[Web] Even more fixes for #1017
This commit is contained in:
parent
8e1ac0bfbb
commit
618be3bf14
@ -61,7 +61,7 @@ $(document).ready(function() {
|
||||
type: "GET",
|
||||
cache: false,
|
||||
dataType: 'script',
|
||||
url: "/api/v1/get/u2f-authentication/<?= (isset($_SESSION['pending_mailcow_cc_username'])) ? $_SESSION['pending_mailcow_cc_username'] : null; ?>",
|
||||
url: "/api/v1/get/u2f-authentication/<?= (isset($_SESSION['pending_mailcow_cc_username'])) ? rawurlencode($_SESSION['pending_mailcow_cc_username']) : null; ?>",
|
||||
complete: function(data){
|
||||
$('#u2f_status_auth').html('<?=$lang['tfa']['waiting_usb_auth'];?>');
|
||||
data;
|
||||
@ -100,7 +100,7 @@ $(document).ready(function() {
|
||||
type: "GET",
|
||||
cache: false,
|
||||
dataType: 'script',
|
||||
url: "/api/v1/get/u2f-registration/<?= (isset($_SESSION['mailcow_cc_username'])) ? $_SESSION['mailcow_cc_username'] : null; ?>",
|
||||
url: "/api/v1/get/u2f-registration/<?= (isset($_SESSION['mailcow_cc_username'])) ? rawurlencode($_SESSION['mailcow_cc_username']) : null; ?>",
|
||||
complete: function(data){
|
||||
data;
|
||||
setTimeout(function() {
|
||||
|
@ -39,7 +39,7 @@ function hasDomainAccess($username, $role, $domain) {
|
||||
}
|
||||
function hasMailboxObjectAccess($username, $role, $object) {
|
||||
global $pdo;
|
||||
if (!filter_var($username, FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) {
|
||||
if (!filter_var(html_entity_decode(rawurldecode($username)), FILTER_VALIDATE_EMAIL) && !ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) {
|
||||
return false;
|
||||
}
|
||||
if ($role != 'admin' && $role != 'domainadmin' && $role != 'user') {
|
||||
@ -471,22 +471,18 @@ function user_get_alias_details($username) {
|
||||
));
|
||||
$run = $stmt->fetchAll(PDO::FETCH_ASSOC);
|
||||
while ($row = array_shift($run)) {
|
||||
$data['direct_aliases'] = $row['direct_aliases'];
|
||||
$data['direct_aliases'][] = $row['direct_aliases'];
|
||||
}
|
||||
$stmt = $pdo->prepare("SELECT IFNULL(GROUP_CONCAT(local_part, '@', alias_domain SEPARATOR ', '), '✘') AS `ad_alias` FROM `mailbox`
|
||||
$stmt = $pdo->prepare("SELECT GROUP_CONCAT(local_part, '@', alias_domain SEPARATOR ', ') AS `ad_alias` FROM `mailbox`
|
||||
LEFT OUTER JOIN `alias_domain` on `target_domain` = `domain`
|
||||
WHERE `username` = :username ;");
|
||||
$stmt->execute(array(':username' => $username));
|
||||
$run = $stmt->fetchAll(PDO::FETCH_ASSOC);
|
||||
while ($row = array_shift($run)) {
|
||||
if (empty($data['direct_aliases'])) {
|
||||
$data['direct_aliases'] = $row['ad_alias'];
|
||||
}
|
||||
else {
|
||||
// Probably faster than imploding
|
||||
$data['direct_aliases'] .= ', ' . $row['ad_alias'];
|
||||
}
|
||||
$data['direct_aliases'][] = $row['ad_alias'];
|
||||
}
|
||||
$data['direct_aliases'] = implode(', ', array_filter($data['direct_aliases']));
|
||||
$data['direct_aliases'] = empty($data['direct_aliases']) ? '✘' : $data['direct_aliases'];
|
||||
$stmt = $pdo->prepare("SELECT IFNULL(GROUP_CONCAT(`send_as` SEPARATOR ', '), '✘') AS `send_as` FROM `sender_acl` WHERE `logged_in_as` = :username AND `send_as` NOT LIKE '@%';");
|
||||
$stmt->execute(array(':username' => $username));
|
||||
$run = $stmt->fetchAll(PDO::FETCH_ASSOC);
|
||||
|
@ -94,7 +94,7 @@ function policy($_action, $_scope, $_data = null) {
|
||||
if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $object)) {
|
||||
$_SESSION['return'] = array(
|
||||
'type' => 'danger',
|
||||
'msg' => sprintf($lang['danger']['access_denied'])
|
||||
'msg' => $object
|
||||
);
|
||||
return false;
|
||||
}
|
||||
|
@ -1,4 +1,4 @@
|
||||
<!DOCTYPE html>
|
||||
<!DOCTYPE html>
|
||||
