self-hosted/mailcow-dockerized
1
0
Fork 0
mirror of https://github.com/mailcow/mailcow-dockerized.git synced 2025-01-02 03:38:23 +02:00
Code Issues Releases Activity

[Web] update user based on template after login

Browse Source
This commit is contained in:
FreddleSpl0it 2024-12-01 16:36:16 +01:00
parent d61a08c2a9
commit 45c13c687b
No known key found for this signature in database
GPG Key ID: 00E14E7634F4BEC5
7 changed files with 85 additions and 70 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
data/conf/phpfpm/crons/keycloak-sync.php
View File

@ -114,7 +114,7 @@ $iam_provider = identity_provider('init');
while (true) { while (true) {
// Get admin access token // Get admin access token
$admin_token = identity_provider("get-keycloak-admin-token"); $admin_token = identity_provider("get-keycloak-admin-token");
// Make the API request to retrieve the users // Make the API request to retrieve the users
$url = "{$iam_settings['server_url']}/admin/realms/{$iam_settings['realm']}/users?first=$start&max=$max"; $url = "{$iam_settings['server_url']}/admin/realms/{$iam_settings['realm']}/users?first=$start&max=$max";
$ch = curl_init(); $ch = curl_init();
@ -127,7 +127,7 @@ while (true) {
$response = curl_exec($ch); $response = curl_exec($ch);
$code = curl_getinfo($ch, CURLINFO_HTTP_CODE); $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch); curl_close($ch);
if ($code != 200){ if ($code != 200){
logMsg("err", "Recieved HTTP {$code}"); logMsg("err", "Recieved HTTP {$code}");
session_destroy(); session_destroy();
@ -157,8 +157,8 @@ while (true) {
logMsg("warning", "No attributes in keycloak found for user " . $user['email']); logMsg("warning", "No attributes in keycloak found for user " . $user['email']);
continue; continue;
} }
if (!isset($user['attributes']['mailcow_template']) || if (!isset($user['attributes']['mailcow_template']) ||
!is_array($user['attributes']['mailcow_template']) || !is_array($user['attributes']['mailcow_template']) ||
count($user['attributes']['mailcow_template']) == 0) { count($user['attributes']['mailcow_template']) == 0) {
logMsg("warning", "No mailcow_template in keycloak found for user " . $user['email']); logMsg("warning", "No mailcow_template in keycloak found for user " . $user['email']);
continue; continue;
@ -195,7 +195,8 @@ while (true) {
'local_part' => explode('@', $user['email'])[0], 'local_part' => explode('@', $user['email'])[0],
'name' => $user['firstName'] . " " . $user['lastName'], 'name' => $user['firstName'] . " " . $user['lastName'],
'authsource' => 'keycloak', 'authsource' => 'keycloak',
'template' => $mbox_template 'template' => $mbox_template,
'hasAccess' => true
)); ));
} else if ($row && intval($iam_settings['periodic_sync']) == 1) { } else if ($row && intval($iam_settings['periodic_sync']) == 1) {
// mailbox user does exist, sync attribtues... // mailbox user does exist, sync attribtues...
@ -203,7 +204,8 @@ while (true) {
mailbox('edit', 'mailbox_from_template', array( mailbox('edit', 'mailbox_from_template', array(
'username' => $user['email'], 'username' => $user['email'],
'name' => $user['firstName'] . " " . $user['lastName'], 'name' => $user['firstName'] . " " . $user['lastName'],
'template' => $mbox_template 'template' => $mbox_template,
'hasAccess' => true
)); ));
} else { } else {
// skip mailbox user // skip mailbox user
@ -212,7 +214,7 @@ while (true) {
sleep(0.025); sleep(0.025);
} }
// Update the pagination variables for the next batch // Update the pagination variables for the next batch
$start += $max; $start += $max;
sleep(1); sleep(1);

