[Web] r/o API keys, Pushover integration (can be limited by ACL), other minor changes

data/web/admin.php

@@ -81,8 +81,8 @@ if (!isset($_SESSION['gal']) && $license_cache = $redis->Get('LICENSE_STATUS_CAC
           </div>
         </div>
 
-        <legend data-target="#license" class="arrow-toggle" unselectable="on" data-toggle="collapse">
-          <span style="font-size:12px" class="arrow rotate glyphicon glyphicon-menu-down"></span> <?=$lang['admin']['guid_and_license'];?>
+        <legend style="cursor:pointer;" data-target="#license" class="arrow-toggle" unselectable="on" data-toggle="collapse">
+          <span style="font-size:12px" class="arrow rotate glyphicon glyphicon-menu-up"></span> <?=$lang['admin']['guid_and_license'];?>
         </legend>
         <div id="license" class="collapse in">
         <form class="form-horizontal" autocapitalize="none" autocorrect="off" role="form" method="post">
@@ -113,53 +113,112 @@ if (!isset($_SESSION['gal']) && $license_cache = $redis->Get('LICENSE_STATUS_CAC
         </form>
         </div>
 
-        <legend data-target="#api" class="arrow-toggle" unselectable="on" data-toggle="collapse">
-          <span style="font-size:12px" class="arrow rotate glyphicon glyphicon-menu-down"></span> API
+        <legend style="margin-top:20px">
+          <span style="font-size:12px" class="arrow rotate glyphicon glyphicon-wrench"></span> API
         </legend>
         <?php
-        $api = admin_api('get');
+        $api_ro = admin_api('ro', 'get');
+        $api_rw = admin_api('rw', 'get');
         ?>
-        <div id="api" class="collapse">
-        <form class="form-horizontal" autocapitalize="none" autocorrect="off" role="form" method="post">
-          <div class="form-group">
-            <label class="control-label col-sm-3" for="allow_from"><?=$lang['admin']['api_allow_from'];?>:</label>
-            <div class="col-sm-9">
-              <textarea class="form-control" rows="5" name="allow_from" id="allow_from" <?=($api['skip_ip_check'] == 1) ? 'disabled' : null;?> required><?=htmlspecialchars($api['allow_from']);?></textarea>
-            </div>
-          </div>
-          <div class="form-group">
-            <div class="col-sm-offset-3 col-sm-9">
-              <label>
-                <input type="checkbox" id="skip_ip_check" name="skip_ip_check" <?=($api['skip_ip_check'] == 1) ? 'checked' : null;?>> <?=$lang['admin']['api_skip_ip_check'];?>
-              </label>
+        <div class="panel-group" id="accordion">
+          <div class="panel panel-default">
+            <div class="panel-heading">
+              <h4 class="panel-title">
+                <a data-toggle="collapse" data-parent="#accordion" href="#api-ro">
+                ⇇ Read-Only Access</a>
+              </h4>
             </div>
-          </div>
-          <div class="form-group">
-            <label class="control-label col-sm-3" for="admin_api_key"><?=$lang['admin']['api_key'];?>:</label>
-            <div class="col-sm-9">
-              <div class="input-group">
-                <span class="input-group-addon">Read-Write</span>
-                <input type="text" class="form-control" placeholder="-" value="<?=htmlspecialchars($api['api_key']);?>" readonly>
+            <div id="api-ro" class="panel-collapse collapse">
+              <div class="panel-body">
+                <form class="form-horizontal" autocapitalize="none" autocorrect="off" role="form" method="post">
+                  <div class="form-group">
+                    <label class="control-label col-sm-3" for="allow_from_ro"><?=$lang['admin']['api_allow_from'];?>:</label>
+                    <div class="col-sm-9">
+                      <textarea class="form-control" rows="2" name="allow_from" id="allow_from_ro" <?=($api_ro['skip_ip_check'] == 1) ? 'disabled' : null;?> required><?=htmlspecialchars($api_ro['allow_from']);?></textarea>
+                    </div>
+                  </div>
+                  <div class="form-group">
+                    <div class="col-sm-offset-3 col-sm-9">
+                      <label>
+                        <input type="checkbox" name="skip_ip_check" id="skip_ip_check_ro" <?=($api_ro['skip_ip_check'] == 1) ? 'checked' : null;?>> <?=$lang['admin']['api_skip_ip_check'];?>
+                      </label>
+                    </div>
+                  </div>
+                  <div class="form-group">
+                    <label class="control-label col-sm-3"><?=$lang['admin']['api_key'];?>:</label>
+                    <div class="col-sm-9">
+                      <pre><?=(empty(htmlspecialchars($api_ro['api_key']))) ? '-' : htmlspecialchars($api_ro['api_key']);?></pre>
+                    </div>
+                  </div>
+                  <div class="form-group">
+                    <div class="col-sm-offset-3 col-sm-9">
