From ecebfe15dfa6079c3e1e8af05945e4d86ef5b8db Mon Sep 17 00:00:00 2001
From: andryyy
Date: Sun, 19 Apr 2020 14:41:55 +0200
Subject: [PATCH] [Web] Remove External as standard subfolder for sync jobs [Web] Disallow a domain admin to set intersecting user ACLs [Web] Allow Pushover and SOGo EAS cache reset by default, disallow profile reset by default
---
 data/web/inc/functions.acl.inc.php | 10 ++++++++++
 data/web/inc/init_db.inc.php | 8 ++++----
 data/web/modals/mailbox.php | 2 +-
 data/web/modals/user.php | 2 +-
 4 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/data/web/inc/functions.acl.inc.php b/data/web/inc/functions.acl.inc.php
index b2fbd766..ffce9f44 100644
--- a/data/web/inc/functions.acl.inc.php
+++ b/data/web/inc/functions.acl.inc.php
@@ -136,6 +136,16 @@ function acl($_action, $_scope = null, $_data = null) {
 $stmt = $pdo->prepare("SELECT * FROM `user_acl` WHERE `username` = :username");
 $stmt->execute(array(':username' => $_data));
 $data = $stmt->fetch(PDO::FETCH_ASSOC);
+ if ($_SESSION['mailcow_cc_role'] == 'domainadmin') {
+ // Domain admins cannot see, add or remove user ACLs they don't have access to by themselves
+ // Editing a user will use acl("get", "user") to determine granted ACLs and therefore block unallowed access escalation via form editing
+ $self_da_acl = acl('get', 'domainadmin', $_SESSION['mailcow_cc_username']);
+ foreach ($self_da_acl as $self_da_acl_key => $self_da_acl_val) {
+ if ($self_da_acl_val == 0) {
+ unset($data[$self_da_acl_key]);
+ }
+ }
+ }
 if (!empty($data)) {
 unset($data['username']);
 return $data;
diff --git a/data/web/inc/init_db.inc.php b/data/web/inc/init_db.inc.php
index 3506c97d..e8f47111 100644
--- a/data/web/inc/init_db.inc.php
+++ b/data/web/inc/init_db.inc.php
@@ -3,7 +3,7 @@ function init_db_schema() {
 try {
 global $pdo;
- $db_version = "16042020_2104";
+ $db_version = "19042020_1437";
 $stmt = $pdo->query("SHOW TABLES LIKE 'versions'");
 $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
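Review bot: In data/web/inc/functions.acl.inc.php, the new domain-admin filter fails open when `acl('get', 'domainadmin', ...)` returns something other than an array: `foreach` then strips nothing and the full `user_acl` row is returned. What that call returns for an admin without an ACL row is outside the hunk, so this is inferred; a guard before the loop such as `if (!is_array($self_da_acl)) { return false; }` (assuming `false` is this function's "nothing granted" result) makes the restriction fail closed. The filter also matches on column names only, so a `user_acl` column with no same-named domain admin ACL entry is never removed; the comment should state that assumption. The body of `acl()` starts and ends outside the hunk.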
@@ -372,9 +372,9 @@ function init_db_schema() {
 "spam_policy" => "TINYINT(1) NOT NULL DEFAULT '1'",
 "delimiter_action" => "TINYINT(1) NOT NULL DEFAULT '1'",
 "syncjobs" => "TINYINT(1) NOT NULL DEFAULT '1'",
- "eas_reset" => "TINYINT(1) NOT NULL DEFAULT '0'",
- "sogo_profile_reset" => "TINYINT(1) NOT NULL DEFAULT '1'",
- "pushover" => "TINYINT(1) NOT NULL DEFAULT '0'",
+ "eas_reset" => "TINYINT(1) NOT NULL DEFAULT '1'",
+ "sogo_profile_reset" => "TINYINT(1) NOT NULL DEFAULT '0'",
+ "pushover" => "TINYINT(1) NOT NULL DEFAULT '1'",
 // quarantine is for quarantine actions, todo: rename
 "quarantine" => "TINYINT(1) NOT NULL DEFAULT '1'",
 "quarantine_attachments" => "TINYINT(1) NOT NULL DEFAULT '1'",
diff --git a/data/web/modals/mailbox.php b/data/web/modals/mailbox.php
index b3f4b8a5..2e00a273 100644
--- a/data/web/modals/mailbox.php
+++ b/data/web/modals/mailbox.php
@@ -448,7 +448,7 @@ if (!isset($_SESSION['mailcow_cc_role'])) {
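Review bot: In data/web/inc/init_db.inc.php, switching `sogo_profile_reset` to `DEFAULT '0'` changes only the column default, so rows that already store `1` would keep the permission unless existing data is updated somewhere outside this hunk. If the restriction is meant to reach existing users, add an explicit update of the stored values next to the schema change; otherwise add a comment such as `// defaults apply to newly created ACL rows only`. The same applies in the other direction to `eas_reset` and `pushover`. The column array and `init_db_schema()` continue outside the hunk.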
-
+
diff --git a/data/web/modals/user.php b/data/web/modals/user.php
index 90e50a68..d61d5faf 100644
--- a/data/web/modals/user.php
+++ b/data/web/modals/user.php
@@ -60,7 +60,7 @@ if (!isset($_SESSION['mailcow_cc_role'])) {
-
+