
[Web] Started work on ACL, fix notifications

andryyy 8 年之前
66ae588445

+ 2 - 1
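--- a/data/web/inc/footer.inc.php
+++ b/data/web/inc/footer.inc.php
@@ -18,7 +18,8 @@ function setLang(sel) {
 
 $(document).ready(function() {
   function mailcow_alert_box(message, type) {
-    $.notify({message: message},{type: type,placement: {from: "bottom",align: "right"},animate: {enter: 'animated fadeInUp',exit: 'animated fadeOutDown'}});
+    msg = $('<span/>').html(message).text();
+    $.notify({message: msg},{type: type,placement: {from: "bottom",align: "right"},animate: {enter: 'animated fadeInUp',exit: 'animated fadeOutDown'}});
   }
   <?php if (isset($_SESSION['return'])): ?>
   mailcow_alert_box("<?= $_SESSION['return']['msg']; ?>",  "<?= $_SESSION['return']['type']; ?>");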
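Review bot: Decoding entities with `$('<span/>').html(message).text()` pushes the message through the HTML parser, so any markup inside it becomes live nodes: jQuery's html() evaluates `<script>` content on that path and image error handlers fire even on a detached element. An inert decode is `var msg = new DOMParser().parseFromString(message, 'text/html').body.textContent;` (this also stops `msg` from being an implicit global). It does not change that the line below still echoes `$_SESSION['return']['msg']` unescaped into a JavaScript string literal, so a message containing a double quote or `</script>` breaks out of it; emitting the value with `json_encode()` instead of `<?= ... ?>` would close that. The enclosing ready() handler continues outside the hunk.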

+ 17 - 0
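--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -218,6 +218,23 @@ function check_login($user, $pass) {
 	}
 	sleep($_SESSION['ldelay']);
 }
+function set_acl() {
+	global $pdo;
+	if (!isset($_SESSION['mailcow_cc_username'])) {
+		return false;
+	}
+	$username = strtolower(trim($_SESSION['mailcow_cc_username']));
+	$stmt = $pdo->prepare("SELECT * FROM `user_acl` WHERE `username` = :username");
+	$stmt->execute(array(':username' => $username));
+	$acl['acl'] = $stmt->fetch(PDO::FETCH_ASSOC);
+  unset($acl['acl']['username']);
+  if (!empty($acl)) {
+    $_SESSION = array_merge($_SESSION, $acl);
+  }
+  else {
+    return false;
+  }
+}
 function formatBytes($size, $precision = 2) {
 	if(!is_numeric($size)) {
 		return "0";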
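Review bot: `if (!empty($acl))` in the new set_acl() can never be false, because `$acl['acl']` has already been assigned even when `fetch()` returned `false` for a user without a `user_acl` row; the `else { return false; }` branch is dead and the session ends up holding `$_SESSION['acl'] = false`, which only fails closed because the callers use `isset()` first. Test the fetch result instead: `$row = $stmt->fetch(PDO::FETCH_ASSOC); if ($row === false) { return false; } unset($row['username']); $_SESSION['acl'] = $row;`. The function also switches from tabs to spaces halfway through and has no header comment; a one-liner such as `// Loads the session user's user_acl row into $_SESSION['acl']; returns false when there is no session user or no row` would document the contract. Note that the mysql PDO driver typically returns these TINYINT columns as strings, which matches the `!= "1"` comparisons in mailbox() but is worth stating here since the JS side compares against numbers.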

+ 74 - 0
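--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -7,6 +7,13 @@ function mailbox($_action, $_type, $_data = null) {
     case 'add':
       switch ($_type) {
         case 'time_limited_alias':
+          if (!isset($_SESSION['acl']['spam_alias']) || $_SESSION['acl']['spam_alias'] != "1" ) {
+            $_SESSION['return'] = array(
+              'type' => 'danger',
+              'msg' => sprintf($lang['danger']['access_denied'])
+            );
+            return false;
+          }
           if (isset($_data['username']) && filter_var($_data['username'], FILTER_VALIDATE_EMAIL)) {
             if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data['username'])) {
               $_SESSION['return'] = array(
@@ -66,6 +73,13 @@ function mailbox($_action, $_type, $_data = null) {
           );
         break;
         case 'syncjob':
+          if (!isset($_SESSION['acl']['syncjobs']) || $_SESSION['acl']['syncjobs'] != "1" ) {
+            $_SESSION['return'] = array(
+              'type' => 'danger',
+              'msg' => sprintf($lang['danger']['access_denied'])
+            );
+            return false;
+          }
           if (isset($_data['username']) && filter_var($_data['username'], FILTER_VALIDATE_EMAIL)) {
             if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data['username'])) {
               $_SESSION['return'] = array(
@@ -743,6 +757,10 @@ function mailbox($_action, $_type, $_data = null) {
               ':domain' => $domain,
               ':active' => $active
             ));
+            $stmt = $pdo->prepare("INSERT INTO `user_acl` (`username`) VALUES (:username)");
+            $stmt->execute(array(
+              ':username' => $username
+            ));
             $_SESSION['return'] = array(
               'type' => 'success',
               'msg' => sprintf($lang['success']['mailbox_added'], htmlspecialchars($username))
@@ -949,6 +967,13 @@ function mailbox($_action, $_type, $_data = null) {
           else {
             $usernames = $_data['username'];
           }
+          if (!isset($_SESSION['acl']['tls_policy']) || $_SESSION['acl']['tls_policy'] != "1" ) {
+            $_SESSION['return'] = array(
+              'type' => 'danger',
+              'msg' => sprintf($lang['danger']['access_denied'])
+            );
+            return false;
+          }
           foreach ($usernames as $username) {
             if (!filter_var($username, FILTER_VALIDATE_EMAIL) || !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) {
               $_SESSION['return'] = array(
@@ -998,6 +1023,13 @@ function mailbox($_action, $_type, $_data = null) {
           else {
             $usernames = $_data['username'];
           }
+          if (!isset($_SESSION['acl']['spam_score']) || $_SESSION['acl']['spam_score'] != "1" ) {
+            $_SESSION['return'] = array(
+              'type' => 'danger',
+              'msg' => sprintf($lang['danger']['access_denied'])
+            );
+            return false;
+          }
           foreach ($usernames as $username) {
             $lowspamlevel	= explode(',', $_data['spam_score'])[0];
             $highspamlevel	= explode(',', $_data['spam_score'])[1];
@@ -1046,6 +1078,13 @@ function mailbox($_action, $_type, $_data = null) {
           );
         break;
         case 'time_limited_alias':
+          if (!isset($_SESSION['acl']['spam_alias']) || $_SESSION['acl']['spam_alias'] != "1" ) {
+            $_SESSION['return'] = array(
+              'type' => 'danger',
+              'msg' => sprintf($lang['danger']['access_denied'])
+            );
+            return false;
+          }
           if (!is_array($_data['address'])) {
             $addresses = array();
             $addresses[] = $_data['address'];
@@ -1103,6 +1142,13 @@ function mailbox($_action, $_type, $_data = null) {
           else {
             $usernames = $_data['username'];
           }
+          if (!isset($_SESSION['acl']['delimiter_action']) || $_SESSION['acl']['delimiter_action'] != "1" ) {
+            $_SESSION['return'] = array(
+              'type' => 'danger',
+              'msg' => sprintf($lang['danger']['access_denied'])
+            );
+            return false;
+          }
           foreach ($usernames as $username) {
             if (!filter_var($username, FILTER_VALIDATE_EMAIL) || !hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) {
               $_SESSION['return'] = array(
@@ -1206,6 +1252,13 @@ function mailbox($_action, $_type, $_data = null) {
           else {
             $ids = $_data['id'];
           }
+          if (!isset($_SESSION['acl']['syncjobs']) || $_SESSION['acl']['syncjobs'] != "1" ) {
+            $_SESSION['return'] = array(
+              'type' => 'danger',
+              'msg' => sprintf($lang['danger']['access_denied'])
+            );
+            return false;
+          }
           foreach ($ids as $id) {
             $is_now = mailbox('get', 'syncjob_details', $id);
             if (!empty($is_now)) {
@@ -2677,6 +2730,13 @@ function mailbox($_action, $_type, $_data = null) {
           else {
             $ids = $_data['id'];
           }
+          if (!isset($_SESSION['acl']['syncjobs']) || $_SESSION['acl']['syncjobs'] != "1" ) {
+            $_SESSION['return'] = array(
+              'type' => 'danger',
+              'msg' => sprintf($lang['danger']['access_denied'])
+            );
+            return false;
+          }
           foreach ($ids as $id) {
             if (!is_numeric($id)) {
               $_SESSION['return'] = array(
@@ -2721,6 +2781,13 @@ function mailbox($_action, $_type, $_data = null) {
           else {
             $addresses = $_data['address'];
           }
+          if (!isset($_SESSION['acl']['spam_alias']) || $_SESSION['acl']['spam_alias'] != "1" ) {
+            $_SESSION['return'] = array(
+              'type' => 'danger',
+              'msg' => sprintf($lang['danger']['access_denied'])
+            );
+            return false;
+          }
           foreach ($addresses as $address) {
             try {
               $stmt = $pdo->prepare("SELECT `goto` FROM `spamalias` WHERE `address` = :address");
@@ -2769,6 +2836,13 @@ function mailbox($_action, $_type, $_data = null) {
           else {
             $usernames = $_data['username'];
           }
+          if (!isset($_SESSION['acl']['eas_reset']) || $_SESSION['acl']['eas_reset'] != "1" ) {
+            $_SESSION['return'] = array(
+              'type' => 'danger',
+              'msg' => sprintf($lang['danger']['access_denied'])
+            );
+            return false;
+          }
           foreach ($usernames as $username) {
             if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) {
               $_SESSION['return'] = array(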
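Review bot: The same seven-line ACL guard is pasted into every hunk of this file except the `user_acl` INSERT, and twice more in functions.policy.inc.php, differing only in the key name; `sprintf($lang['danger']['access_denied'])` with no further arguments is just a string read. Extracting it, e.g. `function hasUserAcl($right) { return isset($_SESSION['acl'][$right]) && $_SESSION['acl'][$right] == "1"; }` used as `if (!hasUserAcl('spam_alias')) { ...access denied... }` at each site, keeps the permission names in one place and makes the next right a one-line addition. The guards run for every caller regardless of `$_SESSION['mailcow_cc_role']`, and since `user_acl.username` is a foreign key to `mailbox.username`, admin and domain-admin sessions presumably have no row and would be denied these actions as well; that should be confirmed against how set_acl() treats those roles. The enclosing `mailbox()` function starts and ends outside every hunk.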

+ 14 - 1
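--- a/data/web/inc/functions.policy.inc.php
+++ b/data/web/inc/functions.policy.inc.php
@@ -1,5 +1,4 @@
 <?php
-
 function policy($_action, $_scope, $_data = null) {
 	global $pdo;
 	global $redis;
@@ -99,6 +98,13 @@ function policy($_action, $_scope, $_data = null) {
             );
             return false;
           }
+          if (!isset($_SESSION['acl']['spam_policy']) || $_SESSION['acl']['spam_policy'] != "1" ) {
+            $_SESSION['return'] = array(
+              'type' => 'danger',
+              'msg' => sprintf($lang['danger']['access_denied'])
+            );
+            return false;
+          }
           if ($_data['object_list'] == "bl") {
             $object_list = "blacklist_from";
           }
@@ -233,6 +239,13 @@ function policy($_action, $_scope, $_data = null) {
           else {
             $prefids = $_data['prefid'];
           }
+          if (!isset($_SESSION['acl']['spam_policy']) || $_SESSION['acl']['spam_policy'] != "1" ) {
+            $_SESSION['return'] = array(
+              'type' => 'danger',
+              'msg' => sprintf($lang['danger']['access_denied'])
+            );
+            return false;
+          }
           foreach ($prefids as $prefid) {
             if (!is_numeric($prefid)) {
               $_SESSION['return'] = array(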

+ 61 - 2
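--- a/data/web/inc/init_db.inc.php
+++ b/data/web/inc/init_db.inc.php
@@ -3,7 +3,7 @@ function init_db_schema() {
   try {
     global $pdo;
 
-    $db_version = "20072107_1029";
+    $db_version = "02082017_0938";
 
     $stmt = $pdo->query("SHOW TABLES LIKE 'versions'"); 
     $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
@@ -127,6 +127,30 @@ function init_db_schema() {
         ),
         "attr" => "ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC"
       ),
+      "user_acl" => array(
+        "cols" => array(
+          "username" => "VARCHAR(255) NOT NULL",
+          "spam_alias" => "TINYINT(1) NOT NULL DEFAULT '1'",
+          "tls_policy" => "TINYINT(1) NOT NULL DEFAULT '1'",
+          "spam_score" => "TINYINT(1) NOT NULL DEFAULT '1'",
+          "spam_policy" => "TINYINT(1) NOT NULL DEFAULT '1'",
+          "delimiter_action" => "TINYINT(1) NOT NULL DEFAULT '1'",
+          "syncjobs" => "TINYINT(1) NOT NULL DEFAULT '1'",
+          "eas_reset" => "TINYINT(1) NOT NULL DEFAULT '1'",
+          "eas_autoconfig" => "TINYINT(1) NOT NULL DEFAULT '1'"
+        ),
+        "keys" => array(
+          "fkey" => array(
+            "fk_username" => array(
+              "col" => "username",
+              "ref" => "mailbox.username",
+              "delete" => "CASCADE",
+              "update" => "NO ACTION"
+            )
+          )
+        ),
+        "attr" => "ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC"
+      ),
       "alias_domain" => array(
         "cols" => array(
           "alias_domain" => "VARCHAR(255) NOT NULL",
@@ -511,6 +535,19 @@ function init_db_schema() {
               $pdo->query("ALTER TABLE `" . $table . "` " . $is_drop . "ADD UNIQUE KEY `" . $key_name . "` (" . $fields . ")");
             }
           }
+          if (strtolower($key_type) == 'fkey') {
+            foreach ($key_content as $key_name => $key_values) {
+              $fields = "`" . implode("`, `", $key_values) . "`";
+              $stmt = $pdo->query("SHOW KEYS FROM `" . $table . "` WHERE Key_name = '" . $key_name . "'"); 
+              $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
+              if ($num_results != 0) {
+                $pdo->query("ALTER TABLE `" . $table . "` DROP FOREIGN KEY `" . $key_name . "`");
+              }
+              @list($table_ref, $field_ref) = explode('.', $key_values['ref']);
+              $pdo->query("ALTER TABLE `" . $table . "` ADD FOREIGN KEY `" . $key_name . "` (" . $key_values['col'] . ") REFERENCES `" . $table_ref . "` (`" . $field_ref . "`)
+                ON DELETE " . $key_values['delete'] . " ON UPDATE " . $key_values['update']);
+            }
+          }
         }
         // Drop all vanished columns
         $stmt = $pdo->query("SHOW COLUMNS FROM `" . $table . "`"); 
@@ -535,10 +572,21 @@ function init_db_schema() {
              $keys_to_exist[] = $key_name;
           }
         }
+        // Index for foreign key must exist
+        if (isset($properties['keys']['fkey']) && is_array($properties['keys']['fkey'])) {
+          foreach ($properties['keys']['fkey'] as $key_name => $key_values) {
+             $keys_to_exist[] = $key_name;
+          }
+        }
         // Step 2: Drop all vanished indexes
         while ($row = array_shift($keys_in_table)) {
           if (!in_array($row['Key_name'], $keys_to_exist)) {
-            $pdo->query("ALTER TABLE `" . $table . "` DROP INDEX `" . $row['Key_name'] . "`");
+            try {
+              $pdo->query("ALTER TABLE `" . $table . "` DROP FOREIGN KEY `" . $row['Key_name'] . "`");
+            }
+            finally {
+              $pdo->query("ALTER TABLE `" . $table . "` DROP INDEX `" . $row['Key_name'] . "`");
+            }
           }
         }
         // Step 3: Drop all vanished primary keys
@@ -575,6 +623,14 @@ function init_db_schema() {
               $sql .= "UNIQUE KEY `" . $key_name . "` (" . $fields . ")" . ",";
             }
           }
+          elseif (strtolower($key_type) == 'fkey') {
+            foreach ($key_content as $key_name => $key_values) {
+              @list($table_ref, $field_ref) = explode('.', $key_values['ref']);
+              $fields = "`" . implode("`, `", $key_values) . "`";
+              $sql .= "FOREIGN KEY `" . $key_name . "` (" . $key_values['col'] . ") REFERENCES `" . $table_ref . "` (`" . $field_ref . "`)
+                ON DELETE " . $key_values['delete'] . " ON UPDATE " . $key_values['update'] . ",";
+            }
+          }
         }
         $sql = rtrim($sql, ",");
         $sql .= ") " . $properties['attr'];
@@ -606,6 +662,9 @@ function init_db_schema() {
       'type' => 'success',
       'msg' => 'Database initialisation completed'
     );
+
+    // Fix user_acl
+    $stmt = $pdo->query("INSERT INTO `user_acl` (`username`) SELECT `username` FROM `mailbox` WHERE `kind` = '' AND NOT EXISTS (SELECT `username` FROM `user_acl`);");
   }
   catch (PDOException $e) {
     $_SESSION['return'] = array(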
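Review bot: The `// Fix user_acl` backfill in the last hunk uses an uncorrelated `NOT EXISTS (SELECT username FROM user_acl)`, so it inserts rows only while `user_acl` is completely empty; once a single row exists, mailboxes that still lack one (or any created outside mailbox()'s new INSERT) never get an ACL row and are denied by the new checks. Correlate it on the username: `... WHERE kind = '' AND NOT EXISTS (SELECT 1 FROM user_acl WHERE user_acl.username = mailbox.username)`. In the "Drop all vanished indexes" hunk, `try { DROP FOREIGN KEY } finally { DROP INDEX }` has no `catch`, so if `$pdo` runs with `ERRMODE_EXCEPTION` (the outer `catch (PDOException $e)` suggests it does) the expected failure for an ordinary index re-throws after the `finally` body and aborts the whole schema update; catch `PDOException` there and discard it before dropping the index. The `$fields` built from `implode("`, `", $key_values)` in both fkey branches is never used and would concatenate the `ref`/`delete`/`update` values, so it should go, and the `@list(...)` suppression hides a malformed `ref` instead of reporting it. init_db_schema() starts and ends outside the hunks.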

+ 3 - 0
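--- a/data/web/inc/prerequisites.inc.php
+++ b/data/web/inc/prerequisites.inc.php
@@ -70,3 +70,6 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.fail2ban.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/init_db.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/triggers.inc.php';
 init_db_schema();
+if (isset($_SESSION['mailcow_cc_role'])) {
+  set_acl();
+}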
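Review bot: `set_acl()` is invoked for every session that carries a `mailcow_cc_role`, but the `user_acl` table this commit adds is keyed by `mailbox.username` through a foreign key, so admin and domain-admin sessions presumably find no row and are left with `$_SESSION['acl'] = false`; combined with the unconditional guards added to mailbox() and policy() that would lock those roles out of syncjobs, TLS policy and the other guarded actions — confirm how those roles are meant to be treated. If the rights are meant for mailbox users only, gate the call on the role, e.g. `if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == 'user') { set_acl(); }`, and have the guards skip non-user roles. The return value is discarded here, so a comment such as `// no user_acl row means no rights: every ACL check in mailbox()/policy() then fails closed` would make the intended fail-closed behaviour explicit.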

+ 29 - 9
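--- a/data/web/js/user.js
+++ b/data/web/js/user.js
@@ -34,6 +34,8 @@ jQuery(function($){
     var date = new Date(tm ? tm * 1000 : 0);
     return date.toLocaleString();
   }
+  acl_data = JSON.parse(acl);
+
   function draw_tla_table() {
     ft_tla_table = FooTable.init('#tla_table', {
       "columns": [
@@ -52,10 +54,16 @@ jQuery(function($){
         },
         success: function (data) {
           $.each(data, function (i, item) {
-            item.action = '<div class="btn-group">' +
-              '<a href="#" id="delete_selected" data-id="single-tla" data-api-url="delete/time_limited_alias" data-item="' + encodeURI(item.address) + '" class="btn btn-xs btn-danger"><span class="glyphicon glyphicon-trash"></span> ' + lang.remove + '</a>' +
-              '</div>';
-            item.chkbox = '<input type="checkbox" data-id="tla" name="multi_select" value="' + item.address + '" />';
+            if (acl_data.spam_alias === 1) {
+              item.action = '<div class="btn-group">' +
+                '<a href="#" id="delete_selected" data-id="single-tla" data-api-url="delete/time_limited_alias" data-item="' + encodeURI(item.address) + '" class="btn btn-xs btn-danger"><span class="glyphicon glyphicon-trash"></span> ' + lang.remove + '</a>' +
+                '</div>';
+              item.chkbox = '<input type="checkbox" data-id="tla" name="multi_select" value="' + item.address + '" />';
+            }
+            else {
+              item.chkbox = '<input type="checkbox" disabled />';
+              item.action = '<span>-</span>';
+            }
           });
         }
       }),
@@ -97,11 +105,17 @@ jQuery(function($){
             item.log = '<a href="#logModal" data-toggle="modal" data-log-text="' + escapeHtml(item.returned_text) + '">Open logs</a>'
             item.exclude = '<code>' + item.exclude + '</code>'
             item.server_w_port = item.user1 + '@' + item.host1 + ':' + item.port1;
-            item.action = '<div class="btn-group">' +
-              '<a href="/edit.php?syncjob=' + item.id + '" class="btn btn-xs btn-default"><span class="glyphicon glyphicon-pencil"></span> ' + lang.edit + '</a>' +
-              '<a href="#" id="delete_selected" data-id="single-syncjob" data-api-url="delete/syncjob" data-item="' + encodeURI(item.id) + '" class="btn btn-xs btn-danger"><span class="glyphicon glyphicon-trash"></span> ' + lang.remove + '</a>' +
-              '</div>';
-            item.chkbox = '<input type="checkbox" data-id="syncjob" name="multi_select" value="' + item.id + '" />';
+            if (acl_data.syncjobs === 1) {
+              item.action = '<div class="btn-group">' +
+                '<a href="/edit.php?syncjob=' + item.id + '" class="btn btn-xs btn-default"><span class="glyphicon glyphicon-pencil"></span> ' + lang.edit + '</a>' +
+                '<a href="#" id="delete_selected" data-id="single-syncjob" data-api-url="delete/syncjob" data-item="' + encodeURI(item.id) + '" class="btn btn-xs btn-danger"><span class="glyphicon glyphicon-trash"></span> ' + lang.remove + '</a>' +
+                '</div>';
+              item.chkbox = '<input type="checkbox" data-id="syncjob" name="multi_select" value="' + item.id + '" />';
+            }
+            else {
+              item.action = '<span>-</span>';
+              item.chkbox = '<input type="checkbox" disabled />';
+            }
           });
         }
       }),
@@ -139,6 +153,9 @@ jQuery(function($){
             else {
               item.chkbox = '<input type="checkbox" disabled title="' + lang.spamfilter_table_domain_policy + '" />';
             }
+            if (acl_data.spam_policy === 0) {
+              item.chkbox = '<input type="checkbox" disabled />';
+            }
           });
         }
       }),
@@ -176,6 +193,9 @@ jQuery(function($){
             else {
               item.chkbox = '<input type="checkbox" disabled tooltip="' + lang.spamfilter_table_domain_policy + '" />';
             }
+            if (acl_data.spam_policy === 0) {
+              item.chkbox = '<input type="checkbox" disabled />';
+            }
           });
         }
       }),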
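Review bot: The new `acl_data.spam_alias === 1`, `acl_data.syncjobs === 1` and `acl_data.spam_policy === 0` checks are strict comparisons against numbers, but `acl_data` is `JSON.parse(acl)` of a row that set_acl() fetched through PDO, which on the mysql driver typically returns TINYINT columns as strings (`"1"`) unless emulated prepares are turned off — in that case the `=== 1` branches never run and both tables render read-only for everyone, while the `=== 0` check never disables anything. Either encode the flags as integers on the PHP side or normalise once after parsing, e.g. `var acl_data = JSON.parse(acl) || {}; Object.keys(acl_data).forEach(function (k) { acl_data[k] = Number(acl_data[k]); });`. `acl_data` is assigned without `var` and `acl` is not defined anywhere in this diff, so both are implicit globals; declaring `acl_data` locally keeps it inside this ready() callback and documents where `acl` is expected to come from. If `acl` is the JSON encoding of `$_SESSION['acl']` and that value is `false` (set_acl() stores it for users without a row), the property reads yield `undefined` and the UI stays disabled, which is consistent with the server-side denial but worth a one-line comment at the parse site.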

+ 54 - 8
data/web/user.php

@@ -78,7 +78,8 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
   </div>
   </div>
   <hr>
   <hr>
   <?php // Get user information about aliases
   <?php // Get user information about aliases
-  $user_get_alias_details = user_get_alias_details($username);?>
+  $user_get_alias_details = user_get_alias_details($username);
+  ?>
   <div class="row">
   <div class="row">
     <div class="col-md-3 col-xs-5 text-right"><?=$lang['user']['aliases'];?>:</div>
     <div class="col-md-3 col-xs-5 text-right"><?=$lang['user']['aliases'];?>:</div>
     <div class="col-md-9 col-xs-7">
     <div class="col-md-9 col-xs-7">
@@ -121,9 +122,12 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
       <p><?=formatBytes($mailboxdata['quota_used'], 2);?> / <?=formatBytes($mailboxdata['quota'], 2);?>, <?=$mailboxdata['messages'];?> <?=$lang['user']['messages'];?></p>
       <p><?=formatBytes($mailboxdata['quota_used'], 2);?> / <?=formatBytes($mailboxdata['quota'], 2);?>, <?=$mailboxdata['messages'];?> <?=$lang['user']['messages'];?></p>
     </div>
     </div>
   </div>
   </div>
-  <hr>
-  <?php // Show tagging options ?>
-  <?php $get_tagging_options = mailbox('get', 'delimiter_action', $username);?>
+  <?php
+  ($_SESSION['acl']['delimiter_action'] == 0 && $_SESSION['acl']['delimiter_action'] == 0 && $_SESSION['acl']['delimiter_action'] == 0) ? null : '<hr>';
+  // Show tagging options
+  if ($_SESSION['acl']['delimiter_action'] == 1):
+  $get_tagging_options = mailbox('get', 'delimiter_action', $username);
+  ?>
   <div class="row">
   <div class="row">
     <div class="col-md-3 col-xs-5 text-right"><?=$lang['user']['tag_handling'];?>:</div>
     <div class="col-md-3 col-xs-5 text-right"><?=$lang['user']['tag_handling'];?>:</div>
     <div class="col-md-9 col-xs-7">
     <div class="col-md-9 col-xs-7">
@@ -148,8 +152,12 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
     <p class="help-block"><?=$lang['user']['tag_help_example'];?></p>
     <p class="help-block"><?=$lang['user']['tag_help_example'];?></p>
     </div>
     </div>
   </div>
   </div>
-  <?php // Show TLS policy options ?>
-  <?php $get_tls_policy = mailbox('get', 'tls_policy', $username); ?>
+  <?php
+  endif;
+  // Show TLS policy options
+  if ($_SESSION['acl']['tls_policy'] == 1):
+  $get_tls_policy = mailbox('get', 'tls_policy', $username);
+  ?>
   <div class="row">
   <div class="row">
     <div class="col-md-3 col-xs-5 text-right"><?=$lang['user']['tls_policy'];?>:</div>
     <div class="col-md-3 col-xs-5 text-right"><?=$lang['user']['tls_policy'];?>:</div>
     <div class="col-md-9 col-xs-7">
     <div class="col-md-9 col-xs-7">
@@ -173,7 +181,11 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
     <p class="help-block"><?=$lang['user']['tls_policy_warning'];?></p>
     <p class="help-block"><?=$lang['user']['tls_policy_warning'];?></p>
     </div>
     </div>
   </div>
   </div>
-  <?php // Rest EAS devices ?>
+  <?php
+  endif;
+  // Rest EAS devices
+  if ($_SESSION['acl']['eas_reset'] == 1):
+  ?>
   <div class="row">
   <div class="row">
     <div class="col-md-3 col-xs-5 text-right"><?=$lang['user']['eas_reset'];?>:</div>
     <div class="col-md-3 col-xs-5 text-right"><?=$lang['user']['eas_reset'];?>:</div>
     <div class="col-md-9 col-xs-7">
     <div class="col-md-9 col-xs-7">
@@ -181,6 +193,9 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
     <p class="help-block"><?=$lang['user']['eas_reset_help'];?></p>
     <p class="help-block"><?=$lang['user']['eas_reset_help'];?></p>
     </div>
     </div>
   </div>
   </div>
+  <?php
+  endif;
+  ?>
 </div>
 </div>
 </div>
 </div>
 
 
@@ -201,6 +216,9 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
         </div>
         </div>
       </div>
       </div>
 		</div>
 		</div>
+    <?php
+    if ($_SESSION['acl']['spam_alias'] == 1):
+    ?>
     <div class="mass-actions-user">
     <div class="mass-actions-user">
       <div class="btn-group">
       <div class="btn-group">
         <div class="btn-group">
         <div class="btn-group">
@@ -224,6 +242,9 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
         </div>
         </div>
       </div>
       </div>
     </div>
     </div>
+    <?php
+    endif;
+    ?>
 	</div>
 	</div>
 
 
 	<div role="tabpanel" class="tab-pane" id="Spamfilter">
 	<div role="tabpanel" class="tab-pane" id="Spamfilter">
@@ -251,7 +272,10 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
 					<p><?=$lang['user']['spamfilter_hint'];?></p>
 					<p><?=$lang['user']['spamfilter_hint'];?></p>
 				</div>
 				</div>
 			</div>
 			</div>
-			<div class="form-group">
+      <?php
+      if ($_SESSION['acl']['spam_score'] == 1):
+      ?>
+      <div class="form-group">
 				<div class="col-sm-offset-2 col-sm-10">
 				<div class="col-sm-offset-2 col-sm-10">
         <button type="button" class="btn btn-sm btn-success" id="edit_selected"
         <button type="button" class="btn btn-sm btn-success" id="edit_selected"
           data-item="<?= $username; ?>"
           data-item="<?= $username; ?>"
@@ -260,6 +284,9 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
           data-api-attr='{}'><?=$lang['user']['save_changes'];?></button>
           data-api-attr='{}'><?=$lang['user']['save_changes'];?></button>
 				</div>
 				</div>
 			</div>
 			</div>
+      <?php
+      endif;
+      ?>
 		</form>
 		</form>
 		<hr>
 		<hr>
 		<div class="row">
 		<div class="row">
@@ -269,6 +296,9 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
         <div class="table-responsive">
         <div class="table-responsive">
           <table class="table table-striped table-condensed" id="wl_policy_mailbox_table"></table>
           <table class="table table-striped table-condensed" id="wl_policy_mailbox_table"></table>
         </div>
         </div>
+        <?php
+        if ($_SESSION['acl']['spam_policy'] == 1):
+        ?>
         <div class="mass-actions-user">
         <div class="mass-actions-user">
           <div class="btn-group">
           <div class="btn-group">
             <a class="btn btn-sm btn-default" id="toggle_multi_select_all" data-id="policy_wl_mailbox" href="#"><span class="glyphicon glyphicon-check" aria-hidden="true"></span> <?=$lang['mailbox']['toggle_all'];?></a>
             <a class="btn btn-sm btn-default" id="toggle_multi_select_all" data-id="policy_wl_mailbox" href="#"><span class="glyphicon glyphicon-check" aria-hidden="true"></span> <?=$lang['mailbox']['toggle_all'];?></a>
@@ -284,6 +314,9 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
             </span>
             </span>
           </div>
           </div>
         </form>
         </form>
+        <?php
+        endif;
+        ?>
       </div>
       </div>
 			<div class="col-sm-6">
 			<div class="col-sm-6">
 				<h4><?=$lang['user']['spamfilter_bl'];?></h4>
 				<h4><?=$lang['user']['spamfilter_bl'];?></h4>
@@ -291,6 +324,9 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
         <div class="table-responsive">
         <div class="table-responsive">
           <table class="table table-striped table-condensed" id="bl_policy_mailbox_table"></table>
           <table class="table table-striped table-condensed" id="bl_policy_mailbox_table"></table>
         </div>
         </div>
+        <?php
+        if ($_SESSION['acl']['spam_policy'] == 1):
+        ?>
         <div class="mass-actions-user">
         <div class="mass-actions-user">
           <div class="btn-group">
           <div class="btn-group">
             <a class="btn btn-sm btn-default" id="toggle_multi_select_all" data-id="policy_bl_mailbox" href="#"><span class="glyphicon glyphicon-check" aria-hidden="true"></span> <?=$lang['mailbox']['toggle_all'];?></a>
             <a class="btn btn-sm btn-default" id="toggle_multi_select_all" data-id="policy_bl_mailbox" href="#"><span class="glyphicon glyphicon-check" aria-hidden="true"></span> <?=$lang['mailbox']['toggle_all'];?></a>
@@ -308,6 +344,9 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
             </span>
             </span>
           </div>
           </div>
         </form>
         </form>
+        <?php
+        endif;
+        ?>
       </div>
       </div>
     </div>
     </div>
   </div>
   </div>
@@ -316,6 +355,9 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
 		<div class="table-responsive">
 		<div class="table-responsive">
       <table class="table table-striped" id="sync_job_table"></table>
       <table class="table table-striped" id="sync_job_table"></table>
 		</div>
 		</div>
+    <?php
+    if ($_SESSION['acl']['syncjobs'] == 1):
+    ?>
     <div class="mass-actions-user">
     <div class="mass-actions-user">
       <div class="btn-group">
       <div class="btn-group">
         <a class="btn btn-sm btn-default" id="toggle_multi_select_all" data-id="syncjob" href="#"><span class="glyphicon glyphicon-check" aria-hidden="true"></span> <?=$lang['mailbox']['toggle_all'];?></a>
         <a class="btn btn-sm btn-default" id="toggle_multi_select_all" data-id="syncjob" href="#"><span class="glyphicon glyphicon-check" aria-hidden="true"></span> <?=$lang['mailbox']['toggle_all'];?></a>
@@ -329,6 +371,9 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
         <a class="btn btn-sm btn-success" href="#" data-toggle="modal" data-target="#addSyncJobModal"><span class="glyphicon glyphicon-plus"></span> <?=$lang['user']['create_syncjob'];?></a>
         <a class="btn btn-sm btn-success" href="#" data-toggle="modal" data-target="#addSyncJobModal"><span class="glyphicon glyphicon-plus"></span> <?=$lang['user']['create_syncjob'];?></a>
       </div>
       </div>
     </div>
     </div>
+    <?php
+    endif;
+    ?>
 		</div>
 		</div>
 	</div>
 	</div>
 
 
@@ -343,6 +388,7 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/modals/user.php';
 <?php
 <?php
 $lang_user = json_encode($lang['user']);
 $lang_user = json_encode($lang['user']);
 echo "var lang = ". $lang_user . ";\n";
 echo "var lang = ". $lang_user . ";\n";
+echo "var acl = '". json_encode($_SESSION['acl']) . "';\n";
 echo "var csrf_token = '". $_SESSION['CSRF']['TOKEN'] . "';\n";
 echo "var csrf_token = '". $_SESSION['CSRF']['TOKEN'] . "';\n";
 echo "var mailcow_cc_username = '". $_SESSION['mailcow_cc_username'] . "';\n";
 echo "var mailcow_cc_username = '". $_SESSION['mailcow_cc_username'] . "';\n";
 echo "var pagination_size = '". $PAGINATION_SIZE . "';\n";
 echo "var pagination_size = '". $PAGINATION_SIZE . "';\n";