+                      <label>
+                        <input type="checkbox" name="active" <?=($api_ro['active'] == 1) ? 'checked' : null;?>> <?=$lang['admin']['activate_api'];?>
+                      </label>
+                    </div>
+                  </div>
+                  <div class="form-group">
+                    <div class="col-sm-offset-3 col-sm-9">
+                      <p class="help-block"><?=$lang['admin']['api_info'];?></p>
+                      <div class="btn-group">
+                        <button class="btn btn-sm btn-default" name="admin_api[ro]" type="submit" href="#"><span class="glyphicon glyphicon-check"></span> <?=$lang['admin']['save'];?></button>
+                        <button class="btn btn-sm btn-primary" name="admin_api_regen_key[ro]" type="submit" href="#"><?=$lang['admin']['regen_api_key'];?></button>
+                      </div>
+                    </div>
+                  </div>
+                </form>
               </div>
             </div>
           </div>
-          <div class="form-group">
-            <div class="col-sm-offset-3 col-sm-9">
-              <label>
-                <input type="checkbox" name="active" <?=($api['active'] == 1) ? 'checked' : null;?>> <?=$lang['admin']['activate_api'];?>
-              </label>
+          <div class="panel panel-default">
+            <div class="panel-heading">
+              <h4 class="panel-title">
+                <a data-toggle="collapse" data-parent="#accordion" href="#api-rw">
+                ⇄ Read-Write Access</a>
+              </h4>
             </div>
-          </div>
-          <div class="form-group">
-            <div class="col-sm-offset-3 col-sm-9">
-              <p class="help-block"><?=$lang['admin']['api_info'];?></p>
-              <div class="btn-group">
-                <button class="btn btn-default" name="admin_api" type="submit" href="#"><span class="glyphicon glyphicon-check"></span> <?=$lang['admin']['save'];?></button>
-                <button class="btn btn-info" name="admin_api_regen_key" type="submit" href="#"><?=$lang['admin']['regen_api_key'];?></button>
+            <div id="api-rw" class="panel-collapse collapse">
+              <div class="panel-body">
+                <form class="form-horizontal" autocapitalize="none" autocorrect="off" role="form" method="post">
+                  <div class="form-group">
+                    <label class="control-label col-sm-3" for="allow_from_rw"><?=$lang['admin']['api_allow_from'];?>:</label>
+                    <div class="col-sm-9">
+                      <textarea class="form-control" rows="2" name="allow_from" id="allow_from_rw" <?=($api_rw['skip_ip_check'] == 1) ? 'disabled' : null;?> required><?=htmlspecialchars($api_rw['allow_from']);?></textarea>
+                    </div>
+                  </div>
+                  <div class="form-group">
+                    <div class="col-sm-offset-3 col-sm-9">
+                      <label>
+                        <input type="checkbox" name="skip_ip_check" id="skip_ip_check_rw" <?=($api_rw['skip_ip_check'] == 1) ? 'checked' : null;?>> <?=$lang['admin']['api_skip_ip_check'];?>
+                      </label>
+                    </div>
+                  </div>
+                  <div class="form-group">
+                    <label class="control-label col-sm-3" for="admin_api_key"><?=$lang['admin']['api_key'];?>:</label>
+                    <div class="col-sm-9">
+                      <pre><?=(empty(htmlspecialchars($api_rw['api_key']))) ? '-' : htmlspecialchars($api_rw['api_key']);?></pre>
+                    </div>
+                  </div>
+                  <div class="form-group">
+                    <div class="col-sm-offset-3 col-sm-9">
+                      <label>
+                        <input type="checkbox" name="active" <?=($api_rw['active'] == 1) ? 'checked' : null;?>> <?=$lang['admin']['activate_api'];?>
+                      </label>
+                    </div>
+                  </div>
+                  <div class="form-group">
+                    <div class="col-sm-offset-3 col-sm-9">
+                      <p class="help-block"><?=$lang['admin']['api_info'];?></p>
+                      <div class="btn-group">
+                        <button class="btn btn-sm btn-default" name="admin_api[rw]" type="submit" href="#"><span class="glyphicon glyphicon-check"></span> <?=$lang['admin']['save'];?></button>
+                        <button class="btn btn-sm btn-primary" name="admin_api_regen_key[rw]" type="submit" href="#"><?=$lang['admin']['regen_api_key'];?></button>
+                      </div>
+                    </div>
+                  </div>
+                </form>
               </div>
             </div>
           </div>
-        </form>
         </div>
 
