From 1033c950fa3a3066ed9308dad6a04f3374d4eb48 Mon Sep 17 00:00:00 2001 From: Christian Boltz Date: Sun, 21 Aug 2011 21:28:13 +0000 Subject: [PATCH] vacation.php: - split off $fDomain from ?username= (admin mode) - basic sanity check for ?username= (admin mode) - urlencode $fDomain for $Return_url (admin mode) - don't split off domain from username in users mode (not needed) - added various TODO notes - some whitespace fixes near the end of the file (2*3 lines) list-virtual_mailbox.tpl - don't include domain in link to vacation.php (no longer needed) git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1172 a1433add-5e2c-0410-b055-b7f2511e0802 --- templates/list-virtual_mailbox.tpl | 2 +- vacation.php | 31 +++++++++++++++--------------- 2 files changed, 17 insertions(+), 16 deletions(-) diff --git a/templates/list-virtual_mailbox.tpl b/templates/list-virtual_mailbox.tpl index a47ba079..99651eca 100644 --- a/templates/list-virtual_mailbox.tpl +++ b/templates/list-virtual_mailbox.tpl @@ -74,7 +74,7 @@ {else} {assign var="v_active" value=$PALANG.pOverview_vacation_option} {/if} - {$v_active} + {$v_active} {/if} {else}   diff --git a/vacation.php b/vacation.php index f49a4a4c..aa4ea48f 100644 --- a/vacation.php +++ b/vacation.php 
@@ -38,25 +38,25 @@ require_once('common.php');
-$SESSID_USERNAME = authentication_get_username();
-$tmp = preg_split ('/@/', $SESSID_USERNAME);
-$USERID_DOMAIN = $tmp[1];
-
 // only allow admins to change someone else's 'stuff'
 if(authentication_has_role('admin')) {
 $Admin_role = 1 ;
+ $fUsername = safeget('username');
+ list(/*NULL*/,$fDomain) = explode('@',$fUsername);
+ $Return_url = "list-virtual.php?domain=" . urlencode($fDomain);
 
- if (isset($_GET['username'])) $fUsername = escape_string ($_GET['username']);
- if (isset($_GET['domain'])) $fDomain = escape_string ($_GET['domain']);
- $Return_url = "list-virtual.php?domain=$fDomain";
+ # TODO: better check for valid username (check if mailbox exists)
+ # TODO: (should be done in VacationHandler)
+ if ($fDomain == '' || !check_owner(authentication_get_username(), $fDomain)) {
+ die("Invalid username!"); # TODO: better error message
+ }
 } else {
 $Admin_role = 0 ;
 # $Return_url = "users/main.php";
 $Return_url = "main.php";
 authentication_require_role('user');
- $fUsername = $SESSID_USERNAME;
- $fDomain = $USERID_DOMAIN;
+ $fUsername = authentication_get_username();
 }
 // is vacation support enabled in $CONF ?
@@ -86,6 +86,7 @@ if ($_SERVER['REQUEST_METHOD'] == "GET") {
 }
 if($vh->check_vacation() and (!$Admin_role)) {
+ # TODO: would also be useful for admins, but needs a text change to include the username
 flash_info($PALANG['pUsersVacation_welcome_text']);
 }
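Review bot: The ownership check built on `list(/*NULL*/,$fDomain) = explode('@',$fUsername);` authorizes against the text between the first two `@` signs only, so a value such as `user@owned.example@other.example` passes `check_owner()` for `owned.example` while the full string is still handed on as the username, and a value with no `@` at all raises an undefined-offset notice before the `$fDomain == ''` test catches it. Requiring exactly one local part and one domain closes both cases: `if (substr_count($fUsername, '@') != 1) die("Invalid username!");` placed before the explode, or `explode('@', $fUsername, 2)` so that any second `@` stays inside `$fDomain` and fails `check_owner()`. The removed lines ran `escape_string()` on the value and `safeget()` appears to return it unescaped; that is harmless only if VacationHandler parameterizes or escapes its queries, which is outside this hunk and worth confirming. The TODO already concedes that the mailbox-existence check is missing, so until it lands this domain test is the only control keeping an admin inside the domains they own, and the strict form above is cheap to have now.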
@@ -141,14 +142,14 @@ if ($_SERVER['REQUEST_METHOD'] == "POST")
 // If NO error then diplay flash message and go back to right url where we came from
 if($error == 0) {
 if(!empty ($fBack)) {
- flash_info(sprintf($PALANG['pVacation_result_removed'],$tUseremail));
- header ("Location: $Return_url");
- exit;
+ flash_info(sprintf($PALANG['pVacation_result_removed'],htmlentities($tUseremail)));
+ header ("Location: $Return_url");
+ exit;
 }
 if(!empty($fChange)) {
- flash_info(sprintf($PALANG['pVacation_result_added'],$tUseremail));
- header ("Location: $Return_url");
- exit;
+ flash_info(sprintf($PALANG['pVacation_result_added'],htmlentities($tUseremail)));
+ header ("Location: $Return_url");
+ exit;
 }
 } else {
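Review bot: Both new `htmlentities($tUseremail)` calls pass no flags and no charset, so under the PHP defaults of this era (ENT_COMPAT, ISO-8859-1) single quotes are left unencoded and non-Latin-1 bytes in an address are mangled or dropped; `htmlentities($tUseremail, ENT_QUOTES, 'UTF-8')` pins both, and the change belongs in both branches of this hunk. Escaping at the point the flash message is built also means the template must not escape flash messages again, or an address containing `&` renders double-encoded — whether the template escapes is not visible here and should be checked against the other `flash_info()` callers. `$tUseremail` is assigned outside this hunk, so whether it is the validated mailbox address or raw request input cannot be confirmed from these lines; if it is raw, the redirect and the message are fine but any use of it in VacationHandler would need the same scrutiny. The two branches differ only in the language key and could share a single `flash_info`/`header`/`exit` tail, but that is cosmetic.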