From 4289c24290aed4e2b045df9872fdc63867b9f3b3 Mon Sep 17 00:00:00 2001
From: ftimme <ft@falkotimme.com>
Date: Tue, 06 Aug 2013 17:09:16 -0400
Subject: [PATCH] - Added checks if destination email belongs to user (email alias form and fetchmail/getmail form).

---
 interface/web/mail/mail_alias_edit.php |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/interface/web/mail/mail_alias_edit.php b/interface/web/mail/mail_alias_edit.php
index b7219d7..bb96a7e 100644
--- a/interface/web/mail/mail_alias_edit.php
+++ b/interface/web/mail/mail_alias_edit.php
@@ -98,6 +98,12 @@
 		$domain = $app->db->queryOneRecord("SELECT server_id, domain FROM mail_domain WHERE domain = '".$app->db->quote($app->functions->idn_encode($_POST["email_domain"]))."' AND ".$app->tform->getAuthSQL('r'));
 		if($domain["domain"] != $app->functions->idn_encode($_POST["email_domain"])) $app->tform->errorMessage .= $app->tform->wordbook["no_domain_perm"];
 		
+		//* Check if destination email belongs to user
+		if(isset($_POST["destination"])) {
+			$email = $app->db->queryOneRecord("SELECT email FROM mail_user WHERE email = '".$app->db->quote($app->functions->idn_encode($_POST["destination"]))."' AND ".$app->tform->getAuthSQL('r'));
+			if($email["email"] != $app->functions->idn_encode($_POST["destination"])) $app->tform->errorMessage .= $app->tform->lng("no_destination_perm");
+		}
+		
 		// Check the client limits, if user is not the admin
 		if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
 			// Get the limits of the client
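Review bot: The ownership test on the added line `if($email["email"] != $app->functions->idn_encode($_POST["destination"]))` compares loosely against a lookup that may have found no row, so an empty `destination` can pass: a missing row gives null for `$email["email"]`, and `null != ""` is false in PHP (assuming `idn_encode` returns an empty string for empty input). Test the lookup result explicitly and compare strictly, e.g. `$dest = $app->functions->idn_encode($_POST["destination"]);` followed by `if(!$email || $email["email"] !== $dest) $app->tform->errorMessage .= $app->tform->lng("no_destination_perm");`. The check is also skipped entirely when `destination` is absent from the POST, so it depends on later validation, not visible here, to require the field. `getAuthSQL('r')` looks like a read-permission filter rather than an ownership test, so the comment `//* Check if destination email belongs to user` should state which rule is intended. The enclosing method starts and ends outside the hunk.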

--
Gitblit v1.9.1