       </div>

data/web/inc/functions.inc.php

@@ -1143,7 +1143,7 @@ function verify_tfa_login($username, $token) {
 	}
   return false;
 }
-function admin_api($action, $data = null) {
+function admin_api($access, $action, $data = null) {
 	global $pdo;
 	global $lang;
 	if ($_SESSION['mailcow_cc_role'] != "admin") {
@@ -1154,90 +1154,178 @@ function admin_api($action, $data = null) {
 		);
 		return false;
 	}
-	switch ($action) {
-		case "edit":
-      $regen_key = $data['admin_api_regen_key'];
-      $active = (isset($data['active'])) ? 1 : 0;
-      $skip_ip_check = (isset($data['skip_ip_check'])) ? 1 : 0;
-      $allow_from = array_map('trim', preg_split( "/( |,|;|\n)/", $data['allow_from']));
-      foreach ($allow_from as $key => $val) {
-        if (empty($val)) {
-          continue;
-        }
-        if (!filter_var($val, FILTER_VALIDATE_IP)) {
-          $_SESSION['return'][] =  array(
-            'type' => 'warning',
-            'log' => array(__FUNCTION__, $data),
-            'msg' => array('ip_invalid', htmlspecialchars($allow_from[$key]))
-          );
-          unset($allow_from[$key]);
-          continue;
-        }
-      }
-      $allow_from = implode(',', array_unique(array_filter($allow_from)));
-      if (empty($allow_from) && $skip_ip_check == 0) {
-        $_SESSION['return'][] =  array(
-          'type' => 'danger',
-          'log' => array(__FUNCTION__, $data),
-          'msg' => 'ip_list_empty'
-        );
-        return false;
-      }
-      $api_key = implode('-', array(
-        strtoupper(bin2hex(random_bytes(3))),
-        strtoupper(bin2hex(random_bytes(3))),
-        strtoupper(bin2hex(random_bytes(3))),
-        strtoupper(bin2hex(random_bytes(3))),
-        strtoupper(bin2hex(random_bytes(3)))
-      ));
-      $stmt = $pdo->query("SELECT `api_key` FROM `api`");
-      $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
-      if (empty($num_results)) {
-        $stmt = $pdo->prepare("INSERT INTO `api` (`api_key`, `skip_ip_check`, `active`, `allow_from`)
-          VALUES (:api_key, :skip_ip_check, :active, :allow_from);");
-        $stmt->execute(array(
-          ':api_key' => $api_key,
-          ':skip_ip_check' => $skip_ip_check,
-          ':active' => $active,
-          ':allow_from' => $allow_from
-        ));
-      }
-      else {
-        if ($skip_ip_check == 0) {
-          $stmt = $pdo->prepare("UPDATE `api` SET `skip_ip_check` = :skip_ip_check, `active` = :active, `allow_from` = :allow_from ;");
+	switch ($access) {
+    case "rw":
+      switch ($action) {
+        case "edit":
+          $active = (isset($data['active'])) ? 1 : 0;
+          $skip_ip_check = (isset($data['skip_ip_check'])) ? 1 : 0;
+          $allow_from = array_map('trim', preg_split( "/( |,|;|\n)/", $data['allow_from']));
+          foreach ($allow_from as $key => $val) {
+            if (empty($val)) {
+              continue;
+            }
+            if (!filter_var($val, FILTER_VALIDATE_IP)) {
+              $_SESSION['return'][] =  array(
+                'type' => 'warning',
+                'log' => array(__FUNCTION__, $data),
+                'msg' => array('ip_invalid', htmlspecialchars($allow_from[$key]))
+              );
+              unset($allow_from[$key]);
+              continue;
+            }
+          }
+          $allow_from = implode(',', array_unique(array_filter($allow_from)));
+          if (empty($allow_from) && $skip_ip_check == 0) {
+            $_SESSION['return'][] =  array(
+              'type' => 'danger',
+              'log' => array(__FUNCTION__, $data),
+              'msg' => 'ip_list_empty'
+            );
+            return false;
+          }
+          $api_key = implode('-', array(
+            strtoupper(bin2hex(random_bytes(3))),
+            strtoupper(bin2hex(random_bytes(3))),
+            strtoupper(bin2hex(random_bytes(3))),
+            strtoupper(bin2hex(random_bytes(3))),
+            strtoupper(bin2hex(random_bytes(3)))
+          ));
+          $stmt = $pdo->query("SELECT `api_key` FROM `api` WHERE `access` = 'rw'");
+          $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
+          if (empty($num_results)) {
+            $stmt = $pdo->prepare("INSERT INTO `api` (`api_key`, `skip_ip_check`, `active`, `allow_from`, `access`)
+              VALUES (:api_key, :skip_ip_check, :active, :allow_from, 'rw');");
+            $stmt->execute(array(
+              ':api_key' => $api_key,
+              ':skip_ip_check' => $skip_ip_check,
+              ':active' => $active,
+              ':allow_from' => $allow_from
+            ));
+          }
+          else {
+            if ($skip_ip_check == 0) {
+              $stmt = $pdo->prepare("UPDATE `api` SET `skip_ip_check` = :skip_ip_check, `active` = :active, `allow_from` = :allow_from WHERE `access` = 'rw';");
+              $stmt->execute(array(
+                ':active' => $active,
+                ':skip_ip_check' => $skip_ip_check,
+                ':allow_from' => $allow_from
+              ));
+            }
+            else {
+              $stmt = $pdo->prepare("UPDATE `api` SET `skip_ip_check` = :skip_ip_check, `active` = :active WHERE `access` = 'rw';");
+              $stmt->execute(array(
+                ':active' => $active,
+                ':skip_ip_check' => $skip_ip_check
+              ));
+            }
+          }
+        break;