6
data/conf/phpfpm/crons/ldap-sync.php
View File

@ -159,7 +159,8 @@ foreach ($response as $user) {
'local_part' => explode('@', $user[$iam_settings['username_field']][0])[0], 'local_part' => explode('@', $user[$iam_settings['username_field']][0])[0],
'name' => $user['displayname'][0], 'name' => $user['displayname'][0],
'authsource' => 'ldap', 'authsource' => 'ldap',
'template' => $mbox_template 'template' => $mbox_template,
'hasAccess' => true
)); ));
} else if ($row && intval($iam_settings['periodic_sync']) == 1) { } else if ($row && intval($iam_settings['periodic_sync']) == 1) {
// mailbox user does exist, sync attribtues... // mailbox user does exist, sync attribtues...
@ -167,7 +168,8 @@ foreach ($response as $user) {
mailbox('edit', 'mailbox_from_template', array( mailbox('edit', 'mailbox_from_template', array(
'username' => $user[$iam_settings['username_field']][0], 'username' => $user[$iam_settings['username_field']][0],
'name' => $user['displayname'][0], 'name' => $user['displayname'][0],
'template' => $mbox_template 'template' => $mbox_template,
'hasAccess' => true
)); ));
} else { } else {
// skip mailbox user // skip mailbox user

10
data/web/inc/functions.acl.inc.php
View File

@ -1,5 +1,5 @@
<?php <?php
function acl($_action, $_scope = null, $_data = null) { function acl($_action, $_scope = null, $_data = null, $_extra = null) {
global $pdo; global $pdo;
global $lang; global $lang;
$_data_log = $_data; $_data_log = $_data;
@ -23,8 +23,8 @@ function acl($_action, $_scope = null, $_data = null) {
$acl_post[$acl_val] = 1; $acl_post[$acl_val] = 1;
} }
// Users cannot change their own ACL // Users cannot change their own ACL
if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username) if (!$_extra['hasAccess'] && (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)
|| ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin')) { || ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin'))) {
$_SESSION['return'][] = array( $_SESSION['return'][] = array(
'type' => 'danger', 'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_scope, $_data_log), 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log),
@ -34,7 +34,7 @@ function acl($_action, $_scope = null, $_data = null) {
} }
// Read all available acl options by calling acl(get) // Read all available acl options by calling acl(get)
// Set all available acl options we cannot find in the post data to 0, else 1 // Set all available acl options we cannot find in the post data to 0, else 1
$is_now = acl('get', 'user', $username); $is_now = acl('get', 'user', $username, $_extra);
if (!empty($is_now)) { if (!empty($is_now)) {
foreach ($is_now as $acl_now_name => $acl_now_val) { foreach ($is_now as $acl_now_name => $acl_now_val) {
$set_acls[$acl_now_name] = (isset($acl_post[$acl_now_name])) ? 1 : 0; $set_acls[$acl_now_name] = (isset($acl_post[$acl_now_name])) ? 1 : 0;
@ -130,7 +130,7 @@ function acl($_action, $_scope = null, $_data = null) {
case 'get': case 'get':
switch ($_scope) { switch ($_scope) {
case 'user': case 'user':
if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) { if (!$_extra['hasAccess'] && !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
return false; return false;
} }
$stmt = $pdo->prepare("SELECT * FROM `user_acl` WHERE `username` = :username"); $stmt = $pdo->prepare("SELECT * FROM `user_acl` WHERE `username` = :username");

2
data/web/inc/functions.auth.inc.php
View File

@ -467,7 +467,7 @@ function keycloak_mbox_login_rest($user, $pass, $extra = null){
$create_res = mailbox('add', 'mailbox_from_template', array( $create_res = mailbox('add', 'mailbox_from_template', array(
'domain' => explode('@', $user)[1], 'domain' => explode('@', $user)[1],
'local_part' => explode('@', $user)[0], 'local_part' => explode('@', $user)[0],
'name' => $user_res['firstName'] . " " . $user_res['lastName'], 'name' => $user_res['name'],
'authsource' => 'keycloak', 'authsource' => 'keycloak',
'template' => $iam_settings['templates'][$mapper_key] 'template' => $iam_settings['templates'][$mapper_key]
)); ));

