From 6fa1c9f63df04b95a3e634f6b0fe417278c53ff3 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it
Date: Mon, 2 Dec 2024 10:24:15 +0100
Subject: [PATCH] [Web] protect /get/identity-provider
---
 data/web/json_api.php | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/data/web/json_api.php b/data/web/json_api.php
index 4e9d2a0ed..36b39b0e6 100644
--- data/web/json_api.php
+++ b/data/web/json_api.php
@@ -1707,8 +1707,13 @@ if (isset($_GET['query'])) {
 if ($score)
 $score = array("score" => preg_replace("/\s+/", "", $score));
 process_get_return($score);
- case "identity_provider":
- process_get_return($iam_settings);
+ break;
+ case "identity-provider":
+ if($_SESSION['mailcow_cc_role'] === 'admin') {
+ process_get_return($iam_settings);
+ } else {
+ process_get_return(null);
+ }
 break;
 break;
 // return no route found if no case is matched
@@ -2086,7 +2091,6 @@ if (isset($_GET['query'])) {
 break;
 case "cors":
 process_edit_return(cors('edit', $attr));
- case "identity_provider":
 case "identity-provider":
 process_edit_return(identity_provider('edit', $attr));
 break;
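Review bot: The new admin gate in the `identity-provider` GET case reads `$_SESSION['mailcow_cc_role']` directly, so a request that reaches this switch without that key set raises an undefined-index notice or warning before it lands in the deny branch; `if (($_SESSION['mailcow_cc_role'] ?? null) === 'admin') {` keeps the fail-closed result without it (whether an earlier guard already guarantees the key is not visible in this hunk). The commit adds the missing `break;` after the `$score` return, but the same kind of fall-through remains in the second hunk: `case "cors":` has no `break;` after `process_edit_return(cors('edit', $attr));`, so, unless `process_edit_return` ends the request, a CORS edit continues into `identity_provider('edit', $attr)` with the CORS attributes. Adding `break;` after the cors call would close that path. The second of the two consecutive `break;` lines following the new case is unreachable and can be dropped. Both switch bodies start and end outside the hunks.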