+        case "regen_key":
+          $api_key = implode('-', array(
+            strtoupper(bin2hex(random_bytes(3))),
+            strtoupper(bin2hex(random_bytes(3))),
+            strtoupper(bin2hex(random_bytes(3))),
+            strtoupper(bin2hex(random_bytes(3))),
+            strtoupper(bin2hex(random_bytes(3)))
+          ));
+          $stmt = $pdo->prepare("UPDATE `api` SET `api_key` = :api_key WHERE `access` = 'rw'");
           $stmt->execute(array(
-            ':active' => $active,
-            ':skip_ip_check' => $skip_ip_check,
-            ':allow_from' => $allow_from
+            ':api_key' => $api_key
           ));
-        }
-        else {
-          $stmt = $pdo->prepare("UPDATE `api` SET `skip_ip_check` = :skip_ip_check, `active` = :active ;");
+        break;
+        case "get":
+          $stmt = $pdo->query("SELECT * FROM `api` WHERE `access` = 'rw'");
+          $apidata = $stmt->fetch(PDO::FETCH_ASSOC);
+          return $apidata;
+        break;
+      }
+    case "ro":
+      switch ($action) {
+        case "edit":
+          $active = (isset($data['active'])) ? 1 : 0;
+          $skip_ip_check = (isset($data['skip_ip_check'])) ? 1 : 0;
+          $allow_from = array_map('trim', preg_split( "/( |,|;|\n)/", $data['allow_from']));
+          foreach ($allow_from as $key => $val) {
+            if (empty($val)) {
+              continue;
+            }
+            if (!filter_var($val, FILTER_VALIDATE_IP)) {
+              $_SESSION['return'][] =  array(
+                'type' => 'warning',
+                'log' => array(__FUNCTION__, $data),
+                'msg' => array('ip_invalid', htmlspecialchars($allow_from[$key]))
+              );
+              unset($allow_from[$key]);
+              continue;
+            }
+          }
+          $allow_from = implode(',', array_unique(array_filter($allow_from)));
+          if (empty($allow_from) && $skip_ip_check == 0) {
+            $_SESSION['return'][] =  array(
+              'type' => 'danger',
+              'log' => array(__FUNCTION__, $data),
+              'msg' => 'ip_list_empty'
+            );
+            return false;
+          }
+          $api_key = implode('-', array(
+            strtoupper(bin2hex(random_bytes(3))),
+            strtoupper(bin2hex(random_bytes(3))),
+            strtoupper(bin2hex(random_bytes(3))),
+            strtoupper(bin2hex(random_bytes(3))),
+            strtoupper(bin2hex(random_bytes(3)))
+          ));
+          $stmt = $pdo->query("SELECT `api_key` FROM `api` WHERE `access` = 'ro'");
+          $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
+          if (empty($num_results)) {
+            $stmt = $pdo->prepare("INSERT INTO `api` (`api_key`, `skip_ip_check`, `active`, `allow_from`, `access`)
+              VALUES (:api_key, :skip_ip_check, :active, :allow_from, 'ro');");
+            $stmt->execute(array(
+              ':api_key' => $api_key,
+              ':skip_ip_check' => $skip_ip_check,
+              ':active' => $active,
+              ':allow_from' => $allow_from
+            ));
+          }
+          else {
+            if ($skip_ip_check == 0) {
+              $stmt = $pdo->prepare("UPDATE `api` SET `skip_ip_check` = :skip_ip_check, `active` = :active, `allow_from` = :allow_from WHERE `access` = 'ro';");
+              $stmt->execute(array(
+                ':active' => $active,
+                ':skip_ip_check' => $skip_ip_check,
+                ':allow_from' => $allow_from
+              ));
+            }
+            else {
+              $stmt = $pdo->prepare("UPDATE `api` SET `skip_ip_check` = :skip_ip_check, `active` = :active WHERE `access` = 'ro';");
+              $stmt->execute(array(
+                ':active' => $active,
+                ':skip_ip_check' => $skip_ip_check
+              ));
+            }
+          }
+        break;
+        case "regen_key":
+          $api_key = implode('-', array(
+            strtoupper(bin2hex(random_bytes(3))),
+            strtoupper(bin2hex(random_bytes(3))),
+            strtoupper(bin2hex(random_bytes(3))),
+            strtoupper(bin2hex(random_bytes(3))),
+            strtoupper(bin2hex(random_bytes(3)))
+          ));
+          $stmt = $pdo->prepare("UPDATE `api` SET `api_key` = :api_key WHERE `access` = 'ro'");
           $stmt->execute(array(
-            ':active' => $active,
-            ':skip_ip_check' => $skip_ip_check
+            ':api_key' => $api_key
           ));
-        }
+        break;
+        case "get":
+          $stmt = $pdo->query("SELECT * FROM `api` WHERE `access` = 'ro'");
+          $apidata = $stmt->fetch(PDO::FETCH_ASSOC);
+          return $apidata;
+        break;
       }
     break;
-    case "regen_key":
-      $api_key = implode('-', array(
-        strtoupper(bin2hex(random_bytes(3))),
-        strtoupper(bin2hex(random_bytes(3))),
-        strtoupper(bin2hex(random_bytes(3))),
-        strtoupper(bin2hex(random_bytes(3))),
-        strtoupper(bin2hex(random_bytes(3)))
-      ));
-      $stmt = $pdo->prepare("UPDATE `api` SET `api_key` = :api_key");
-      $stmt->execute(array(
-        ':api_key' => $api_key
-      ));
-    break;
-    case "get":
-      $stmt = $pdo->query("SELECT * FROM `api`");
-      $apidata = $stmt->fetch(PDO::FETCH_ASSOC);
-      return $apidata;
-    break;
   }
 	$_SESSION['return'][] =  array(
 		'type' => 'success',