<html lang="<?= $_SESSION['mailcow_locale'] ?>">
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
@ -129,11 +129,11 @@
|
||||
}
|
||||
if (!isset($_SESSION['dual-login']) && isset($_SESSION['mailcow_cc_username'])):
|
||||
?>
|
||||
<li class="logged-in-as"><a href="#" onclick="logout.submit()"><b><?= $_SESSION['mailcow_cc_username']; ?></b> <span class="glyphicon glyphicon-log-out"></span></a></li>
|
||||
<li class="logged-in-as"><a href="#" onclick="logout.submit()"><b><?= htmlspecialchars($_SESSION['mailcow_cc_username']); ?></b> <span class="glyphicon glyphicon-log-out"></span></a></li>
|
||||
<?php
|
||||
elseif (isset($_SESSION['dual-login'])):
|
||||
?>
|
||||
<li class="logged-in-as"><a href="#" onclick="logout.submit()"><b><?= $_SESSION['mailcow_cc_username']; ?> <span class="text-info">(<?= $_SESSION['dual-login']['username']; ?>)</span> </b><span class="glyphicon glyphicon-log-out"></span></a></li>
|
||||
<li class="logged-in-as"><a href="#" onclick="logout.submit()"><b><?= htmlspecialchars($_SESSION['mailcow_cc_username']); ?> <span class="text-info">(<?= htmlspecialchars($_SESSION['dual-login']['username']); ?>)</span> </b><span class="glyphicon glyphicon-log-out"></span></a></li>
|
||||
<?php
|
||||
endif;
|
||||
?>
|
||||
|
@ -43,11 +43,12 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
|
||||
|
||||
if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == "admin") {
|
||||
if (isset($_GET["duallogin"])) {
|
||||
if (filter_var($_GET["duallogin"], FILTER_VALIDATE_EMAIL)) {
|
||||
if (!empty(mailbox('get', 'mailbox_details', $_GET["duallogin"]))) {
|
||||
$duallogin = html_entity_decode(rawurldecode($_GET["duallogin"]));
|
||||
if (filter_var($duallogin, FILTER_VALIDATE_EMAIL)) {
|
||||
if (!empty(mailbox('get', 'mailbox_details', $duallogin))) {
|
||||
$_SESSION["dual-login"]["username"] = $_SESSION['mailcow_cc_username'];
|
||||
$_SESSION["dual-login"]["role"] = $_SESSION['mailcow_cc_role'];
|
||||
$_SESSION['mailcow_cc_username'] = $_GET["duallogin"];
|
||||
$_SESSION['mailcow_cc_username'] = $duallogin;
|
||||
$_SESSION['mailcow_cc_role'] = "user";
|
||||
header("Location: /user.php");
|
||||
}
|
||||
|
@ -250,7 +250,6 @@ jQuery(function($){
|
||||
$.each(data, function (i, item) {
|
||||
item.quota = item.quota_used + "/" + item.quota;
|
||||
item.max_quota_for_mbox = humanFileSize(item.max_quota_for_mbox);
|
||||
item.username = escapeHtml(item.username);
|
||||
item.chkbox = '<input type="checkbox" data-id="mailbox" name="multi_select" value="' + encodeURIComponent(item.username) + '" />';
|
||||
if (role == "admin") {
|
||||
item.action = '<div class="btn-group">' +
|
||||
@ -268,7 +267,7 @@ jQuery(function($){
|
||||
item.in_use = '<div class="progress">' +
|
||||
'<div class="progress-bar progress-bar-' + item.percent_class + ' role="progressbar" aria-valuenow="' + item.percent_in_use + '" aria-valuemin="0" aria-valuemax="100" ' +
|
||||
'style="min-width:2em;width:' + item.percent_in_use + '%">' + item.percent_in_use + '%' + '</div></div>';
|
||||
|
||||
item.username = escapeHtml(item.username);
|
||||
});
|
||||
}
|
||||
}),
|
||||
@ -309,12 +308,12 @@ jQuery(function($){
|
||||
},
|
||||
success: function (data) {
|
||||
$.each(data, function (i, item) {
|
||||
item.name = escapeHtml(item.name);
|
||||
item.action = '<div class="btn-group">' +
|
||||
'<a href="/edit.php?resource=' + encodeURIComponent(item.name) + '" class="btn btn-xs btn-default"><span class="glyphicon glyphicon-pencil"></span> ' + lang.edit + '</a>' +
|
||||
'<a href="#" id="delete_selected" data-id="single-resource" data-api-url="delete/resource" data-item="' + encodeURIComponent(item.name) + '" class="btn btn-xs btn-danger"><span class="glyphicon glyphicon-trash"></span> ' + lang.remove + '</a>' +