55
data/web/inc/functions.inc.php
View File

@ -2512,27 +2512,6 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
// check if email address is given // check if email address is given
if (empty($info['email'])) return false; if (empty($info['email'])) return false;
// token valid, get mailbox
$stmt = $pdo->prepare("SELECT * FROM `mailbox`
INNER JOIN domain on mailbox.domain = domain.domain
WHERE `kind` NOT REGEXP 'location|thing|group'
AND `mailbox`.`active`='1'
AND `domain`.`active`='1'
AND `username` = :user
AND (`authsource`='keycloak' OR `authsource`='generic-oidc')");
$stmt->execute(array(':user' => $info['email']));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row){
// success
set_user_loggedin_session($info['email']);
$_SESSION['return'][] = array(
'type' => 'success',
'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
'msg' => array('logged_in_as', $_SESSION['mailcow_cc_username'])
);
return true;
}
// get mapped template, if not set return false // get mapped template, if not set return false
// also return false if no mappers were defined // also return false if no mappers were defined
$user_template = $info['mailcow_template']; $user_template = $info['mailcow_template'];
@ -2558,13 +2537,43 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
return false; return false;
} }
// token valid, get mailbox
$stmt = $pdo->prepare("SELECT * FROM `mailbox`
INNER JOIN domain on mailbox.domain = domain.domain
WHERE `kind` NOT REGEXP 'location|thing|group'
AND `mailbox`.`active`='1'
AND `domain`.`active`='1'
AND `username` = :user
AND (`authsource`='keycloak' OR `authsource`='generic-oidc')");
$stmt->execute(array(':user' => $info['email']));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row){
// success
// update user
mailbox('edit', 'mailbox_from_template', array(
'username' => $info['email'],
'name' => $info['name'],
'template' => $iam_settings['templates'][$mapper_key],
'hasAccess' => true
));
set_user_loggedin_session($info['email']);
$_SESSION['return'][] = array(
'type' => 'success',
'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
'msg' => array('logged_in_as', $_SESSION['mailcow_cc_username'])
);
return true;
}
// create mailbox // create mailbox
$create_res = mailbox('add', 'mailbox_from_template', array( $create_res = mailbox('add', 'mailbox_from_template', array(
'domain' => explode('@', $info['email'])[1], 'domain' => explode('@', $info['email'])[1],
'local_part' => explode('@', $info['email'])[0], 'local_part' => explode('@', $info['email'])[0],
'name' => $info['firstName'] . " " . $info['lastName'], 'name' => $info['name'],
'authsource' => $iam_settings['authsource'], 'authsource' => $iam_settings['authsource'],
'template' => $iam_settings['templates'][$mapper_key] 'template' => $iam_settings['templates'][$mapper_key],
'hasAccess' => true
)); ));
if (!$create_res){ if (!$create_res){
clear_session(); clear_session();

