diff --git a/data/conf/dovecot/auth/mailcowauth.php b/data/conf/dovecot/auth/mailcowauth.php
index 6d7660577..4f10ed535 100644
--- a/data/conf/dovecot/auth/mailcowauth.php
+++ b/data/conf/dovecot/auth/mailcowauth.php
@@ -22,6 +22,24 @@ if (file_exists('../../../web/inc/vars.local.inc.php')) {
 }
 require_once '../../../web/inc/lib/vendor/autoload.php';
+
+// Init Redis
+$redis = new Redis();
+try {
+ if (!empty(getenv('REDIS_SLAVEOF_IP'))) {
+ $redis->connect(getenv('REDIS_SLAVEOF_IP'), getenv('REDIS_SLAVEOF_PORT'));
+ }
+ else {
+ $redis->connect('redis-mailcow', 6379);
+ }
+}
+catch (Exception $e) {
+ error_log("MAILCOWAUTH: " . $e . PHP_EOL);
+ http_response_code(500); // Internal Server Error
+ echo json_encode($return);
+ exit;
+}
+
 // Init database
 $dsn = $database_type . ":unix_socket=" . $database_sock . ";dbname=" . $database_name;
 $opt = [
@@ -44,6 +62,8 @@ require_once 'functions.inc.php';
 require_once 'functions.auth.inc.php';
 require_once 'sessions.inc.php';
 require_once 'functions.mailbox.inc.php';
+require_once 'functions.ratelimit.inc.php';
+require_once 'functions.acl.inc.php';
 
 $isSOGoRequest = $post['real_rip'] == getenv('IPV4_NETWORK') . '.248';
 
@@ -69,8 +89,7 @@ if ($result === false){
 // Init Identity Provider
 $iam_provider = identity_provider('init');
 $iam_settings = identity_provider('get');
- error_log('MAILCOWAUTH Try: User auth for user ' . $post['username']);
- $result = user_login($post['username'], $post['password'], $protocol, array('is_internal' => true));
+ $result = user_login($post['username'], $post['password'], array('is_internal' => true));
 if ($result) error_log('MAILCOWAUTH: User auth for user ' . $post['username']);
 }
diff --git a/data/web/inc/functions.ratelimit.inc.php b/data/web/inc/functions.ratelimit.inc.php
index c59accb54..5779ad77c 100644
--- a/data/web/inc/functions.ratelimit.inc.php
+++ b/data/web/inc/functions.ratelimit.inc.php
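Review bot: The new catch block ends with `echo json_encode($return);`, but nothing in this hunk assigns `$return`; unless it is initialised earlier in the file (outside this view) a Redis failure answers Dovecot with the JSON literal `null` rather than a structured error. The two `connect()` calls also pass no timeout, and phpredis treats the omitted timeout as unlimited (verify against the installed extension version), so an unreachable Redis can hang the auth request instead of producing the 500 this block intends; `$redis->connect('redis-mailcow', 6379, 2.0);` and the same third argument on the SLAVEOF branch would bound that. Finally, `error_log("MAILCOWAUTH: " . $e . PHP_EOL)` stringifies the whole exception including its trace; logging `$e->getMessage()` is enough for operators and keeps connection details out of the log.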
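Review bot: In the user_login hunk, removing the `MAILCOWAUTH Try:` line leaves this branch with no log output on a rejected login, because the surviving `error_log` runs only when `$result` is truthy; failed attempts against Dovecot become invisible here unless `user_login()` logs them itself (not shown in this diff). A one-liner keeps the audit trail without the noise of the old "Try" message: `else error_log('MAILCOWAUTH: User auth failed for user ' . $post['username']);`. Dropping the `$protocol` positional argument also shifts `array('is_internal' => true)` into the third slot, so please confirm `user_login()`'s signature no longer has a protocol parameter there, otherwise the options array lands in the wrong parameter and `is_internal` is silently ignored. The enclosing `if ($result === false)` block begins outside this hunk.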
@@ -92,8 +92,8 @@ function ratelimit($_action, $_scope, $_data = null, $_extra = null) {
 );
 continue;
 }
- if ((!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $object)
- || ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin')) && !$_extra['hasAccess']) {
+ if (((!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $object)
+ || ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin'))) && !$_extra['hasAccess']) {
 $_SESSION['return'][] = array(
 'type' => 'danger',
 'log' => array(__FUNCTION__, $_action, $_scope, $_data_log),
@@ -139,7 +139,7 @@ function ratelimit($_action, $_scope, $_data = null, $_extra = null) {
 case 'get':
 switch ($_scope) {
 case 'domain':
- if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
+ if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data) && !$_extra['hasAccess']) {
 return false;
 }
 try {
@@ -164,7 +164,7 @@ function ratelimit($_action, $_scope, $_data = null, $_extra = null) {
 return false;
 break;
 case 'mailbox':
- if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)
+ if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data && !$_extra['hasAccess'])
 || ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin')) {
 return false;
 }
diff --git a/docker-compose.yml b/docker-compose.yml
index a55f0c02c..85395b645 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
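Review bot: The changed `case 'domain'` line reads `$_extra['hasAccess']` although the hunk header shows `$_extra = null` as the default, so every existing caller that omits the fourth argument now raises an "array offset on value of type null" warning on each domain lookup; `empty($_extra['hasAccess'])` gives the same truth table without the notice. Since `hasAccess` is a caller-asserted bypass of the session-based `hasDomainAccess` check, the ratelimit docblock (outside this hunk) should state that it is meant for trusted internal callers only and must never be derived from request input, otherwise a web path that forwards `$_extra` would skip authorization entirely. The ratelimit function continues beyond this hunk on both sides.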
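Review bot: In the `case 'mailbox'` hunk the new `&& !$_extra['hasAccess']` sits inside the argument list of `hasMailboxObjectAccess(...)`, not in the outer condition, so the helper receives the boolean `$_data && !$_extra['hasAccess']` instead of the mailbox name and the bypass never reaches the `if`; the role test on the following, unchanged line is also still unconditional, so an internal caller without an admin or domainadmin session is refused regardless. The condition should mirror the 'edit' branch earlier in this same diff: `if ((!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)` followed by `|| ($_SESSION['mailcow_cc_role'] != 'admin' && $_SESSION['mailcow_cc_role'] != 'domainadmin')) && empty($_extra['hasAccess'])) {`. Using `empty()` also avoids the null-offset warning when `$_extra` is left at its `null` default. The surrounding switch and the ratelimit function extend past this hunk.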
@@ -127,6 +127,7 @@ services:
 - ./data/web/inc/sessions.inc.php:/mailcowauth/sessions.inc.php:z
 - ./data/web/inc/functions.mailbox.inc.php:/mailcowauth/functions.mailbox.inc.php:z
 - ./data/web/inc/functions.ratelimit.inc.php:/mailcowauth/functions.ratelimit.inc.php:z
+ - ./data/web/inc/functions.acl.inc.php:/mailcowauth/functions.acl.inc.php:z
 - rspamd-vol-1:/var/lib/rspamd
 - mysql-socket-vol-1:/var/run/mysqld/
 - ./data/conf/sogo/:/etc/sogo/:z