data/web/inc/functions.mailbox.inc.php

@@ -3343,6 +3343,9 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           $stmt = $pdo->prepare("SELECT `maxquota`, `quota` FROM  `domain` WHERE `domain` = :domain");
           $stmt->execute(array(':domain' => $row['domain']));
           $DomainQuota  = $stmt->fetch(PDO::FETCH_ASSOC);
+          $stmt = $pdo->prepare("SELECT IFNULL(COUNT(`active`), 0) AS `pushover_active` FROM `pushover` WHERE `username` = :username AND `active` = 1");
+          $stmt->execute(array(':username' => $_data));
+          $PushoverActive  = $stmt->fetch(PDO::FETCH_ASSOC);
           $stmt = $pdo->prepare("SELECT COALESCE(SUM(`quota`), 0) as `in_use` FROM `mailbox` WHERE `kind` NOT REGEXP 'location|thing|group' AND `domain` = :domain AND `username` != :username");
           $stmt->execute(array(':domain' => $row['domain'], ':username' => $_data));
           $MailboxUsage	= $stmt->fetch(PDO::FETCH_ASSOC);
@@ -3375,6 +3378,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           $mailboxdata['percent_in_use'] = ($row['quota'] == 0) ? '- ' : round((intval($row['bytes']) / intval($row['quota'])) * 100);
           $mailboxdata['messages'] = $row['messages'];
           $mailboxdata['spam_aliases'] = $SpamaliasUsage['sa_count'];
+          $mailboxdata['pushover_active'] = ($PushoverActive['pushover_active'] == 1) ? $lang['mailbox']['yes'] : $lang['mailbox']['no'];
           if ($mailboxdata['percent_in_use'] === '- ') {
             $mailboxdata['percent_class'] = "info";
           }

data/web/inc/functions.pushover.inc.php

@@ -0,0 +1,175 @@
+<?php
+function pushover($_action, $_data = null) {
+	global $pdo;
+	global $lang;
+  switch ($_action) {
+    case 'edit':
+      if (!isset($_SESSION['acl']['pushover']) || $_SESSION['acl']['pushover'] != "1" ) {
+        $_SESSION['return'][] = array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_action, $_data),
+          'msg' => 'access_denied'
+        );
+        return false;
+      }
+      if (!is_array($_data['username'])) {
+        $usernames = array();
+        $usernames[] = $_data['username'];
+      }
+      else {
+        $usernames = $_data['username'];
+      }
+      foreach ($usernames as $username) {
+        if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) {
+          $_SESSION['return'][] = array(
+            'type' => 'danger',
+            'log' => array(__FUNCTION__, $_action, $_data),
+            'msg' => 'access_denied'
+          );
+          continue;
+        }
+        $delete = $_data['delete'];
+        if ($delete == "true") {
+          $stmt = $pdo->prepare("DELETE FROM `pushover` WHERE `username` = :username");
+          $stmt->execute(array(
+            ':username' => $username
+          ));
+          $_SESSION['return'][] = array(
+            'type' => 'success',
+            'log' => array(__FUNCTION__, $_action, $_data, $_data),
+            'msg' => 'pushover_settings_edited'
+          );
+          continue;
+        }
+        $key = $_data['key'];
+        $token = $_data['token'];
+        if (!ctype_alnum($key) || strlen($key) != 30) {
+          $_SESSION['return'][] = array(
+            'type' => 'danger',
+            'log' => array(__FUNCTION__, $_action, $_data, $_data),
+            'msg' => 'pushover_key'
+          );
+          continue;
+        }
+        if (!ctype_alnum($token) || strlen($token) != 30) {
+          $_SESSION['return'][] = array(
+            'type' => 'danger',
+            'log' => array(__FUNCTION__, $_action, $_data, $_data),
+            'msg' => 'pushover_token'
+          );
+          continue;
+        }
+        $title = $_data['title'];
+        $text = $_data['text'];
+        $active = intval($_data['active']);
+        $stmt = $pdo->prepare("REPLACE INTO `pushover` (`username`, `key`, `token`, `title`, `text`, `active`)
+          VALUES (:username, :key, :token, :title, :text, :active)");
+        $stmt->execute(array(
+          ':username' => $username,
+          ':key' => $key,
+          ':token' => $token,
+          ':title' => $title,
+          ':text' => $text,
+          ':active' => $active
+        ));
+        $_SESSION['return'][] = array(
+          'type' => 'success',
+          'log' => array(__FUNCTION__, $_action, $_data, $_data),
+          'msg' => 'pushover_settings_edited'
+        );
+      }
+    break;
+    case 'get':
+      if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
+        $_SESSION['return'][] = array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_action, $_data),
+          'msg' => 'access_denied'
+        );
+        return false;
+      }
+      $stmt = $pdo->prepare("SELECT * FROM `pushover` WHERE `username` = :username");
+      $stmt->execute(array(
+        ':username' => $_data
+      ));
+      $data = $stmt->fetch(PDO::FETCH_ASSOC);
+      if (empty($data)) {
+        return false;
+      }
+      else {
+        return $data;
+      }
+    break;
+    case 'test':
+      if (!isset($_SESSION['acl']['pushover']) || $_SESSION['acl']['pushover'] != "1" ) {
+        $_SESSION['return'][] = array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_action, $_data),
+          'msg' => 'access_denied'
+        );
+        return false;
+      }
+      if (!is_array($_data['username'])) {
+        $usernames = array();
+        $usernames[] = $_data['username'];
+      }
+      else {
+        $usernames = $_data['username'];
+      }
+      foreach ($usernames as $username) {
+        if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) {
+          $_SESSION['return'][] = array(
+            'type' => 'danger',
+            'log' => array(__FUNCTION__, $_action, $_data),
+            'msg' => 'access_denied'
+          );
+          continue;
+        }
+        $stmt = $pdo->prepare("SELECT * FROM `pushover`
+          WHERE `username` = :username");
+        $stmt->execute(array(
+          ':username' => $username
+        ));
+        $api_data = $stmt->fetch(PDO::FETCH_ASSOC);
+        if (!empty($api_data)) {
+          $title = (!empty($api_data['title'])) ? $api_data['title'] : 'Mail';
+          $text = (!empty($api_data['text'])) ? $api_data['text'] : 'You\'ve got mail 📧';
+          curl_setopt_array($ch = curl_init(), array(
+            CURLOPT_URL => "https://api.pushover.net/1/users/validate.json",
+            CURLOPT_POSTFIELDS => array(
+              "token" => $api_data['token'],
+              "user" => $api_data['key']
+            ),
+            CURLOPT_SAFE_UPLOAD => true,
+            CURLOPT_RETURNTRANSFER => true,
+          ));
+          $result = curl_exec($ch);
+          $httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+          curl_close($ch);
+          if ($httpcode == 200) {
+            $_SESSION['return'][] = array(
+              'type' => 'success',
+              'log' => array(__FUNCTION__, $_action, $_data),
+              'msg' => sprintf('Pushover API OK (%d): %s', $httpcode, $result)
+            );
+          }
+          else {
+            $_SESSION['return'][] = array(
+              'type' => 'danger',
+              'log' => array(__FUNCTION__, $_action, $_data),
+              'msg' => sprintf('Pushover API ERR (%d): %s', $httpcode, $result)
+            );
+          }
+        }
+        else {
+          $_SESSION['return'][] = array(
+            'type' => 'danger',
+            'log' => array(__FUNCTION__, $_action, $_data),
+            'msg' => 'pushover_credentials_missing'
+          );
+          return false;
+        }
+      }
+    break;
+  }
+}