62
data/web/inc/functions.mailbox.inc.php
View File

@ -1045,7 +1045,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
$password2 = ''; $password2 = '';
$password_hashed = ''; $password_hashed = '';
} }
if (!$_extra['iam_create_login'] && ((!isset($_SESSION['acl']['unlimited_quota']) || $_SESSION['acl']['unlimited_quota'] != "1") && $quota_m === 0)) { if (!$_extra['hasAccess'] && ((!isset($_SESSION['acl']['unlimited_quota']) || $_SESSION['acl']['unlimited_quota'] != "1") && $quota_m === 0)) {
$_SESSION['return'][] = array( $_SESSION['return'][] = array(
'type' => 'danger', 'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@ -1101,7 +1101,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
); );
return false; return false;
} }
if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain) && !$_extra['iam_create_login']) { if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain) && !$_extra['hasAccess']) {
$_SESSION['return'][] = array( $_SESSION['return'][] = array(
'type' => 'danger', 'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@ -1364,6 +1364,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
$attribute_hash = sha1(json_encode($mbox_template_data["attributes"])); $attribute_hash = sha1(json_encode($mbox_template_data["attributes"]));
$mbox_template_data = json_decode($mbox_template_data["attributes"], true); $mbox_template_data = json_decode($mbox_template_data["attributes"], true);
$mbox_template_data['domain'] = $_data['domain']; $mbox_template_data['domain'] = $_data['domain'];
$mbox_template_data['name'] = $_data['name'];
$mbox_template_data['local_part'] = $_data['local_part']; $mbox_template_data['local_part'] = $_data['local_part'];
$mbox_template_data['authsource'] = $_data['authsource']; $mbox_template_data['authsource'] = $_data['authsource'];
$mbox_template_data['attribute_hash'] = $attribute_hash; $mbox_template_data['attribute_hash'] = $attribute_hash;
@ -1381,7 +1382,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
} }
} }
return mailbox('add', 'mailbox', $mailbox_attributes, array('iam_create_login' => true)); return mailbox('add', 'mailbox', $mailbox_attributes, array('hasAccess' => $_data['hasAccess']));
break; break;
case 'resource': case 'resource':
$domain = idn_to_ascii(strtolower(trim($_data['domain'])), 0, INTL_IDNA_VARIANT_UTS46); $domain = idn_to_ascii(strtolower(trim($_data['domain'])), 0, INTL_IDNA_VARIANT_UTS46);
@ -1749,7 +1750,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
else { else {
$usernames = $_data['username']; $usernames = $_data['username'];
} }
if (!isset($_SESSION['acl']['tls_policy']) || $_SESSION['acl']['tls_policy'] != "1" ) { if (!$_extra['hasAccess'] && (!isset($_SESSION['acl']['tls_policy']) || $_SESSION['acl']['tls_policy'] != "1")) {
$_SESSION['return'][] = array( $_SESSION['return'][] = array(
'type' => 'danger', 'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@ -1758,7 +1759,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
return false; return false;
} }
foreach ($usernames as $username) { foreach ($usernames as $username) {
if (!filter_var($username, FILTER_VALIDATE_EMAIL) || !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) { if (!$_extra['hasAccess'] && (!filter_var($username, FILTER_VALIDATE_EMAIL) || !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username))) {
$_SESSION['return'][] = array( $_SESSION['return'][] = array(
'type' => 'danger', 'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@ -1766,7 +1767,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
); );
continue; continue;
} }
$is_now = mailbox('get', 'tls_policy', $username); $is_now = mailbox('get', 'tls_policy', $username, $_extra);
if (!empty($is_now)) { if (!empty($is_now)) {
$tls_enforce_in = (isset($_data['tls_enforce_in'])) ? intval($_data['tls_enforce_in']) : $is_now['tls_enforce_in']; $tls_enforce_in = (isset($_data['tls_enforce_in'])) ? intval($_data['tls_enforce_in']) : $is_now['tls_enforce_in'];
$tls_enforce_out = (isset($_data['tls_enforce_out'])) ? intval($_data['tls_enforce_out']) : $is_now['tls_enforce_out']; $tls_enforce_out = (isset($_data['tls_enforce_out'])) ? intval($_data['tls_enforce_out']) : $is_now['tls_enforce_out'];
