From aece2558dfebaa2eac8b70d18ead0f8717fd19b0 Mon Sep 17 00:00:00 2001 From: andryyy Date: Sat, 21 Dec 2019 22:25:09 +0100 Subject: [PATCH] [Web] Various fixes for app passwd functions --- data/web/inc/functions.app_passwd.inc.php | 93 +++++++++++------------ data/web/json_api.php | 9 +-- 2 files changed, 46 insertions(+), 56 deletions(-) diff --git a/data/web/inc/functions.app_passwd.inc.php b/data/web/inc/functions.app_passwd.inc.php index f960198c..7c779b0a 100644 --- a/data/web/inc/functions.app_passwd.inc.php +++ b/data/web/inc/functions.app_passwd.inc.php @@ -59,25 +59,15 @@ function app_passwd($_action, $_data = null) { ); return false; } - try { - $stmt = $pdo->prepare("INSERT INTO `app_passwd` (`name`, `mailbox`, `domain`, `password`, `active`) - VALUES (:app_name, :mailbox, :domain, :password, :active)"); - $stmt->execute(array( - ':app_name' => $app_name, - ':mailbox' => $username, - ':domain' => $domain, - ':password' => $password_hashed, - ':active' => $active - )); - } - catch (PDOException $e) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_action, $_data_log), - 'msg' => array('mysql_error', $e) - ); - return false; - } + $stmt = $pdo->prepare("INSERT INTO `app_passwd` (`name`, `mailbox`, `domain`, `password`, `active`) + VALUES (:app_name, :mailbox, :domain, :password, :active)"); + $stmt->execute(array( + ':app_name' => $app_name, + ':mailbox' => $username, + ':domain' => $domain, + ':password' => $password_hashed, + ':active' => $active + )); $_SESSION['return'][] = array( 'type' => 'success', 'log' => array(__FUNCTION__, $_action, $_data_log), @@ -130,27 +120,17 @@ function app_passwd($_action, $_data = null) { ':id' => $id )); } - try { - $stmt = $pdo->prepare("UPDATE `app_passwd` SET - `name` = :app_name, - `mailbox` = :username, - `active` = :active - WHERE `id` = :id"); - $stmt->execute(array( - ':app_name' => $app_name, - ':username' => $username, - ':active' => $active, - ':id' => $id - )); - } - catch (PDOException $e) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $_action, $_data_log), - 'msg' => array('mysql_error', $e) - ); - continue; - } + $stmt = $pdo->prepare("UPDATE `app_passwd` SET + `name` = :app_name, + `mailbox` = :username, + `active` = :active + WHERE `id` = :id"); + $stmt->execute(array( + ':app_name' => $app_name, + ':username' => $username, + ':active' => $active, + ':id' => $id + )); $_SESSION['return'][] = array( 'type' => 'success', 'log' => array(__FUNCTION__, $_action, $_data_log), @@ -161,18 +141,27 @@ function app_passwd($_action, $_data = null) { case 'delete': $ids = (array)$_data['id']; foreach ($ids as $id) { - try { - $stmt = $pdo->prepare("DELETE FROM `app_passwd` WHERE `id`= :id AND `mailbox`= :username"); - $stmt->execute(array(':id' => $id, ':username' => $username)); - } - catch (PDOException $e) { + $stmt = $pdo->prepare("SELECT `mailbox` FROM `app_passwd` WHERE `id` = :id"); + $stmt->execute(array(':id' => $id)); + $mailbox = $stmt->fetch(PDO::FETCH_ASSOC)['mailbox']; + if (empty($mailbox)) { $_SESSION['return'][] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_data_log), - 'msg' => array('mysql_error', $e) + 'msg' => 'app_passwd_id_invalid' ); return false; } + if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $mailbox)) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_action, $_data_log), + 'msg' => 'access_denied' + ); + return false; + } + $stmt = $pdo->prepare("DELETE FROM `app_passwd` WHERE `id`= :id"); + $stmt->execute(array(':id' => $id)); $_SESSION['return'][] = array( 'type' => 'success', 'log' => array(__FUNCTION__, $_action, $_data_log), @@ -198,10 +187,16 @@ function app_passwd($_action, $_data = null) { `active` AS `active_int`, CASE `active` WHEN 1 THEN '".$lang['mailbox']['yes']."' ELSE '".$lang['mailbox']['no']."' END AS `active` FROM `app_passwd` - WHERE `id` = :id - AND `mailbox` = :username"); - $stmt->execute(array(':id' => $_data['id'], ':username' => $username)); + WHERE `id` = :id"); + $stmt->execute(array(':id' => $_data['id'])); $app_passwd_data = $stmt->fetch(PDO::FETCH_ASSOC); + if (empty($app_passwd_data)) { + return false; + } + if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $app_passwd_data['mailbox'])) { + $app_passwd_data = array(); + return false; + } return $app_passwd_data; break; } diff --git a/data/web/json_api.php b/data/web/json_api.php index a4974488..442428f8 100644 --- a/data/web/json_api.php +++ b/data/web/json_api.php @@ -296,12 +296,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u } if (!empty($app_passwds)) { foreach ($app_passwds as $app_passwd) { - if (empty($extra)) { - $details = app_passwd('details', array('id' => $app_passwd['id'])); - } - else { - $details = app_passwd('details', array('id' => $app_passwd['id'], 'username' => $extra)); - } + $details = app_passwd('details', array('id' => $app_passwd['id'])); if ($details !== false) { $data[] = $details; } @@ -317,7 +312,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u break; default: - $data = app_passwd('details', array('id' => $object)); + $data = app_passwd('details', array('id' => $object['id'])); process_get_return($data); break; }