|
||||
'</div>';
|
||||
item.chkbox = '<input type="checkbox" data-id="resource" name="multi_select" value="' + encodeURIComponent(item.name) + '" />';
|
||||
item.name = escapeHtml(item.name);
|
||||
});
|
||||
}
|
||||
}),
|
||||
@ -461,10 +460,12 @@ jQuery(function($){
|
||||
'</div>';
|
||||
item.chkbox = '<input type="checkbox" data-id="alias" name="multi_select" value="' + encodeURIComponent(item.address) + '" />';
|
||||
item.goto = escapeHtml(item.goto);
|
||||
item.address = escapeHtml(item.address);
|
||||
if (item.is_catch_all == 1) {
|
||||
item.address = '<div class="label label-default">Catch-All</div> ' + escapeHtml(item.address);
|
||||
}
|
||||
else {
|
||||
item.address = escapeHtml(item.address);
|
||||
}
|
||||
if (item.goto == "null@localhost") {
|
||||
item.goto = '⤷ <span style="font-size:12px" class="glyphicon glyphicon-trash" aria-hidden="true"></span>';
|
||||
}
|
||||
@ -568,7 +569,7 @@ jQuery(function($){
|
||||
} else {
|
||||
item.exclude = '<code>' + item.exclude + '</code>';
|
||||
}
|
||||
item.server_w_port = item.user1 + '@' + item.host1 + ':' + item.port1;
|
||||
item.server_w_port = escapeHtml(item.user1) + '@' + item.host1 + ':' + item.port1;
|
||||
item.action = '<div class="btn-group">' +
|
||||
'<a href="/edit.php?syncjob=' + item.id + '" class="btn btn-xs btn-default"><span class="glyphicon glyphicon-pencil"></span> ' + lang.edit + '</a>' +
|
||||
'<a href="#" id="delete_selected" data-id="single-syncjob" data-api-url="delete/syncjob" data-item="' + item.id + '" class="btn btn-xs btn-danger"><span class="glyphicon glyphicon-trash"></span> ' + lang.remove + '</a>' +
|
||||
|
@ -62,9 +62,10 @@ jQuery(function($){
|
||||
$.each(data, function (i, item) {
|
||||
if (acl_data.spam_alias === 1) {
|
||||
item.action = '<div class="btn-group">' +
|
||||
'<a href="#" id="delete_selected" data-id="single-tla" data-api-url="delete/time_limited_alias" data-item="' + encodeURI(item.address) + '" class="btn btn-xs btn-danger"><span class="glyphicon glyphicon-trash"></span> ' + lang.remove + '</a>' +
|
||||
'<a href="#" id="delete_selected" data-id="single-tla" data-api-url="delete/time_limited_alias" data-item="' + encodeURIComponent(item.address) + '" class="btn btn-xs btn-danger"><span class="glyphicon glyphicon-trash"></span> ' + lang.remove + '</a>' +
|
||||
'</div>';
|
||||
item.chkbox = '<input type="checkbox" data-id="tla" name="multi_select" value="' + item.address + '" />';
|
||||
item.chkbox = '<input type="checkbox" data-id="tla" name="multi_select" value="' + encodeURIComponent(item.address) + '" />';
|
||||
item.address = escapeHtml(item.address);
|
||||
}
|
||||
else {
|
||||
item.chkbox = '<input type="checkbox" disabled />';
|
||||
@ -102,24 +103,25 @@ jQuery(function($){
|
||||
"empty": lang.empty,
|
||||
"rows": $.ajax({
|
||||
dataType: 'json',
|
||||
url: '/api/v1/get/syncjobs/' + mailcow_cc_username + '/no_log',
|
||||
url: '/api/v1/get/syncjobs/' + encodeURIComponent(mailcow_cc_username) + '/no_log',
|
||||
jsonp: false,
|
||||
error: function () {
|
||||
console.log('Cannot draw sync job table');
|
||||
},
|
||||
success: function (data) {
|
||||
$.each(data, function (i, item) {
|
||||
item.log = '<a href="#syncjobLogModal" data-toggle="modal" data-syncjob-id="' + encodeURI(item.id) + '">Open logs</a>'
|
||||
item.user1 = escapeHtml(item.user1);
|
||||
item.log = '<a href="#syncjobLogModal" data-toggle="modal" data-syncjob-id="' + item.id + '">Open logs</a>'
|
||||
if (!item.exclude > 0) {
|
||||
item.exclude = '-';
|
||||
} else {
|
||||