@ -1803,7 +1804,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
else { else {
$usernames = $_data['username']; $usernames = $_data['username'];
} }
if (!isset($_SESSION['acl']['quarantine_notification']) || $_SESSION['acl']['quarantine_notification'] != "1" ) { if (!$_extra['hasAccess'] && (!isset($_SESSION['acl']['quarantine_notification']) || $_SESSION['acl']['quarantine_notification'] != "1")) {
$_SESSION['return'][] = array( $_SESSION['return'][] = array(
'type' => 'danger', 'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@ -1812,7 +1813,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
return false; return false;
} }
foreach ($usernames as $username) { foreach ($usernames as $username) {
if (!filter_var($username, FILTER_VALIDATE_EMAIL) || !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) { if (!$_extra['hasAccess'] && (!filter_var($username, FILTER_VALIDATE_EMAIL) || !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username))) {
$_SESSION['return'][] = array( $_SESSION['return'][] = array(
'type' => 'danger', 'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@ -1820,7 +1821,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
); );
continue; continue;
} }
$is_now = mailbox('get', 'quarantine_notification', $username); $is_now = mailbox('get', 'quarantine_notification', $username, $_extra);
if (!empty($is_now)) { if (!empty($is_now)) {
$quarantine_notification = (isset($_data['quarantine_notification'])) ? $_data['quarantine_notification'] : $is_now['quarantine_notification']; $quarantine_notification = (isset($_data['quarantine_notification'])) ? $_data['quarantine_notification'] : $is_now['quarantine_notification'];
} }
@ -1862,7 +1863,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
else { else {
$usernames = $_data['username']; $usernames = $_data['username'];
} }
if (!isset($_SESSION['acl']['quarantine_category']) || $_SESSION['acl']['quarantine_category'] != "1" ) { if (!$_extra['hasAccess'] && (!isset($_SESSION['acl']['quarantine_category']) || $_SESSION['acl']['quarantine_category'] != "1")) {
$_SESSION['return'][] = array( $_SESSION['return'][] = array(
'type' => 'danger', 'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@ -1871,7 +1872,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
return false; return false;
} }
foreach ($usernames as $username) { foreach ($usernames as $username) {
if (!filter_var($username, FILTER_VALIDATE_EMAIL) || !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) { if (!$_extra['hasAccess'] && (!filter_var($username, FILTER_VALIDATE_EMAIL) || !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username))) {
$_SESSION['return'][] = array( $_SESSION['return'][] = array(
'type' => 'danger', 'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@ -1879,7 +1880,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
); );
continue; continue;
} }
$is_now = mailbox('get', 'quarantine_category', $username); $is_now = mailbox('get', 'quarantine_category', $username, $_extra);
if (!empty($is_now)) { if (!empty($is_now)) {
$quarantine_category = (isset($_data['quarantine_category'])) ? $_data['quarantine_category'] : $is_now['quarantine_category']; $quarantine_category = (isset($_data['quarantine_category'])) ? $_data['quarantine_category'] : $is_now['quarantine_category'];
} }
@ -2923,7 +2924,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
); );
continue; continue;
} }
$is_now = mailbox('get', 'mailbox_details', $username); $is_now = mailbox('get', 'mailbox_details', $username, $_extra);
if (isset($_data['protocol_access'])) { if (isset($_data['protocol_access'])) {
$_data['protocol_access'] = (array)$_data['protocol_access']; $_data['protocol_access'] = (array)$_data['protocol_access'];
$_data['imap_access'] = (in_array('imap', $_data['protocol_access'])) ? 1 : 0; $_data['imap_access'] = (in_array('imap', $_data['protocol_access'])) ? 1 : 0;
@ -2963,7 +2964,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
continue; continue;
} }
// if already 0 == ok // if already 0 == ok
if ((!isset($_SESSION['acl']['unlimited_quota']) || $_SESSION['acl']['unlimited_quota'] != "1") && ($quota_m == 0 && $is_now['quota'] != 0)) { if (!$_extra['hasAccess'] && (!isset($_SESSION['acl']['unlimited_quota']) || $_SESSION['acl']['unlimited_quota'] != "1") && ($quota_m == 0 && $is_now['quota'] != 0)) {
