From 9edea9976bd605071e0694a90d704266c0b7e0f9 Mon Sep 17 00:00:00 2001
From: Till Brehm <tbrehm@ispconfig.org>
Date: Thu, 14 Aug 2014 11:30:03 -0400
Subject: [PATCH] - Added warning in the interface when a path for a shelluser is set that is outside of the website docroot. - Added security settings feature to allow the root user of a server to control most aspects of what the admin user of the controlpanel is allowed to do in system settings. This is especially useful for managed servers where the ispconfig admin user and the root user of the server are different persons.
---
interface/web/mail/mail_get_edit.php | 79 ++++++++++++++++++++++++++++++++++-----
1 files changed, 69 insertions(+), 10 deletions(-)
diff --git a/interface/web/mail/mail_get_edit.php b/interface/web/mail/mail_get_edit.php
index 1d07266..70d1fb2 100644
--- a/interface/web/mail/mail_get_edit.php
+++ b/interface/web/mail/mail_get_edit.php
@@ -38,25 +38,84 @@
* End Form configuration
******************************************/
-require_once('../../lib/config.inc.php');
-require_once('../../lib/app.inc.php');
+require_once '../../lib/config.inc.php';
+require_once '../../lib/app.inc.php';
-// Checking module permissions
-if(!stristr($_SESSION["s"]["user"]["modules"],$_SESSION["s"]["module"]["name"])) {
- header("Location: ../index.php");
- exit;
-}
+//* Check permissions for module
+$app->auth->check_module_permissions('mail');
// Loading classes
$app->uses('tpl,tform,tform_actions');
$app->load('tform_actions');
class page_action extends tform_actions {
-
-
+
+ function onShowNew() {
+ global $app, $conf;
+
+ // we will check only users, not admins
+ if($_SESSION["s"]["user"]["typ"] == 'user') {
+ if(!$app->tform->checkClientLimit('limit_fetchmail')) {
+ $app->error($app->tform->wordbook["limit_fetchmail_txt"]);
+ }
+ if(!$app->tform->checkResellerLimit('limit_fetchmail')) {
+ $app->error('Reseller: '.$app->tform->wordbook["limit_fetchmail_txt"]);
+ }
+ }
+
+ parent::onShowNew();
+ }
+
+ function onSubmit() {
+ global $app, $conf;
+
+ //* Check if destination email belongs to user
+ if(isset($_POST["destination"])) {
+ $email = $app->db->queryOneRecord("SELECT email FROM mail_user WHERE email = '".$app->db->quote($app->functions->idn_encode($_POST["destination"]))."' AND ".$app->tform->getAuthSQL('r'));
+ if($email["email"] != $app->functions->idn_encode($_POST["destination"])) $app->tform->errorMessage .= $app->tform->lng("no_destination_perm");
+ }
+
+ // Check the client limits, if user is not the admin
+ if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
+ // Get the limits of the client
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
+ $client = $app->db->queryOneRecord("SELECT limit_fetchmail FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
+
+ // Check if the user may add another transport.
+ if($this->id == 0 && $client["limit_fetchmail"] >= 0) {
+ $tmp = $app->db->queryOneRecord("SELECT count(mailget_id) as number FROM mail_get WHERE sys_groupid = $client_group_id");
+ if($tmp["number"] >= $client["limit_fetchmail"]) {
+ $app->tform->errorMessage .= $app->tform->wordbook["limit_fetchmail_txt"]."<br>";
+ }
+ unset($tmp);
+ }
+ } // end if user is not admin
+
+
+ // Set the server ID according to the selected destination
+ $tmp = $app->db->queryOneRecord("SELECT server_id FROM mail_user WHERE email = '".$app->db->quote($this->dataRecord["destination"])."'");
+ $this->dataRecord["server_id"] = $tmp["server_id"];
+ unset($tmp);
+
+ //* Check that no illegal combination of options is set
+ if((!isset($this->dataRecord['source_delete']) || @$this->dataRecord['source_delete'] == 'n') && $this->dataRecord['source_read_all'] == 'y') {
+ $app->tform->errorMessage .= $app->tform->lng('error_delete_read_all_combination')."<br>";
+ }
+
+ parent::onSubmit();
+ }
+
+ function onAfterInsert() {
+ global $app;
+
+ $tmp = $app->db->queryOneRecord("SELECT sys_groupid FROM mail_user WHERE email = '".$app->db->quote($this->dataRecord["destination"])."'");
+ $app->db->query("update mail_get SET sys_groupid = ".$app->functions->intval($tmp['sys_groupid'])." WHERE mailget_id = ".$this->id);
+
+ }
+
}
$page = new page_action;
$page->onLoad();
-?>
\ No newline at end of file
+?>
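Review bot: The destination-ownership check in onSubmit is only run when `$_POST["destination"]` is set, and when the lookup returns no row `$email` is not an array, so `$email["email"]` raises a notice before the mismatch is appended to errorMessage; the comparison should guard the result, `if(!is_array($email) || $email["email"] != $app->functions->idn_encode($_POST["destination"])) $app->tform->errorMessage .= $app->tform->lng("no_destination_perm");`. The same unguarded indexing appears on the `$tmp`/`$client` results at lines 65–67, 77 and 92 of the hunk, where a missing row silently yields an empty server_id or sys_groupid rather than an error. The check also reads `$_POST["destination"]` while the server_id and sys_groupid lookups use `$this->dataRecord["destination"]`; presumably tform copies the one into the other, but reading the same source in all three places would make the permission check and the later queries agree by construction. The option-combination check suppresses a notice with `@` on `source_delete` yet reads `source_read_all` unguarded; `isset()` on both keys would avoid the suppression operator.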
--
Gitblit v1.9.1