7x31/mailcow-dockerized
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[Web] Remove External as standard subfolder for sync jobs

Browse Source 
[Web] Disallow a domain admin to set intersecting user ACLs
[Web] Allow Pushover and SOGo EAS cache reset by default, disallow profile reset by default
This commit is contained in:
andryyy
2020-04-19 14:41:55 +02:00
parent ccf65fb50f
commit ecebfe15df
4 changed files with 16 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
data/web/inc/functions.acl.inc.php
View File

@@ -136,6 +136,16 @@ function acl($_action, $_scope = null, $_data = null) {
$stmt = $pdo->prepare("SELECT * FROM `user_acl` WHERE `username` = :username");
$stmt->execute(array(':username' => $_data));
$data = $stmt->fetch(PDO::FETCH_ASSOC);
if ($_SESSION['mailcow_cc_role'] == 'domainadmin') {
// Domain admins cannot see, add or remove user ACLs they don't have access to by themselves
// Editing a user will use acl("get", "user") to determine granted ACLs and therefore block unallowed access escalation via form editing
$self_da_acl = acl('get', 'domainadmin', $_SESSION['mailcow_cc_username']);
foreach ($self_da_acl as $self_da_acl_key => $self_da_acl_val) {
if ($self_da_acl_val == 0) {
unset($data[$self_da_acl_key]);
}
}
}
if (!empty($data)) {
unset($data['username']);
return $data;