paxton
/
mailcow
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[Web] Do not allow admin login to mailbox logged in as user while ALLOW_ADMIN_EMAIL_LOGIN is n

master
andryyy 2021-07-09 07:43:23 +02:00
parent 5a6d970794
commit 78270f9707
No known key found for this signature in database
GPG Key ID: 8EC34FF2794E25EF
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
data/web/sogo-auth.php
View File

@ -1,5 +1,10 @@
<?php <?php
$ALLOW_ADMIN_EMAIL_LOGIN = (preg_match(
"/^([yY][eE][sS]|[yY])+$/",
$_ENV["ALLOW_ADMIN_EMAIL_LOGIN"]
));
$session_var_user_allowed = 'sogo-sso-user-allowed'; $session_var_user_allowed = 'sogo-sso-user-allowed';
$session_var_pass = 'sogo-sso-pass'; $session_var_pass = 'sogo-sso-pass';
@ -29,6 +34,11 @@ elseif (isset($_GET['login'])) {
$is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false; $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
// check permissions (if dual_login is active, deny sso when acl is not given) // check permissions (if dual_login is active, deny sso when acl is not given)
$login = html_entity_decode(rawurldecode($_GET["login"])); $login = html_entity_decode(rawurldecode($_GET["login"]));
if ($ALLOW_ADMIN_EMAIL_LOGIN === 0 && $is_dual === true) {
header('HTTP/1.0 403 Forbidden');
echo "Admin login is forbidden";
exit;
}
if (isset($_SESSION['mailcow_cc_role']) && if (isset($_SESSION['mailcow_cc_role']) &&
($_SESSION['acl']['login_as'] == "1" || ($is_dual === false && $login == $_SESSION['mailcow_cc_username']))) { ($_SESSION['acl']['login_as'] == "1" || ($is_dual === false && $login == $_SESSION['mailcow_cc_username']))) {
if (filter_var($login, FILTER_VALIDATE_EMAIL)) { if (filter_var($login, FILTER_VALIDATE_EMAIL)) {