' => 'route not found' + )); + die(); } break; case "delete": @@ -1164,6 +1176,14 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u case "rlhash": echo ratelimit('delete', null, implode($items)); break; + default: + http_response_code(404); + echo json_encode(array( + 'type' => 'error', + 'msg' => 'route not found' + )); + unset($_POST); + die(); } break; case "edit": 
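Review bot: This is the third verbatim copy of the POST-only guard (the add and delete routes added in patch 05 carry the same lines), so the status code, message wording and the `Allow` header a 405 is supposed to carry now have to be kept in sync in three places. Extract it once as a small helper and call `api_require_method('POST');` from the add, delete and edit routes; the helper below also adds the missing `Allow` header. As in the earlier copies, the guard still runs after `$attr` and `$items` have been parsed from `$_POST` in the context lines above it, so placing the call before that parsing is preferable. The `switch ($category)` that follows runs past the end of the hunk.
```php
// define once near the top of json_api.php (outside this hunk), then reuse in add/delete/edit
function api_require_method($method) {
  if ($_SERVER['REQUEST_METHOD'] !== $method) {
    header('Allow: ' . $method);
    http_response_code(405);
    echo json_encode(array(
      'type' => 'error',
      'msg' => 'only ' . $method . ' method is allowed'
    ));
    exit();
  }
}
// … unchanged: $attr / $items parsing …
api_require_method('POST');
```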
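Review bot: The `@@ -1047` hunk changes the GET fallback for an unknown category from `echo '{}'` with an implicit 200 to a 404 carrying `{"type":"error","msg":"route not found"}`, which is a contract change for clients that treated an empty object as "nothing found"; it is the better behaviour, but it needs a changelog/API-documentation entry and a comment at the `default:` such as `// was '{}' with 200 before; unknown categories are now a 404 error object`. The same treatment is only applied at the `$category` level here, so unknown `$object` values inside the per-category switches still fall through silently as far as this hunk shows. The enclosing `switch ($category)` for get begins well outside the hunk.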
@@ -1309,10 +1329,18 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u process_edit_return(edit_user_account($attr)); } break; + default: + http_response_code(404); + echo json_encode(array( + 'type' => 'error', + 'msg' => 'route not found' + )); + unset($_POST); + die(); } break; // return no route found if no case is matched - default; + default: http_response_code(404); echo json_encode(array( 'type' => 'error', From 08350d9a95ffa9c3d8ac445c275bca6a1c581fba Mon Sep 17 00:00:00 2001 From: ntimo Date: Thu, 3 Oct 2019 20:58:56 +0200 Subject: [PATCH 13/17] [API] Added missing route not found error for /get/logs/ --- data/web/json_api.php | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/data/web/json_api.php b/data/web/json_api.php index 63da426c..7dd7feaa 100644 --- a/data/web/json_api.php +++ b/data/web/json_api.php @@ -589,6 +589,13 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u } echo (isset($logs) && !empty($logs)) ? json_encode($logs, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT) : '{}'; break; + default: + http_response_code(404); + echo json_encode(array( + 'type' => 'error', + 'msg' => 'route not found' + )); + die(); } break; case "mailbox": From 6372df21feb51d783cdbd9bf0aff6f1f645e85b6 Mon Sep 17 00:00:00 2001 From: ntimo Date: Fri, 4 Oct 2019 08:37:30 +0200 Subject: [PATCH 14/17] [API] Replaced die(); with exit(); due to code conventions --- data/web/json_api.php | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/data/web/json_api.php b/data/web/json_api.php index 7dd7feaa..0753c74a 100644 --- a/data/web/json_api.php +++ b/data/web/json_api.php @@ -134,7 +134,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u 'type' => 'error', 'msg' => 'only POST method is allowed' )); - die(); + exit(); } switch ($category) { case "time_limited_alias": 
@@ -213,7 +213,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u 'msg' => 'route not found' )); unset($_POST); - die(); + exit(); } break; case "get": @@ -228,7 +228,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u 'msg' => 'only GET method is allowed' )); unset($_POST); - die(); + exit(); } switch ($category) { case "rspamd": @@ -595,7 +595,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u 'type' => 'error', 'msg' => 'route not found' )); - die(); + exit(); } break; case "mailbox": @@ -1067,7 +1067,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u 'type' => 'error', 'msg' => 'route not found' )); - die(); + exit(); } break; case "delete": @@ -1101,7 +1101,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u 'type' => 'error', 'msg' => 'only POST method is allowed' )); - die(); + exit(); } switch ($category) { case "alias": @@ -1190,7 +1190,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u 'msg' => 'route not found' )); unset($_POST); - die(); + exit(); } break; case "edit": @@ -1226,7 +1226,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u 'type' => 'error', 'msg' => 'only POST method is allowed' )); - die(); + exit(); } switch ($category) { case "bcc": @@ -1343,7 +1343,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u 'msg' => 'route not found' )); unset($_POST); - die(); + exit(); } break; // return no route found if no case is matched @@ -1354,7 +1354,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u 'msg' => 'route not found' )); unset($_POST); - die(); + exit(); } } } From 2c7e9f49d5a8a153107e7c311f17258dd4407e63 Mon Sep 17 00:00:00 2001 
From: ntimo Date: Fri, 4 Oct 2019 09:01:31 +0200 Subject: [PATCH 15/17] [API] Added comments to defaults --- data/web/json_api.php | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/data/web/json_api.php b/data/web/json_api.php index 0753c74a..0efc0bcd 100644 --- a/data/web/json_api.php +++ b/data/web/json_api.php @@ -206,6 +206,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u case "tls-policy-map": process_add_return(tls_policy_maps('add', $attr)); break; + // return no route found if no case is matched default: http_response_code(404); echo json_encode(array( @@ -589,6 +590,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u } echo (isset($logs) && !empty($logs)) ? json_encode($logs, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT) : '{}'; break; + // return no route found if no case is matched default: http_response_code(404); echo json_encode(array( @@ -1061,6 +1063,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u break; } break; + // return no route found if no case is matched default: http_response_code(404); echo json_encode(array( @@ -1183,6 +1186,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u case "rlhash": echo ratelimit('delete', null, implode($items)); break; + // return no route found if no case is matched default: http_response_code(404); echo json_encode(array( @@ -1336,6 +1340,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u process_edit_return(edit_user_account($attr)); } break; + // return no route found if no case is matched default: http_response_code(404); echo json_encode(array( From 8a87dd4254a0e6694041a307d6edd35d80c6700b Mon Sep 17 00:00:00 2001 From: ntimo Date: Sat, 5 Oct 2019 18:14:36 +0200 Subject: [PATCH 16/17] [API] Removed unsets that are not needed --- data/web/json_api.php | 5 ----- 1 file changed, 5 deletions(-) 
diff --git a/data/web/json_api.php b/data/web/json_api.php index 0efc0bcd..4c490c0d 100644 --- a/data/web/json_api.php +++ b/data/web/json_api.php @@ -213,7 +213,6 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u 'type' => 'error', 'msg' => 'route not found' )); - unset($_POST); exit(); } break; @@ -228,7 +227,6 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u 'type' => 'error', 'msg' => 'only GET method is allowed' )); - unset($_POST); exit(); } switch ($category) { @@ -1193,7 +1191,6 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u 'type' => 'error', 'msg' => 'route not found' )); - unset($_POST); exit(); } break; @@ -1347,7 +1344,6 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u 'type' => 'error', 'msg' => 'route not found' )); - unset($_POST); exit(); } break; @@ -1358,7 +1354,6 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u 'type' => 'error', 'msg' => 'route not found' )); - unset($_POST); exit(); } } From af13ae455cdc62a6f64e9a493768f7a81e8885c6 Mon Sep 17 00:00:00 2001 From: ntimo Date: Tue, 8 Oct 2019 19:30:01 +0200 Subject: [PATCH 17/17] [API] Invalidate session after api call is done --- data/web/json_api.php | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/data/web/json_api.php b/data/web/json_api.php index 4c490c0d..d59cfe56 100644 --- a/data/web/json_api.php +++ b/data/web/json_api.php @@ -1357,4 +1357,9 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u exit(); } } + if ($_SESSION['mailcow_cc_api'] === true) { + if (isset($_SESSION['mailcow_cc_api']) && $_SESSION['mailcow_cc_api'] === true) { + unset($_SESSION['return']); + } + } }
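Review bot: In patch 17 the outer `if ($_SESSION['mailcow_cc_api'] === true)` reads the key without `isset()`, so every non-API session that reaches the end of the file raises an undefined-index notice (which can end up inside the JSON body if notices are displayed), and the nested `isset(...) && ... === true` then re-checks what the outer line already asserted; collapse it to `if (isset($_SESSION['mailcow_cc_api']) && $_SESSION['mailcow_cc_api'] === true) {` / `unset($_SESSION['return']);` / `}`. The commit title says the session is invalidated, but the code only drops `$_SESSION['return']`; if API-key requests are meant to leave no reusable login behind, `session_unset(); session_destroy();` belongs here as well — confirm against how the API-key path populates the session before adding it. Because every 404/405 branch added earlier in this series calls `exit()`, this cleanup is skipped on those paths, so clearing `$_SESSION['return']` at the start of the request is more reliable than at the tail. Separately, the gate shown in the hunk header admits sessions with only `pending_mailcow_cc_username` set; if that flag marks a login awaiting its second factor, the API is reachable before TFA completes — worth verifying against the login flow, which is outside this diff.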