$_SESSION['return'][] = array( $_SESSION['return'][] = array(
'type' => 'danger', 'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@ -2971,7 +2972,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
); );
return false; return false;
} }
if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain)) { if (!$_extra['hasAccess'] && !hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain)) {
$_SESSION['return'][] = array( $_SESSION['return'][] = array(
'type' => 'danger', 'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@ -2998,7 +2999,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
} }
$extra_acls = array(); $extra_acls = array();
if (isset($_data['extended_sender_acl'])) { if (isset($_data['extended_sender_acl'])) {
if (!isset($_SESSION['acl']['extend_sender_acl']) || $_SESSION['acl']['extend_sender_acl'] != "1" ) { if (!$_extra['hasAccess'] && (!isset($_SESSION['acl']['extend_sender_acl']) || $_SESSION['acl']['extend_sender_acl'] != "1")) {
$_SESSION['return'][] = array( $_SESSION['return'][] = array(
'type' => 'danger', 'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@ -3493,7 +3494,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
} }
$attribute_hash = sha1(json_encode($mbox_template_data["attributes"])); $attribute_hash = sha1(json_encode($mbox_template_data["attributes"]));
$is_now = mailbox('get', 'mailbox_details', $_data['username']); $is_now = mailbox('get', 'mailbox_details', $_data['username'], array('hasAccess' => $_data['hasAccess']));
$name = ltrim(rtrim($_data['name'], '>'), '<'); $name = ltrim(rtrim($_data['name'], '>'), '<');
if ($is_now['attributes']['attribute_hash'] == $attribute_hash && $is_now['name'] == $name) if ($is_now['attributes']['attribute_hash'] == $attribute_hash && $is_now['name'] == $name)
return true; return true;
@ -3529,19 +3530,20 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
} }
$mailbox_attributes['quota'] = intval($mailbox_attributes['quota'] / 1048576); $mailbox_attributes['quota'] = intval($mailbox_attributes['quota'] / 1048576);
$result = mailbox('edit', 'mailbox', $mailbox_attributes); $result = mailbox('edit', 'mailbox', $mailbox_attributes, array('hasAccess' => $_data['hasAccess']));
if ($result === false) return $result; if ($result === false) return $result;
$result = mailbox('edit', 'tls_policy', $tls_attributes); $result = mailbox('edit', 'tls_policy', $tls_attributes, array('hasAccess' => $_data['hasAccess']));
if ($result === false) return $result; if ($result === false) return $result;
$result = mailbox('edit', 'quarantine_notification', $quarantine_attributes); $result = mailbox('edit', 'quarantine_notification', $quarantine_attributes, array('hasAccess' => $_data['hasAccess']));
if ($result === false) return $result; if ($result === false) return $result;
$result = mailbox('edit', 'quarantine_category', $quarantine_attributes); $result = mailbox('edit', 'quarantine_category', $quarantine_attributes, array('hasAccess' => $_data['hasAccess']));
if ($result === false) return $result; if ($result === false) return $result;
$result = ratelimit('edit', 'mailbox', $ratelimit_attributes); $result = ratelimit('edit', 'mailbox', $ratelimit_attributes, array('hasAccess' => $_data['hasAccess']));
if ($result === false) return $result; if ($result === false) return $result;
$result = acl('edit', 'user', $acl_attributes); $result = acl('edit', 'user', $acl_attributes, array('hasAccess' => $_data['hasAccess']));
if ($result === false) return $result; if ($result === false) return $result;
$_SESSION['return'] = array();
return true; return true;
break; break;
case 'mailbox_templates': case 'mailbox_templates':
@ -4077,7 +4079,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
case 'tls_policy': case 'tls_policy':
$attrs = array(); $attrs = array();
if (isset($_data) && filter_var($_data, FILTER_VALIDATE_EMAIL)) { if (isset($_data) && filter_var($_data, FILTER_VALIDATE_EMAIL)) {
if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) { if (!$_extra['hasAccess'] && !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
return false; return false;
} }
} }