item.exclude = '<code>' + item.exclude + '</code>';
|
||||
item.exclude = '<code>' + escapeHtml(item.exclude) + '</code>';
|
||||
}
|
||||
item.server_w_port = item.user1 + '@' + item.host1 + ':' + item.port1;
|
||||
item.server_w_port = escapeHtml(item.user1 + '@' + item.host1 + ':' + item.port1);
|
||||
if (acl_data.syncjobs === 1) {
|
||||
item.action = '<div class="btn-group">' +
|
||||
'<a href="/edit.php?syncjob=' + item.id + '" class="btn btn-xs btn-default"><span class="glyphicon glyphicon-pencil"></span> ' + lang.edit + '</a>' +
|
||||
'<a href="#" id="delete_selected" data-id="single-syncjob" data-api-url="delete/syncjob" data-item="' + encodeURI(item.id) + '" class="btn btn-xs btn-danger"><span class="glyphicon glyphicon-trash"></span> ' + lang.remove + '</a>' +
|
||||
'<a href="#" id="delete_selected" data-id="single-syncjob" data-api-url="delete/syncjob" data-item="' + item.id + '" class="btn btn-xs btn-danger"><span class="glyphicon glyphicon-trash"></span> ' + lang.remove + '</a>' +
|
||||
'</div>';
|
||||
item.chkbox = '<input type="checkbox" data-id="syncjob" name="multi_select" value="' + item.id + '" />';
|
||||
}
|
||||
@ -238,7 +240,7 @@ jQuery(function($){
|
||||
$('#user_sieve_filter').text(lang.loading);
|
||||
$.ajax({
|
||||
dataType: 'json',
|
||||
url: '/api/v1/get/active-user-sieve/' + mailcow_cc_username,
|
||||
url: '/api/v1/get/active-user-sieve/' + encodeURIComponent(mailcow_cc_username),
|
||||
jsonp: false,
|
||||
error: function () {
|
||||
console.log('Cannot get active sieve script');
|
||||
|
@ -164,21 +164,21 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
|
||||
|
||||
<button type="button" class="btn btn-sm btn-default <?=($get_tagging_options == "subfolder") ? 'active' : null; ?>"
|
||||
id="edit_selected"
|
||||
data-item="<?= $username; ?>"
|
||||
data-item="<?= htmlentities($username); ?>"
|
||||
data-id="delimiter_action"
|
||||
data-api-url='edit/delimiter_action'
|
||||
data-api-attr='{"tagged_mail_handler":"subfolder"}'><?=$lang['user']['tag_in_subfolder'];?></button>
|
||||
|
||||
<button type="button" class="btn btn-sm btn-default <?=($get_tagging_options == "subject") ? 'active' : null; ?>"
|
||||
id="edit_selected"
|
||||
data-item="<?= $username; ?>"
|
||||
data-item="<?= htmlentities($username); ?>"
|
||||
data-id="delimiter_action"
|
||||
data-api-url='edit/delimiter_action'
|
||||
data-api-attr='{"tagged_mail_handler":"subject"}'><?=$lang['user']['tag_in_subject'];?></button>
|
||||
|
||||
<button type="button" class="btn btn-sm btn-default <?=($get_tagging_options == "none") ? 'active' : null; ?>"
|
||||
id="edit_selected"
|
||||
data-item="<?= $username; ?>"
|
||||
data-item="<?= htmlentities($username); ?>"
|
||||
data-id="delimiter_action"
|
||||
data-api-url='edit/delimiter_action'
|
||||
data-api-attr='{"tagged_mail_handler":"none"}'><?=$lang['user']['tag_in_none'];?></button>
|
||||
@ -201,14 +201,14 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
|
||||
|
||||
<button type="button" class="btn btn-sm btn-default <?=($get_tls_policy['tls_enforce_in'] == "1") ? "active" : null;?>"
|
||||
id="edit_selected"
|
||||
data-item="<?= $username; ?>"
|
||||
data-item="<?= htmlentities($username); ?>"
|
||||
data-id="tls_policy"
|
||||
data-api-url='edit/tls_policy'
|
||||
data-api-attr='{"tls_enforce_in":<?=($get_tls_policy['tls_enforce_in'] == "1") ? "0" : "1";?>}'><?=$lang['user']['tls_enforce_in'];?></button>
|
||||
|
||||
<button type="button" class="btn btn-sm btn-default <?=($get_tls_policy['tls_enforce_out'] == "1") ? "active" : null;?>"
|
||||
id="edit_selected"
|
||||
data-item="<?= $username; ?>"
|
||||
data-item="<?= htmlentities($username); ?>"
