From 4289c24290aed4e2b045df9872fdc63867b9f3b3 Mon Sep 17 00:00:00 2001
From: ftimme <ft@falkotimme.com>
Date: Tue, 06 Aug 2013 17:09:16 -0400
Subject: [PATCH] - Added checks if destination email belongs to user (email alias form and fetchmail/getmail form).

---
 interface/web/mail/mail_alias_edit.php |    6 ++++++
 interface/lib/lang/en.lng              |    1 +
 interface/web/mail/mail_get_edit.php   |    6 ++++++
 interface/lib/lang/de.lng              |    1 +
 4 files changed, 14 insertions(+), 0 deletions(-)

diff --git a/interface/lib/lang/de.lng b/interface/lib/lang/de.lng
index e005485..2c5f462 100644
--- a/interface/lib/lang/de.lng
+++ b/interface/lib/lang/de.lng
@@ -132,4 +132,5 @@
 $wb['datalog_status_d_web_folder_user'] = 'Verzeichnisschutz Benutzer löschen';
 $wb['login_as_txt'] = 'Anmelden als';
 $wb["no_domain_perm"] = 'Sie haben keine Berechtigung für diese Domain.';
+$wb["no_destination_perm"] = 'Sie haben keine Berechtigung für dieses Ziel.';
 ?>
diff --git a/interface/lib/lang/en.lng b/interface/lib/lang/en.lng
index ccda5b7..47b6115 100644
--- a/interface/lib/lang/en.lng
+++ b/interface/lib/lang/en.lng
@@ -134,4 +134,5 @@
 
 $wb['login_as_txt'] = 'Log in as';
 $wb["no_domain_perm"] = 'You have no permission for this domain.';
+$wb["no_destination_perm"] = 'You have no permission for this destination.';
 ?>
diff --git a/interface/web/mail/mail_alias_edit.php b/interface/web/mail/mail_alias_edit.php
index b7219d7..bb96a7e 100644
--- a/interface/web/mail/mail_alias_edit.php
+++ b/interface/web/mail/mail_alias_edit.php
@@ -98,6 +98,12 @@
 		$domain = $app->db->queryOneRecord("SELECT server_id, domain FROM mail_domain WHERE domain = '".$app->db->quote($app->functions->idn_encode($_POST["email_domain"]))."' AND ".$app->tform->getAuthSQL('r'));
 		if($domain["domain"] != $app->functions->idn_encode($_POST["email_domain"])) $app->tform->errorMessage .= $app->tform->wordbook["no_domain_perm"];
 		
+		//* Check if destination email belongs to user
+		if(isset($_POST["destination"])) {
+			$email = $app->db->queryOneRecord("SELECT email FROM mail_user WHERE email = '".$app->db->quote($app->functions->idn_encode($_POST["destination"]))."' AND ".$app->tform->getAuthSQL('r'));
+			if($email["email"] != $app->functions->idn_encode($_POST["destination"])) $app->tform->errorMessage .= $app->tform->lng("no_destination_perm");
+		}
+		
 		// Check the client limits, if user is not the admin
 		if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
 			// Get the limits of the client
diff --git a/interface/web/mail/mail_get_edit.php b/interface/web/mail/mail_get_edit.php
index 41434c0..cd7741b 100644
--- a/interface/web/mail/mail_get_edit.php
+++ b/interface/web/mail/mail_get_edit.php
@@ -69,6 +69,12 @@
 	function onSubmit() {
 		global $app, $conf;
 		
+		//* Check if destination email belongs to user
+		if(isset($_POST["destination"])) {
+			$email = $app->db->queryOneRecord("SELECT email FROM mail_user WHERE email = '".$app->db->quote($app->functions->idn_encode($_POST["destination"]))."' AND ".$app->tform->getAuthSQL('r'));
+			if($email["email"] != $app->functions->idn_encode($_POST["destination"])) $app->tform->errorMessage .= $app->tform->lng("no_destination_perm");
+		}
+		
 		// Check the client limits, if user is not the admin
 		if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
 			// Get the limits of the client

--
Gitblit v1.9.1