@ -4096,7 +4098,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
case 'quarantine_notification': case 'quarantine_notification':
$attrs = array(); $attrs = array();
if (isset($_data) && filter_var($_data, FILTER_VALIDATE_EMAIL)) { if (isset($_data) && filter_var($_data, FILTER_VALIDATE_EMAIL)) {
if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) { if (!$_extra['hasAccess'] && !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
return false; return false;
} }
} }
@ -4112,7 +4114,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
case 'quarantine_category': case 'quarantine_category':
$attrs = array(); $attrs = array();
if (isset($_data) && filter_var($_data, FILTER_VALIDATE_EMAIL)) { if (isset($_data) && filter_var($_data, FILTER_VALIDATE_EMAIL)) {
if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) { if (!$_extra['hasAccess'] && (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data))) {
return false; return false;
} }
} }
@ -4793,7 +4795,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
} }
break; break;
case 'mailbox_details': case 'mailbox_details':
if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) { if (!$_extra['hasAccess'] && !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
return false; return false;
} }
$mailboxdata = array(); $mailboxdata = array();
@ -4891,7 +4893,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
else if ($SaslLogs['service'] == 'pop3') { else if ($SaslLogs['service'] == 'pop3') {
$last_pop3_login = strtotime($SaslLogs['datetime']); $last_pop3_login = strtotime($SaslLogs['datetime']);
} }
else if ($SaslLogs['service'] == 'SSO') { else if ($SaslLogs['service'] == 'SSO') {
$last_sso_login = strtotime($SaslLogs['datetime']); $last_sso_login = strtotime($SaslLogs['datetime']);
} }
} }
@ -4904,7 +4906,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
if (!isset($last_pop3_login) || $GLOBALS['SHOW_LAST_LOGIN'] === false) { if (!isset($last_pop3_login) || $GLOBALS['SHOW_LAST_LOGIN'] === false) {
$last_pop3_login = 0; $last_pop3_login = 0;
} }
if (!isset($last_sso_login) || $GLOBALS['SHOW_LAST_LOGIN'] === false) { if (!isset($last_sso_login) || $GLOBALS['SHOW_LAST_LOGIN'] === false) {
$last_sso_login = 0; $last_sso_login = 0;
} }
$mailboxdata['last_imap_login'] = $last_imap_login; $mailboxdata['last_imap_login'] = $last_imap_login;
@ -4956,7 +4958,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
return $mailboxdata; return $mailboxdata;
break; break;
case 'mailbox_templates': case 'mailbox_templates':
if ($_SESSION['mailcow_cc_role'] != "admin" && $_SESSION['mailcow_cc_role'] != "domainadmin" && !$_extra['iam_create_login']) { if ($_SESSION['mailcow_cc_role'] != "admin" && $_SESSION['mailcow_cc_role'] != "domainadmin" && !$_extra['hasAccess']) {
return false; return false;
} }
$_data = (isset($_data)) ? intval($_data) : null; $_data = (isset($_data)) ? intval($_data) : null;

4
data/web/inc/functions.ratelimit.inc.php
View File

@ -4,7 +4,7 @@ function ratelimit($_action, $_scope, $_data = null, $_extra = null) {
$_data_log = $_data; $_data_log = $_data;
switch ($_action) { switch ($_action) {
case 'edit': case 'edit':
if ((!isset($_SESSION['acl']['ratelimit']) || $_SESSION['acl']['ratelimit'] != "1") && !$_extra['iam_create_login']) { if ((!isset($_SESSION['acl']['ratelimit']) || $_SESSION['acl']['ratelimit'] != "1") && !$_extra['hasAccess']) {
$_SESSION['return'][] = array( $_SESSION['return'][] = array(
'type' => 'danger', 'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr), 'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
@ -93,7 +93,7 @@ function ratelimit($_action, $_scope, $_data = null, $_extra = null) {
continue; continue;
} }
if ((!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $object) if ((!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $object)
|| ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin')) && !$_extra['iam_create_login']) { || ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin')) && !$_extra['hasAccess']) {
$_SESSION['return'][] = array( $_SESSION['return'][] = array(
'type' => 'danger', 'type' => 'danger',
'log' => array(__FUNCTION__, $_action, $_scope, $_data_log), 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log),