list-virtual.php

- add in_array check to avoid that superadmins can enter invalid domains
- the check_owner check is probably obsolete after this change. I left it
  in (with a clear message) until I'm 100% sure that it's really unneeded.
- move sticky domain code below error checking - the session should only
  include valid domains ;-)


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@779 a1433add-5e2c-0410-b055-b7f2511e0802

list-virtual.php

@@ -62,12 +62,6 @@ else
    $search = escape_string(safepost('search'));
 }
 
-// store fDomain in $_SESSION so after adding/editing aliases/mailboxes we can
-// take the user back to the appropriate domain listing. (see templates/menu.php)
-if($fDomain) {
-    $_SESSION['list_virtual_sticky_domain'] = $fDomain;
-}
-
 if (count($list_domains) == 0) {
 #   die("no domains");
    flash_error( $PALANG['invalid_parameter'] );
@@ -77,13 +71,24 @@ if (count($list_domains) == 0) {
 
 if ((is_array ($list_domains) and sizeof ($list_domains) > 0)) if (empty ($fDomain)) $fDomain = $list_domains[0];
 
-if (!check_owner(authentication_get_username(), $fDomain)) {
-#   die($PALANG['invalid_parameter']);
+if(!in_array($fDomain, $list_domains)) {
    flash_error( $PALANG['invalid_parameter'] );
+   header("Location: list-domain.php"); # invalid domain, or not owned by this admin
+   exit;
+}
+
+if (!check_owner(authentication_get_username(), $fDomain)) { 
+   flash_error( $PALANG['invalid_parameter'] . " If you see this message, please open a bugreport"); # this check is most probably obsoleted by the in_array() check above
    header("Location: list-domain.php"); # domain not owned by this admin
    exit(0);
 }
 
+// store fDomain in $_SESSION so after adding/editing aliases/mailboxes we can
+// take the user back to the appropriate domain listing. (see templates/menu.php)
+if($fDomain) {
+    $_SESSION['list_virtual_sticky_domain'] = $fDomain;
+}
+
 #
 # alias domain
 #