|
||||
data-id="tls_policy"
|
||||
data-api-url='edit/tls_policy'
|
||||
data-api-attr='{"tls_enforce_out":<?=($get_tls_policy['tls_enforce_out'] == "1") ? "0" : "1";?>}'><?=$lang['user']['tls_enforce_out'];?></button>
|
||||
@ -225,7 +225,7 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
|
||||
<div class="row">
|
||||
<div class="col-md-3 col-xs-5 text-right"><?=$lang['user']['eas_reset'];?>:</div>
|
||||
<div class="col-md-9 col-xs-7">
|
||||
<button class="btn btn-xs btn-default" id="delete_selected" data-text="<?=$lang['user']['eas_reset'];?>?" data-item="<?= $username; ?>" data-id="eas_cache" data-api-url='delete/eas_cache' href="#"><?=$lang['user']['eas_reset_now'];?></button>
|
||||
<button class="btn btn-xs btn-default" id="delete_selected" data-text="<?=$lang['user']['eas_reset'];?>?" data-item="<?= htmlentities($username); ?>" data-id="eas_cache" data-api-url='delete/eas_cache' href="#"><?=$lang['user']['eas_reset_now'];?></button>
|
||||
<p class="help-block"><?=$lang['user']['eas_reset_help'];?></p>
|
||||
</div>
|
||||
</div>
|
||||
@ -315,7 +315,7 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
|
||||
<div class="form-group">
|
||||
<div class="col-sm-10">
|
||||
<button type="button" class="btn btn-sm btn-success" id="edit_selected"
|
||||
data-item="<?= $username; ?>"
|
||||
data-item="<?= htmlentities($username); ?>"
|
||||
data-id="spam_score"
|
||||
data-api-url='edit/spam-score'
|
||||
data-api-attr='{}'><?=$lang['user']['save_changes'];?></button>
|
||||
@ -346,7 +346,7 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
|
||||
<div class="input-group">
|
||||
<input type="text" class="form-control" name="object_from" id="object_from" placeholder="*@example.org" required>
|
||||
<span class="input-group-btn">
|
||||
<button class="btn btn-default" id="add_item" data-id="add_wl_policy_mailbox" data-api-url='add/mailbox-policy' data-api-attr='{"username":"<?= $username; ?>","object_list":"wl"}' href="#"><span class="glyphicon glyphicon-plus"></span> <?=$lang['user']['spamfilter_table_add'];?></button>
|
||||
<button class="btn btn-default" id="add_item" data-id="add_wl_policy_mailbox" data-api-url='add/mailbox-policy' data-api-attr='{"username":<?= json_encode($username); ?>,"object_list":"wl"}' href="#"><span class="glyphicon glyphicon-plus"></span> <?=$lang['user']['spamfilter_table_add'];?></button>
|
||||
</span>
|
||||
</div>
|
||||
</form>
|
||||
@ -372,10 +372,10 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
|
||||
<form class="form-inline" data-id="add_bl_policy_mailbox">
|
||||
<div class="input-group">
|
||||
<input type="text" class="form-control" name="object_from" id="object_from" placeholder="*@example.org" required>
|
||||
<input type="hidden" name="username" value="<?= $username ;?>">
|
||||
<input type="hidden" name="username" value="<?= htmlentities($username) ;?>">
|
||||
<input type="hidden" name="object_list" value="bl">
|
||||
<span class="input-group-btn">
|
||||
<button class="btn btn-default" id="add_item" data-id="add_bl_policy_mailbox" data-api-url='add/mailbox-policy' data-api-attr='{"username":"<?= $username; ?>","object_list":"bl"}' href="#"><span class="glyphicon glyphicon-plus"></span> <?=$lang['user']['spamfilter_table_add'];?></button>
|
||||
<button class="btn btn-default" id="add_item" data-id="add_bl_policy_mailbox" data-api-url='add/mailbox-policy' data-api-attr='{"username":<?= json_encode($username); ?>,"object_list":"bl"}' href="#"><span class="glyphicon glyphicon-plus"></span> <?=$lang['user']['spamfilter_table_add'];?></button>
|
||||
</span>
|
||||
</div>
|
||||
</form>
|
||||
|
Loading…
Reference in New Issue
Block a user