data/web/inc/init_db.inc.php

@@ -3,7 +3,7 @@ function init_db_schema() {
   try {
     global $pdo;
 
-    $db_version = "03042020_0915";
+    $db_version = "09042020_1403";
 
     $stmt = $pdo->query("SHOW TABLES LIKE 'versions'");
     $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
@@ -374,6 +374,7 @@ function init_db_schema() {
           "syncjobs" => "TINYINT(1) NOT NULL DEFAULT '1'",
           "eas_reset" => "TINYINT(1) NOT NULL DEFAULT '0'",
           "sogo_profile_reset" => "TINYINT(1) NOT NULL DEFAULT '1'",
+          "pushover" => "TINYINT(1) NOT NULL DEFAULT '0'",
           // quarantine is for quarantine actions, todo: rename
           "quarantine" => "TINYINT(1) NOT NULL DEFAULT '1'",
           "quarantine_attachments" => "TINYINT(1) NOT NULL DEFAULT '1'",
@@ -534,6 +535,7 @@ function init_db_schema() {
           "sogo_access" => "TINYINT(1) NOT NULL DEFAULT '1'",
           "app_passwds" => "TINYINT(1) NOT NULL DEFAULT '1'",
           "bcc_maps" => "TINYINT(1) NOT NULL DEFAULT '1'",
+          "pushover" => "TINYINT(1) NOT NULL DEFAULT '0'",
           "filters" => "TINYINT(1) NOT NULL DEFAULT '1'",
           "ratelimit" => "TINYINT(1) NOT NULL DEFAULT '1'",
           "spam_policy" => "TINYINT(1) NOT NULL DEFAULT '1'",
@@ -830,6 +832,22 @@ function init_db_schema() {
         ),
         "attr" => "ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC"
       ),
+      "pushover" => array(
+        "cols" => array(
+          "username" => "VARCHAR(255) NOT NULL",
+          "key" => "VARCHAR(255) NOT NULL",
+          "token" => "VARCHAR(255) NOT NULL",
+          "title" => "TEXT",
+          "text" => "TEXT",
+          "active" => "TINYINT(1) NOT NULL DEFAULT '1'"
+        ),
+        "keys" => array(
+          "primary" => array(
+            "" => array("username")
+          )
+        ),
+        "attr" => "ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC"
+      ),
       "sogo_user_profile" => array(
         "cols" => array(
           "c_uid" => "VARCHAR(255) NOT NULL",

data/web/inc/prerequisites.inc.php

@@ -230,6 +230,7 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.dkim.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.fwdhost.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.mailq.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.oauth2.inc.php';
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.pushover.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.ratelimit.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.transports.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.rspamd.inc.php';

data/web/inc/sessions.inc.php

@@ -57,6 +57,12 @@ if (!empty($_SERVER['HTTP_X_API_KEY'])) {
       $_SESSION['mailcow_cc_username'] = 'API';
       $_SESSION['mailcow_cc_role'] = 'admin';
       $_SESSION['mailcow_cc_api'] = true;
+      if ($api_return['api_key'] == 'rw') {
+        $_SESSION['mailcow_cc_api_access'] = 'rw';
+      }
+      else {
+        $_SESSION['mailcow_cc_api_access'] = 'ro';
+      }
     }
     else {
       $redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for API_USER by " . $_SERVER['REMOTE_ADDR']);

