From 8e07d29f0a43e3c44b7341aa4906f9dd81350c4c Mon Sep 17 00:00:00 2001
From: andryyy
Date: Tue, 3 Jan 2017 10:39:32 +0100
Subject: [PATCH] Some slight changes in permission checks for future updates
---
 data/web/inc/functions.inc.php | 35 +++++++++++++++++++++++++++++++---
 1 file changed, 32 insertions(+), 3 deletions(-)
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index ce1b374e..cfa3fdb4 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -8,11 +8,12 @@ function hasDomainAccess($username, $role, $domain) {
   if (!filter_var($username, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) {
     return false;
   }
-
   if (!is_valid_domain_name($domain)) {
     return false;
   }
-
+  if ($role != 'admin' && $role != 'domainadmin' && $role != 'user') {
+    return false;
+  }
   try {
     $stmt = $pdo->prepare("SELECT `domain` FROM `domain_admins`
       WHERE (
@@ -2192,6 +2193,9 @@ function delete_domain_admin($postarray) {
 function get_spam_score($username) {
   global $pdo;
   $default = "5, 15";
+  if ($_SESSION['mailcow_cc_role'] != "user") {
+    return false;
+  }
   if (!filter_var($username, FILTER_VALIDATE_EMAIL)) {
     return $default;
   }
@@ -2235,6 +2239,13 @@ function get_spam_score($username) {
 function set_spam_score($postarray) {
   global $lang;
   global $pdo;
+  if ($_SESSION['mailcow_cc_role'] != "user") {
+    $_SESSION['return'] = array(
+      'type' => 'danger',
+      'msg' => sprintf($lang['danger']['access_denied'])
+    );
+    return false;
+  }
   $username = $_SESSION['mailcow_cc_username'];
   $lowspamlevel = explode(',', $postarray['score'])[0];
   $highspamlevel = explode(',', $postarray['score'])[1];
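Review bot: The new role allowlist in hasDomainAccess uses loose `!=`, so a non-string `$role` is not reliably rejected: under PHP 7 both `0 != 'admin'` and `true != 'admin'` evaluate to false, which means an integer 0 or boolean true passes all three comparisons and falls through to the query. A strict check is one line: `if (!in_array($role, array('admin', 'domainadmin', 'user'), true)) { return false; }`. The same loose `!=` against `$_SESSION['mailcow_cc_role']` appears in the get_spam_score, set_spam_score, set_policy_list, set_tls_policy and get_tls_policy hunks and should become `!==` there as well. hasDomainAccess's body continues beyond the hunk; the prepared statement and its result handling are not visible here.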
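Review bot: The added gate in get_spam_score checks only that the session role is "user"; it does not tie `$username` to the caller's own mailbox, so as far as this hunk shows any logged-in user can pass an arbitrary address and have it looked up. Unless the body below (outside the hunk) compares `$username` with `$_SESSION['mailcow_cc_username']`, the gate should do it: `if ($_SESSION['mailcow_cc_role'] !== "user" || $username !== $_SESSION['mailcow_cc_username']) { return false; }`. The get_tls_policy hunk has the same shape and raises the same question. Note also that this early exit returns `false` while the invalid-address exit directly below returns the string `$default`, so a caller that treats the result as a string sees two different failure values.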
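Review bot: In set_spam_score the access-denied message is built with `sprintf($lang['danger']['access_denied'])` and no format arguments, which is a no-op wrapper that adds a failure mode: if a translation of that message ever contains a literal `%`, sprintf treats it as a conversion specifier and mangles the text or raises an error. Use the string directly, `'msg' => $lang['danger']['access_denied']`. The same pattern is added in the set_policy_list and set_tls_policy hunks.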
@@ -2288,7 +2299,15 @@ function set_spam_score($postarray) {
 function set_policy_list($postarray) {
   global $lang;
   global $pdo;
-
+  if ($_SESSION['mailcow_cc_role'] != "admin" &&
+    $_SESSION['mailcow_cc_role'] != "domainadmin" &&
+    $_SESSION['mailcow_cc_role'] != "user") {
+    $_SESSION['return'] = array(
+      'type' => 'danger',
+      'msg' => sprintf($lang['danger']['access_denied'])
+    );
+    return false;
+  }
   (isset($postarray['domain'])) ? $object = $postarray['domain'] : $object = $_SESSION['mailcow_cc_username'];
   ($postarray['object_list'] == "bl") ? $object_list = "blacklist_from" : $object_list = "whitelist_from";
   $object_from = preg_replace('/\.+/', '.', rtrim(preg_replace("/\.\*/", "*", trim(strtolower($postarray['object_from']))), '.'));
@@ -2389,6 +2408,13 @@ function set_policy_list($postarray) {
 function set_tls_policy($postarray) {
   global $lang;
   global $pdo;
+  if ($_SESSION['mailcow_cc_role'] != "user") {
+    $_SESSION['return'] = array(
+      'type' => 'danger',
+      'msg' => sprintf($lang['danger']['access_denied'])
+    );
+    return false;
+  }
   isset($postarray['tls_in']) ? $tls_in = '1' : $tls_in = '0';
   isset($postarray['tls_out']) ? $tls_out = '1' : $tls_out = '0';
   $username = $_SESSION['mailcow_cc_username'];
@@ -2422,6 +2448,9 @@ function set_tls_policy($postarray) {
 function get_tls_policy($username) {
   global $lang;
   global $pdo;
+  if ($_SESSION['mailcow_cc_role'] != "user") {
+    return false;
+  }
   if (!filter_var($username, FILTER_VALIDATE_EMAIL)) {
     $_SESSION['return'] = array(
       'type' => 'danger',
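Review bot: The gate added to set_policy_list admits every role the application knows (admin, domainadmin, user), so it only rejects sessions with no or an unknown role, yet the very next line takes `$object` straight from `$postarray['domain']` for any caller that supplies it. Unless the rest of the function (outside the hunk) verifies the caller's access to that domain, a "user" session could name a domain it does not own; the hunk-local fix is to check the object before it is used, e.g. `if (isset($postarray['domain']) && !hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $postarray['domain'])) { /* set the access_denied return as above */ return false; }`. The three-way `!=` chain is also stricter and easier to read as `!in_array($_SESSION['mailcow_cc_role'], array('admin', 'domainadmin', 'user'), true)`.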
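Review bot: The gate in set_tls_policy rejects admin and domainadmin sessions as well as anonymous ones, but nothing states whether excluding administrators from changing a mailbox's TLS policy is intended or a placeholder for the "future updates" named in the commit subject. A one-line comment above the check would keep it from being loosened by mistake, e.g. `// TLS policy is changed by the mailbox owner only; admin/domainadmin are excluded here on purpose` — reworded if the exclusion is temporary. The check runs before any `$postarray` field is read, which is the right order; the rest of set_tls_policy lies outside the hunk.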
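Review bot: In get_tls_policy the role gate returns `false` without setting `$_SESSION['return']`, while the invalid-address exit immediately below it reports a 'danger' message, so two failure paths in the same function report differently. Either set the access_denied message the way set_tls_policy does, or add a short comment above the gate explaining why a role mismatch is silent here. As in get_spam_score, the gate does not compare `$username` with `$_SESSION['mailcow_cc_username']`; whether the body does so is outside the hunk and cannot be confirmed from this page.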