[Web] Do not allow to add domain admin for non existing domain

[Web] oAuth2 implementation (wip)
2019-10-02 19:00:36 +02:00
parent 9f66b83a34
commit 1c35002505
20 changed files with 478 additions and 119 deletions
--- a/data/web/inc/functions.domain_admin.inc.php
+++ b/data/web/inc/functions.domain_admin.inc.php
@@ -83,15 +83,17 @@ function domain_admin($_action, $_data = null) {
          return false;
        }
        $password_hashed = hash_password($password);
+        $valid_domains = 0;
        foreach ($domains as $domain) {
-          if (!is_valid_domain_name($domain)) {
+          if (!is_valid_domain_name($domain) || mailbox('get', 'domain_details', $domain) === false) {
            $_SESSION['return'][] = array(
              'type' => 'danger',
              'log' => array(__FUNCTION__, $_action, $_data_log),
-              'msg' => 'domain_invalid'
+              'msg' => array('domain_invalid', htmlspecialchars($domain))
            );
-            return false;
+            continue;
          }
+          $valid_domains++;
          $stmt = $pdo->prepare("INSERT INTO `domain_admins` (`username`, `domain`, `created`, `active`)
              VALUES (:username, :domain, :created, :active)");
          $stmt->execute(array(
@@ -101,13 +103,15 @@ function domain_admin($_action, $_data = null) {
            ':active' => $active
          ));
        }
-        $stmt = $pdo->prepare("INSERT INTO `admin` (`username`, `password`, `superadmin`, `active`)
-          VALUES (:username, :password_hashed, '0', :active)");
-        $stmt->execute(array(
-          ':username' => $username,
-          ':password_hashed' => $password_hashed,
-          ':active' => $active
-        ));
+        if ($valid_domains != 0) {
+          $stmt = $pdo->prepare("INSERT INTO `admin` (`username`, `password`, `superadmin`, `active`)
+            VALUES (:username, :password_hashed, '0', :active)");
+          $stmt->execute(array(
+            ':username' => $username,
+            ':password_hashed' => $password_hashed,
+            ':active' => $active
+          ));
+        }
      }
      else {
        $_SESSION['return'][] = array(
@@ -117,15 +121,17 @@ function domain_admin($_action, $_data = null) {
        );
        return false;
      }
-      $stmt = $pdo->prepare("INSERT INTO `da_acl` (`username`) VALUES (:username)");
-      $stmt->execute(array(
-        ':username' => $username
-      ));
-      $_SESSION['return'][] = array(
-        'type' => 'success',
-        'log' => array(__FUNCTION__, $_action, $_data_log),
-        'msg' => array('domain_admin_added', htmlspecialchars($username))
-      );
+      if ($valid_domains != 0) {
+        $stmt = $pdo->prepare("INSERT INTO `da_acl` (`username`) VALUES (:username)");
+        $stmt->execute(array(
+          ':username' => $username
+        ));
+        $_SESSION['return'][] = array(
+          'type' => 'success',
+          'log' => array(__FUNCTION__, $_action, $_data_log),
+          'msg' => array('domain_admin_added', htmlspecialchars($username))
+        );
+      }
    break;
    case 'edit':
      if ($_SESSION['mailcow_cc_role'] != "admin" && $_SESSION['mailcow_cc_role'] != "domainadmin") {
@@ -165,7 +171,7 @@ function domain_admin($_action, $_data = null) {
          $password2    = $_data['password2'];
          if (!empty($domains)) {
            foreach ($domains as $domain) {
-              if (!is_valid_domain_name($domain)) {
+              if (!is_valid_domain_name($domain) || mailbox('get', 'domain_details', $domain) === false) {
                $_SESSION['return'][] = array(
                  'type' => 'danger',
                  'log' => array(__FUNCTION__, $_action, $_data_log),