data/web/inc/triggers.inc.php

@@ -100,17 +100,26 @@ if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == "admi
 	if (isset($_POST["reset_main_logo"])) {
     customize('delete', 'main_logo');
 	}
-  // API and license cannot be controlled by API
+  // Some actions will not be available via API
 	if (isset($_POST["license_validate_now"])) {
 		license('verify');
 	}
   if (isset($_POST["admin_api"])) {
-		admin_api('edit', $_POST);
+    if (isset($_POST["admin_api"]["ro"])) {
+      admin_api('ro', 'edit', $_POST);
+    }
+    elseif (isset($_POST["admin_api"]["rw"])) {
+      admin_api('rw', 'edit', $_POST);
+    }
 	}
-	if (isset($_POST["admin_api_regen_key"])) {
-		admin_api('regen_key', $_POST);
+  if (isset($_POST["admin_api_regen_key"])) {
+    if (isset($_POST["admin_api_regen_key"]["ro"])) {
+      admin_api('ro', 'regen_key', $_POST);
+    }
+    elseif (isset($_POST["admin_api_regen_key"]["rw"])) {
+      admin_api('rw', 'regen_key', $_POST);
+    }
 	}
-  // Not available via API
 	if (isset($_POST["rspamd_ui"])) {
 		rspamd_ui('edit', $_POST);
 	}

data/web/js/site/admin.js

@@ -45,6 +45,24 @@ jQuery(function($){
       mailcow_alert_box('Regex OK', 'success');
       $('button[data-id="' + regex_map_id + '"]').attr({"disabled": false});
     }
+  });
+  $('.btn-api-ro').click(function() {
+    $('#api_rw').hide()
+    $('#api_ro').show()
+    $(this).addClass('active')
+    $('.btn-api-rw, .btn-api-hide').removeClass('active')
+  });
+  $('.btn-api-rw').click(function() {
+    $('#api_ro').hide()
+    $('#api_rw').show()
+    $(this).addClass('active')
+    $('.btn-api-ro, .btn-api-hide').removeClass('active')
+  });
+  $('.btn-api-hide').click(function() {
+    $('#api_ro').hide()
+    $('#api_rw').hide()
+    $(this).addClass('active')
+    $('.btn-api-ro, .btn-api-rw').removeClass('active')
   });
 	$('.textarea-code').on('keyup', function() {
     $('.submit_rspamd_regex').attr({"disabled": true});
@@ -360,13 +378,22 @@ jQuery(function($){
   draw_transport_maps();
   draw_queue();
   // API IP check toggle
-  $("#skip_ip_check").click(function( event ) {
-   $("#skip_ip_check").not(this).prop('checked', false);
-    if ($("#skip_ip_check:checked").length > 0) {
-      $('#allow_from').prop('disabled', true);
+  $("#skip_ip_check_ro").click(function( event ) {
+   $("#skip_ip_check_ro").not(this).prop('checked', false);
+    if ($("#skip_ip_check_ro:checked").length > 0) {
+      $('#allow_from_ro').prop('disabled', true);
+    }
+    else {
+      $("#allow_from_ro").removeAttr('disabled');
+    }
+  });
+  $("#skip_ip_check_rw").click(function( event ) {
+   $("#skip_ip_check_rw").not(this).prop('checked', false);
+    if ($("#skip_ip_check_rw:checked").length > 0) {
+      $('#allow_from_rw').prop('disabled', true);
     }
     else {
-      $("#allow_from").removeAttr('disabled');
+      $("#allow_from_rw").removeAttr('disabled');
     }
   });
   // Relayhost

data/web/lang/lang.de.json

@@ -24,6 +24,9 @@
         "apps": "Apps"
     },
     "danger": {
+        "pushover_token": "Pushover Token hat das falsche Format",
+        "pushover_key": "Pushover Key hat das falsche Format",
+        "pushover_credentials_missing": "Pushover Token und/oder Key fehlen",
         "invalid_filter_type": "Ungültiger Filtertyp",
         "file_open_error": "Datei kann nicht zum Schreiben geöffnet werden",
         "transport_dest_exists": "Transport Maps Ziel \"%s\" existiert bereits",
@@ -135,6 +138,7 @@
         "extra_acl_invalid_domain": "Externe Absenderadresse \"%s\" verwendet eine ungültige Domain"
     },
     "success": {
+        "pushover_settings_edited": "Pushover Konfiguration gespeichert, bitte den Zugang im Anschluss verifizieren.",
         "global_filter_written": "Filterdatei wurde erfolreich geschrieben",
         "learned_ham": "ID %s wurde erfolreich als Ham gelernt",
         "verified_totp_login": "TOTP Anmeldung verifiziert",
@@ -224,8 +228,17 @@
         "quota_exceeded_scope": "Domain-Quota erschöpft: Es können nur noch unlimiterte Mailboxen in dieser Domain erstellt werden."
     },
     "user": {
+        "pushover_info": "Push-Benachrichtungen werden angewendet auf alle nicht-Spam Nachrichten zugestellt an <b>%s</b>, einschließlich Alias-Adressen (shared, non-shared, tagged).",
+        "verify": "Verifizieren",
+        "pushover_verify": "Verbindung verifizieren",
+        "title": "Title",
+        "pushover_title": "Notification Titel",
+        "text": "Text",
+        "pushover_text": "Notification Text ({SUBJECT} entspricht dem Mail-Betreff)",
+        "last_mail_login": "Letzter Mail-Login",
         "last_mail_login": "Letzter Mail-Login",
         "no_last_login": "Keine letzte UI Anmeldung gespeichert",
+        "save": "Änderungen speichern",
         "generate": "generieren",
         "apple_connection_profile": "Apple Verbindungsprofil",
         "apple_connection_profile_mailonly": "Dieses Verbindungsprofil beinhaltet IMAP und SMTP Konfigurationen für ein Apple Gerät.",
@@ -334,6 +347,13 @@
         "spam_score_reset": "Auf Server-Standard zurücksetzen"
     },
     "admin": {
+        "pushover_info": "Push-Benachrichtungen werden angewendet auf alle nicht-Spam Nachrichten zugestellt an <b>%s</b>, einschließlich Alias-Adressen (shared, non-shared, tagged).",
+        "verify": "Verifizieren",
+        "pushover_verify": "Verbindung verifizieren",
+        "title": "Title",
+        "pushover_title": "Notification Titel",
+        "text": "Text",
+        "pushover_text": "Notification Text ({SUBJECT} entspricht dem Mail-Betreff)",
         "spamfilter": "Spamfilter",
         "domain_s": "Domain(s)",
         "rspamd-com_settings": "Ein Name wird automatisch generiert. Beispielinhalte zur Einsicht stehen nachstehend bereit. Siehe auch <a href=\"https://rspamd.com/doc/configuration/settings.html#settings-structure\" target=\"_blank\">Rspamd docs</a>",
@@ -858,6 +878,7 @@
         "relayhost_wrapped_tls_info": "Bitte <b>keine</b> TLS-wrapped Ports verwenden (etwa SMTPS via Port 465/tcp).<br>\r\nDer Transport wird stattdessen STARTTLS anfordern, um TLS zu verwenden. TLS kann unter \"TLS Policy Maps\" erzwungen werden."
     },
     "acl": {
+        "pushover": "Pushover",
         "spam_alias": "Temporäre E-Mail Aliasse",
         "tls_policy": "Verschlüsselungsrichtlinie",
         "spam_score": "Spam-Bewertung",

