paxton
/
mailcow
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[API] Make add and delete routes POST only

master
ntimo 2019-10-03 14:36:10 +02:00
parent 948137b4b4
commit f393049273
No known key found for this signature in database
GPG Key ID: 3AF3627FB0440D55
1 changed files with 13 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
data/web/json_api.php
View File

@ -129,6 +129,12 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
$attr = (array)json_decode($_POST['attr'], true); $attr = (array)json_decode($_POST['attr'], true);
unset($attr['csrf_token']); unset($attr['csrf_token']);
} }
if ($_SERVER['REQUEST_METHOD'] != 'POST') {
http_response_code(405);
echo json_encode(array(
'type' => 'error',
'msg' => 'Only POST method is allowed!'
));
switch ($category) { switch ($category) {
case "time_limited_alias": case "time_limited_alias":
process_add_return(mailbox('add', 'time_limited_alias', $attr)); process_add_return(mailbox('add', 'time_limited_alias', $attr));
@ -206,7 +212,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
echo (!isset($data) || empty($data)) ? '{}' : json_encode($data, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT); echo (!isset($data) || empty($data)) ? '{}' : json_encode($data, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT);
} }
if ($_SERVER['REQUEST_METHOD'] != 'GET') { if ($_SERVER['REQUEST_METHOD'] != 'GET') {
http_response_code(400); http_response_code(405);
echo json_encode(array( echo json_encode(array(
'type' => 'error', 'type' => 'error',
'msg' => 'Only GET method is allowed!' 'msg' => 'Only GET method is allowed!'
@ -1068,6 +1074,12 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
else { else {
$items = (array)json_decode($_POST['items'], true); $items = (array)json_decode($_POST['items'], true);
} }
if ($_SERVER['REQUEST_METHOD'] != 'POST') {
http_response_code(405);
echo json_encode(array(
'type' => 'error',
'msg' => 'Only POST method is allowed!'
));
switch ($category) { switch ($category) {
case "alias": case "alias":
process_delete_return(mailbox('delete', 'alias', array('id' => $items))); process_delete_return(mailbox('delete', 'alias', array('id' => $items)));