[Web] Various fixes for app passwd functions

2019-12-21 22:25:09 +01:00 · 2019-12-21 22:25:09 +01:00 · aece2558df
commit aece2558df
parent 0b224d1e07
2 changed files with 46 additions and 56 deletions
--- a/data/web/inc/functions.app_passwd.inc.php
+++ b/data/web/inc/functions.app_passwd.inc.php
@ -59,7 +59,6 @@ function app_passwd($_action, $_data = null) {
        );
        return false;
      }
-      try {
      $stmt = $pdo->prepare("INSERT INTO `app_passwd` (`name`, `mailbox`, `domain`, `password`, `active`)
        VALUES (:app_name, :mailbox, :domain, :password, :active)");
      $stmt->execute(array(
@ -69,15 +68,6 @@ function app_passwd($_action, $_data = null) {
        ':password' => $password_hashed,
        ':active' => $active
      ));
-      }
-      catch (PDOException $e) {
-        $_SESSION['return'][] = array(
-          'type' => 'danger',
-          'log' => array(__FUNCTION__, $_action, $_data_log),
-          'msg' => array('mysql_error', $e)
-        );
-        return false;
-      }
      $_SESSION['return'][] = array(
        'type' => 'success',
        'log' => array(__FUNCTION__, $_action, $_data_log),
@ -130,7 +120,6 @@ function app_passwd($_action, $_data = null) {
            ':id' => $id
          ));
        }
-        try {
        $stmt = $pdo->prepare("UPDATE `app_passwd` SET
          `name` = :app_name,
          `mailbox` = :username,
@ -142,15 +131,6 @@ function app_passwd($_action, $_data = null) {
          ':active' => $active,
          ':id' => $id
        ));
-        }
-        catch (PDOException $e) {
-          $_SESSION['return'][] = array(
-            'type' => 'danger',
-            'log' => array(__FUNCTION__, $_action, $_data_log),
-            'msg' => array('mysql_error', $e)
-          );
-          continue;
-        }
        $_SESSION['return'][] = array(
          'type' => 'success',
          'log' => array(__FUNCTION__, $_action, $_data_log),
@ -161,18 +141,27 @@ function app_passwd($_action, $_data = null) {
    case 'delete':
      $ids = (array)$_data['id'];
      foreach ($ids as $id) {
-        try {
-          $stmt = $pdo->prepare("DELETE FROM `app_passwd` WHERE `id`= :id AND `mailbox`= :username");
-          $stmt->execute(array(':id' => $id, ':username' => $username));
-        }
-        catch (PDOException $e) {
+        $stmt = $pdo->prepare("SELECT `mailbox` FROM `app_passwd` WHERE `id` = :id");
+        $stmt->execute(array(':id' => $id));
+        $mailbox = $stmt->fetch(PDO::FETCH_ASSOC)['mailbox'];
+        if (empty($mailbox)) {
          $_SESSION['return'][] = array(
            'type' => 'danger',
            'log' => array(__FUNCTION__, $_action, $_data_log),
-            'msg' => array('mysql_error', $e)
+            'msg' => 'app_passwd_id_invalid'
          );
          return false;
        }
+        if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $mailbox)) {
+          $_SESSION['return'][] = array(
+            'type' => 'danger',
+            'log' => array(__FUNCTION__, $_action, $_data_log),
+            'msg' => 'access_denied'
+          );
+          return false;
+        }
+        $stmt = $pdo->prepare("DELETE FROM `app_passwd` WHERE `id`= :id");
+        $stmt->execute(array(':id' => $id));
        $_SESSION['return'][] = array(
          'type' => 'success',
          'log' => array(__FUNCTION__, $_action, $_data_log),
@ -198,10 +187,16 @@ function app_passwd($_action, $_data = null) {
        `active` AS `active_int`,
        CASE `active` WHEN 1 THEN '".$lang['mailbox']['yes']."' ELSE '".$lang['mailbox']['no']."' END AS `active`
          FROM `app_passwd`
-            WHERE `id` = :id
-              AND `mailbox` = :username");
-      $stmt->execute(array(':id' => $_data['id'], ':username' => $username));
+            WHERE `id` = :id");
+      $stmt->execute(array(':id' => $_data['id']));
      $app_passwd_data = $stmt->fetch(PDO::FETCH_ASSOC);
+      if (empty($app_passwd_data)) {
+        return false;
+      }
+      if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $app_passwd_data['mailbox'])) {
+        $app_passwd_data = array();
+        return false;
+      }
      return $app_passwd_data;
    break;
  }
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@ -296,12 +296,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
                }
                if (!empty($app_passwds)) {
                  foreach ($app_passwds as $app_passwd) {
-                    if (empty($extra)) {
                    $details = app_passwd('details', array('id' => $app_passwd['id']));
-                    }
-                    else {
-                      $details = app_passwd('details', array('id' => $app_passwd['id'], 'username' => $extra));
-                    }
                    if ($details !== false) {
                      $data[] = $details;
                    }
@ -317,7 +312,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
              break;

              default:
-                $data = app_passwd('details', array('id' => $object));
+                $data = app_passwd('details', array('id' => $object['id']));
                process_get_return($data);
              break;
            }