data/web/lang/lang.en.json

@@ -30,6 +30,9 @@
         "unlimited_quota_acl": "Unlimited quota prohibited by ACL",
         "mysql_error": "MySQL error: %s",
         "redis_error": "Redis error: %s",
+        "pushover_token": "Pushover token has a wrong format",
+        "pushover_key": "Pushover key has a wrong format",
+        "pushover_credentials_missing": "Pushover token and or key missing",
         "unknown_tfa_method": "Unknown TFA method",
         "totp_verification_failed": "TOTP verification failed",
         "u2f_verification_failed": "U2F verification failed: %s",
@@ -135,6 +138,7 @@
         "extra_acl_invalid_domain": "External sender \"%s\" uses an invalid domain"
     },
     "success": {
+        "pushover_settings_edited": "Pushover settings successfully set, please verify credentials.",
         "global_filter_written": "Filter was successfully written to file",
         "learned_ham": "Successfully learned ID % as ham",
         "verified_totp_login": "Verified TOTP login",
@@ -221,11 +225,19 @@
         "hash_not_found": "Hash not found or already deleted",
         "fuzzy_learn_error": "Fuzzy hash learn error: %s",
         "ip_invalid": "Skipped invalid IP: %s",
-        "quota_exceeded_scope": "Domain quota exceeded: Only unlimited/unrated mailboxes can be created in this domain scope."
+        "quota_exceeded_scope": "Domain quota exceeded: Only unlimited mailboxes can be created in this domain scope."
     },
     "user": {
+        "pushover_info": "Push notification settings will apply to all clean (non-spam) mail delivered to <b>%s</b> including aliases (shared, non-shared, tagged).",
+        "verify": "Verify",
+        "pushover_verify": "Verify credentials",
+        "title": "Title",
+        "pushover_title": "Notification title",
+        "text": "Text",
+        "pushover_text": "Notification text ({SUBJECT} will be replaced by mail subject)",
         "no_last_login": "No last UI login information",
         "last_mail_login": "Last mail login",
+        "save": "Save changes",
         "apple_connection_profile": "Apple connection profile",
         "apple_connection_profile_mailonly": "This connection profile includes IMAP and SMTP configuration parameters for an Apple device.",
         "apple_connection_profile_complete": "This connection profile includes IMAP and SMTP parameters as well as CalDAV (calendars) and CardDAV (contacts) pathes for an Apple device.",
@@ -334,6 +346,13 @@
         "spam_score_reset": "Reset to server default"
     },
     "admin": {
+        "pushover_info": "Push notification settings will apply to all clean (non-spam) mail delivered to <b>%s</b> including aliases (shared, non-shared, tagged).",
+        "verify": "Verify",
+        "pushover_verify": "Verify credentials",
+        "title": "Title",
+        "pushover_title": "Notification title",
+        "text": "Text",
+        "pushover_text": "Notification text ({SUBJECT} will be replaced by mail subject)",
         "spamfilter": "Spam filter",
         "domain": "Domain",
         "domain_s": "Domain/s",
@@ -857,6 +876,7 @@
         "relayhost_wrapped_tls_info": "Please do <b>not</b> use TLS-wrapped ports (mostly used on port 465).<br>\r\nUse any non-wrapped port and issue STARTTLS. A TLS policy to enforce TLS can be created in \"TLS policy maps\"."
     },
     "acl": {
+        "pushover": "Pushover",
         "spam_alias": "Temporary aliases",
         "tls_policy": "TLS policy",
         "spam_score": "Spam score",