'danger', 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log), 'msg' => 'access_denied' ); return false; } $object = idn_to_ascii(strtolower(trim($object))); } else { $_SESSION['return'] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log), 'msg' => 'access_denied' ); return false; } if ($_data['object_list'] == "bl") { $object_list = "blacklist_from"; } elseif ($_data['object_list'] == "wl") { $object_list = "whitelist_from"; } $object_from = preg_replace('/\.+/', '.', rtrim(preg_replace("/\.\*/", "*", trim(strtolower($_data['object_from']))), '.')); if (!ctype_alnum(str_replace(array('@', '_', '.', '-', '*'), '', $object_from))) { $_SESSION['return'] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log), 'msg' => 'policy_list_from_invalid' ); return false; } if ($object_list != "blacklist_from" && $object_list != "whitelist_from") { $_SESSION['return'] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log), 'msg' => 'access_denied' ); return false; } try { $stmt = $pdo->prepare("SELECT `object` FROM `filterconf` WHERE (`option` = 'whitelist_from' OR `option` = 'blacklist_from') AND `object` = :object AND `value` = :object_from"); $stmt->execute(array(':object' => $object, ':object_from' => $object_from)); $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC)); if ($num_results != 0) { $_SESSION['return'] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log), 'msg' => 'policy_list_from_exists' ); return false; } } catch(PDOException $e) { $_SESSION['return'] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log), 'msg' => array('mysql_error', $e) ); return false; } try { $stmt = $pdo->prepare("INSERT INTO `filterconf` (`object`, `option` ,`value`) VALUES (:object, :object_list, :object_from)"); $stmt->execute(array( ':object' => $object, ':object_list' => $object_list, ':object_from' => $object_from )); } catch (PDOException $e) { $_SESSION['return'] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log), 'msg' => array('mysql_error', $e) ); return false; } $_SESSION['return'] = array( 'type' => 'success', 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log), 'msg' => array('domain_modified', $object) ); break; case 'mailbox': $object = $_data['username']; if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $object)) { $_SESSION['return'] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log), 'msg' => 'access_denied' ); return false; } if (!isset($_SESSION['acl']['spam_policy']) || $_SESSION['acl']['spam_policy'] != "1" ) { $_SESSION['return'] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log), 'msg' => 'access_denied' ); return false; } if ($_data['object_list'] == "bl") { $object_list = "blacklist_from"; } elseif ($_data['object_list'] == "wl") { $object_list = "whitelist_from"; } $object_from = preg_replace('/\.+/', '.', rtrim(preg_replace("/\.\*/", "*", trim(strtolower($_data['object_from']))), '.')); if (!ctype_alnum(str_replace(array('@', '_', '.', '-', '*'), '', $object_from))) { $_SESSION['return'] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log), 'msg' => 'policy_list_from_invalid' ); return false; } if ($object_list != "blacklist_from" && $object_list != "whitelist_from") { $_SESSION['return'] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log), 'msg' => 'access_denied' ); return false; } try { $stmt = $pdo->prepare("SELECT `object` FROM `filterconf` WHERE (`option` = 'whitelist_from' OR `option` = 'blacklist_from') AND `object` = :object AND `value` = :object_from"); $stmt->execute(array(':object' => $object, ':object_from' => $object_from)); $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC)); if ($num_results != 0) { $_SESSION['return'] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log), 'msg' => 'policy_list_from_exists' ); return false; } } catch(PDOException $e) { $_SESSION['return'] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log), 'msg' => array('mysql_error', $e) ); return false; } try { $stmt = $pdo->prepare("INSERT INTO `filterconf` (`object`, `option` ,`value`) VALUES (:object, :object_list, :object_from)"); $stmt->execute(array( ':object' => $object, ':object_list' => $object_list, ':object_from' => $object_from )); } catch (PDOException $e) { $_SESSION['return'] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log), 'msg' => array('mysql_error', $e) ); return false; } $_SESSION['return'] = array( 'type' => 'success', 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log), 'msg' => array('mailbox_modified', $object) ); break; } break; case 'delete': switch ($_scope) { case 'domain': (array)$prefids = $_data['prefid']; foreach ($prefids as $prefid) { if (!is_numeric($prefid)) { $_SESSION['return'] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log), 'msg' => 'access_denied' ); return false; } try { $stmt = $pdo->prepare("SELECT `object` FROM `filterconf` WHERE `prefid` = :prefid"); $stmt->execute(array(':prefid' => $prefid)); $object = $stmt->fetch(PDO::FETCH_ASSOC)['object']; } catch(PDOException $e) { $_SESSION['return'] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log), 'msg' => array('mysql_error', $e) ); } if (is_valid_domain_name($object)) { if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $object)) { $_SESSION['return'] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log), 'msg' => 'access_denied' ); return false; } $object = idn_to_ascii(strtolower(trim($object))); } else { $_SESSION['return'] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log), 'msg' => 'access_denied' ); return false; } try { $stmt = $pdo->prepare("DELETE FROM `filterconf` WHERE `object` = :object AND `prefid` = :prefid"); $stmt->execute(array( ':object' => $object, ':prefid' => $prefid )); } catch (PDOException $e) { $_SESSION['return'] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log), 'msg' => array('mysql_error', $e) ); return false; } } $_SESSION['return'] = array( 'type' => 'success', 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log), 'msg' => array('items_deleted', implode(', ', $prefids)) ); break; case 'mailbox': if (!is_array($_data['prefid'])) { $prefids = array(); $prefids[] = $_data['prefid']; } else { $prefids = $_data['prefid']; } if (!isset($_SESSION['acl']['spam_policy']) || $_SESSION['acl']['spam_policy'] != "1" ) { $_SESSION['return'] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log), 'msg' => 'access_denied' ); return false; } foreach ($prefids as $prefid) { if (!is_numeric($prefid)) { $_SESSION['return'] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log), 'msg' => 'access_denied' ); return false; } try { $stmt = $pdo->prepare("SELECT `object` FROM `filterconf` WHERE `prefid` = :prefid"); $stmt->execute(array(':prefid' => $prefid)); $object = $stmt->fetch(PDO::FETCH_ASSOC)['object']; } catch(PDOException $e) { $_SESSION['return'] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log), 'msg' => array('mysql_error', $e) ); } if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $object)) { $_SESSION['return'] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log), 'msg' => 'access_denied' ); return false; } try { $stmt = $pdo->prepare("DELETE FROM `filterconf` WHERE `object` = :object AND `prefid` = :prefid"); $stmt->execute(array( ':object' => $object, ':prefid' => $prefid )); } catch (PDOException $e) { $_SESSION['return'] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log), 'msg' => array('mysql_error', $e) ); return false; } } $_SESSION['return'] = array( 'type' => 'success', 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log), 'msg' => array('items_deleted', implode(', ', $prefids)) ); break; } break; case 'get': switch ($_scope) { case 'domain': if (!is_valid_domain_name($_data)) { return false; } else { if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) { return false; } $_data = idn_to_ascii(strtolower(trim($_data))); } try { // WHITELIST $stmt = $pdo->prepare("SELECT `object`, `value`, `prefid` FROM `filterconf` WHERE `option`='whitelist_from' AND (`object` LIKE :object_mail OR `object` = :object_domain)"); $stmt->execute(array(':object_mail' => '%@' . $_data, ':object_domain' => $_data)); $rows['whitelist'] = $stmt->fetchAll(PDO::FETCH_ASSOC); // BLACKLIST $stmt = $pdo->prepare("SELECT `object`, `value`, `prefid` FROM `filterconf` WHERE `option`='blacklist_from' AND (`object` LIKE :object_mail OR `object` = :object_domain)"); $stmt->execute(array(':object_mail' => '%@' . $_data, ':object_domain' => $_data)); $rows['blacklist'] = $stmt->fetchAll(PDO::FETCH_ASSOC); } catch(PDOException $e) { $_SESSION['return'] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log), 'msg' => array('mysql_error', $e) ); } return $rows; break; case 'mailbox': if (isset($_data) && filter_var($_data, FILTER_VALIDATE_EMAIL)) { if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) { return false; } } else { $_data = $_SESSION['mailcow_cc_username']; } $domain = mailbox('get', 'mailbox_details', $_data)['domain']; if (empty($domain)) { return false; } try { // WHITELIST $stmt = $pdo->prepare("SELECT `object`, `value`, `prefid` FROM `filterconf` WHERE `option`='whitelist_from' AND (`object` = :username OR `object` = :domain)"); $stmt->execute(array(':username' => $_data, ':domain' => $domain)); $rows['whitelist'] = $stmt->fetchAll(PDO::FETCH_ASSOC); // BLACKLIST $stmt = $pdo->prepare("SELECT `object`, `value`, `prefid` FROM `filterconf` WHERE `option`='blacklist_from' AND (`object` = :username OR `object` = :domain)"); $stmt->execute(array(':username' => $_data, ':domain' => $domain)); $rows['blacklist'] = $stmt->fetchAll(PDO::FETCH_ASSOC); } catch(PDOException $e) { $_SESSION['return'] = array( 'type' => 'danger', 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log), 'msg' => array('mysql_error', $e) ); } return $rows; break; } break; } }