Some slight changes in permission checks for future updates

master
andryyy 2017-01-03 10:39:32 +01:00
parent 2aace3d5cc
commit 8e07d29f0a
1 changed files with 32 additions and 3 deletions


@ -8,11 +8,12 @@ function hasDomainAccess($username, $role, $domain) {
if (!filter_var($username, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) { if (!filter_var($username, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) {
return false; return false;
} }
if (!is_valid_domain_name($domain)) { if (!is_valid_domain_name($domain)) {
return false; return false;
} }
if ($role != 'admin' && $role != 'domainadmin' && $role != 'user') {
return false;
}
try { try {
$stmt = $pdo->prepare("SELECT `domain` FROM `domain_admins` $stmt = $pdo->prepare("SELECT `domain` FROM `domain_admins`
WHERE ( WHERE (
@ -2192,6 +2193,9 @@ function delete_domain_admin($postarray) {
function get_spam_score($username) { function get_spam_score($username) {
global $pdo; global $pdo;
$default = "5, 15"; $default = "5, 15";
if ($_SESSION['mailcow_cc_role'] != "user") {
return false;
}
if (!filter_var($username, FILTER_VALIDATE_EMAIL)) { if (!filter_var($username, FILTER_VALIDATE_EMAIL)) {
return $default; return $default;
} }
@ -2235,6 +2239,13 @@ function get_spam_score($username) {
function set_spam_score($postarray) { function set_spam_score($postarray) {
global $lang; global $lang;
global $pdo; global $pdo;
if ($_SESSION['mailcow_cc_role'] != "user") {
$_SESSION['return'] = array(
'type' => 'danger',
'msg' => sprintf($lang['danger']['access_denied'])
);
return false;
}
$username = $_SESSION['mailcow_cc_username']; $username = $_SESSION['mailcow_cc_username'];
$lowspamlevel = explode(',', $postarray['score'])[0]; $lowspamlevel = explode(',', $postarray['score'])[0];
$highspamlevel = explode(',', $postarray['score'])[1]; $highspamlevel = explode(',', $postarray['score'])[1];
@ -2288,7 +2299,15 @@ function set_spam_score($postarray) {
function set_policy_list($postarray) { function set_policy_list($postarray) {
global $lang; global $lang;
global $pdo; global $pdo;
if ($_SESSION['mailcow_cc_role'] != "admin" &&
$_SESSION['mailcow_cc_role'] != "domainadmin" &&
$_SESSION['mailcow_cc_role'] != "user") {
$_SESSION['return'] = array(
'type' => 'danger',
'msg' => sprintf($lang['danger']['access_denied'])
);
return false;
}
(isset($postarray['domain'])) ? $object = $postarray['domain'] : $object = $_SESSION['mailcow_cc_username']; (isset($postarray['domain'])) ? $object = $postarray['domain'] : $object = $_SESSION['mailcow_cc_username'];
($postarray['object_list'] == "bl") ? $object_list = "blacklist_from" : $object_list = "whitelist_from"; ($postarray['object_list'] == "bl") ? $object_list = "blacklist_from" : $object_list = "whitelist_from";
$object_from = preg_replace('/\.+/', '.', rtrim(preg_replace("/\.\*/", "*", trim(strtolower($postarray['object_from']))), '.')); $object_from = preg_replace('/\.+/', '.', rtrim(preg_replace("/\.\*/", "*", trim(strtolower($postarray['object_from']))), '.'));
@ -2389,6 +2408,13 @@ function set_policy_list($postarray) {
function set_tls_policy($postarray) { function set_tls_policy($postarray) {
global $lang; global $lang;
global $pdo; global $pdo;
if ($_SESSION['mailcow_cc_role'] != "user") {
$_SESSION['return'] = array(
'type' => 'danger',
'msg' => sprintf($lang['danger']['access_denied'])
);
return false;
}
isset($postarray['tls_in']) ? $tls_in = '1' : $tls_in = '0'; isset($postarray['tls_in']) ? $tls_in = '1' : $tls_in = '0';
isset($postarray['tls_out']) ? $tls_out = '1' : $tls_out = '0'; isset($postarray['tls_out']) ? $tls_out = '1' : $tls_out = '0';
$username = $_SESSION['mailcow_cc_username']; $username = $_SESSION['mailcow_cc_username'];
@ -2422,6 +2448,9 @@ function set_tls_policy($postarray) {
function get_tls_policy($username) { function get_tls_policy($username) {
global $lang; global $lang;
global $pdo; global $pdo;
if ($_SESSION['mailcow_cc_role'] != "user") {
return false;
}
if (!filter_var($username, FILTER_VALIDATE_EMAIL)) { if (!filter_var($username, FILTER_VALIDATE_EMAIL)) {
$_SESSION['return'] = array( $_SESSION['return'] = array(
'type' => 'danger', 'type' => 'danger',
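Review bot: The new gate in set_policy_list only checks that the session carries one of the three known roles, but the object being edited is taken from the request (`$postarray['domain']`, the ternary right after the gate), so nothing in this hunk ties the caller to that domain — a `user` or `domainadmin` session could submit another domain unless the remainder of the function, which continues outside the hunk, performs that check. Since this commit already touches hasDomainAccess($username, $role, $domain) in the first hunk, the natural fix is to call it on the request-supplied domain before any query runs; whether hasDomainAccess also covers the plain `user` role is not visible here (its body queries `domain_admins` and continues past the hunk), so that should be confirmed. The other new gates (get/set_spam_score, get/set_tls_policy) are fine as written: an unset `$_SESSION['mailcow_cc_role']` fails closed with `!=`, and the object is always the session's own username. One small wording point in every new deny block: `sprintf($lang['danger']['access_denied'])` with no arguments gains nothing and would misparse a `%` in the translated string; `'msg' => $lang['danger']['access_denied']` is sufficient.
```php
// … unchanged: role gate added by this commit …
(isset($postarray['domain'])) ? $object = $postarray['domain'] : $object = $_SESSION['mailcow_cc_username'];
// A valid role alone does not entitle this session to edit $object; check ownership.
if (isset($postarray['domain']) && !hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $object)) {
  $_SESSION['return'] = array(
    'type' => 'danger',
    'msg' => $lang['danger']['access_denied']
  );
  return false;
}
// … unchanged: object_list / object_from normalisation and the rest of set_policy_list …
```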