[Web] Various fixes for app passwd functions

data/web/inc/functions.app_passwd.inc.php

@@ -59,25 +59,15 @@ function app_passwd($_action, $_data = null) {
         );
         return false;
       }
-      try {
-        $stmt = $pdo->prepare("INSERT INTO `app_passwd` (`name`, `mailbox`, `domain`, `password`, `active`)
-          VALUES (:app_name, :mailbox, :domain, :password, :active)");
-        $stmt->execute(array(
-          ':app_name' => $app_name,
-          ':mailbox' => $username,
-          ':domain' => $domain,
-          ':password' => $password_hashed,
-          ':active' => $active
-        ));
-      }
-      catch (PDOException $e) {
-        $_SESSION['return'][] = array(
-          'type' => 'danger',
-          'log' => array(__FUNCTION__, $_action, $_data_log),
-          'msg' => array('mysql_error', $e)
-        );
-        return false;
-      }
+      $stmt = $pdo->prepare("INSERT INTO `app_passwd` (`name`, `mailbox`, `domain`, `password`, `active`)
+        VALUES (:app_name, :mailbox, :domain, :password, :active)");
+      $stmt->execute(array(
+        ':app_name' => $app_name,
+        ':mailbox' => $username,
+        ':domain' => $domain,
+        ':password' => $password_hashed,
+        ':active' => $active
+      ));
       $_SESSION['return'][] = array(
         'type' => 'success',
         'log' => array(__FUNCTION__, $_action, $_data_log),
@@ -130,27 +120,17 @@ function app_passwd($_action, $_data = null) {
             ':id' => $id
           ));
         }
-        try {
-          $stmt = $pdo->prepare("UPDATE `app_passwd` SET
-            `name` = :app_name,
-            `mailbox` = :username,
-            `active` = :active
-              WHERE `id` = :id");
-          $stmt->execute(array(
-            ':app_name' => $app_name,
-            ':username' => $username,
-            ':active' => $active,
-            ':id' => $id
-          ));
-        }
-        catch (PDOException $e) {
-          $_SESSION['return'][] = array(
-            'type' => 'danger',
-            'log' => array(__FUNCTION__, $_action, $_data_log),
-            'msg' => array('mysql_error', $e)
-          );
-          continue;
-        }
+        $stmt = $pdo->prepare("UPDATE `app_passwd` SET
+          `name` = :app_name,
+          `mailbox` = :username,
+          `active` = :active
+            WHERE `id` = :id");
+        $stmt->execute(array(
+          ':app_name' => $app_name,
+          ':username' => $username,
+          ':active' => $active,
+          ':id' => $id
+        ));
         $_SESSION['return'][] = array(
           'type' => 'success',
           'log' => array(__FUNCTION__, $_action, $_data_log),
@@ -161,18 +141,27 @@ function app_passwd($_action, $_data = null) {
     case 'delete':
       $ids = (array)$_data['id'];
       foreach ($ids as $id) {
-        try {
-          $stmt = $pdo->prepare("DELETE FROM `app_passwd` WHERE `id`= :id AND `mailbox`= :username");
-          $stmt->execute(array(':id' => $id, ':username' => $username));
+        $stmt = $pdo->prepare("SELECT `mailbox` FROM `app_passwd` WHERE `id` = :id");
+        $stmt->execute(array(':id' => $id));
+        $mailbox = $stmt->fetch(PDO::FETCH_ASSOC)['mailbox'];
+        if (empty($mailbox)) {
+          $_SESSION['return'][] = array(
+            'type' => 'danger',
+            'log' => array(__FUNCTION__, $_action, $_data_log),
+            'msg' => 'app_passwd_id_invalid'
+          );
+          return false;
         }
-        catch (PDOException $e) {
+        if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $mailbox)) {
           $_SESSION['return'][] = array(
             'type' => 'danger',
             'log' => array(__FUNCTION__, $_action, $_data_log),
-            'msg' => array('mysql_error', $e)
+            'msg' => 'access_denied'
           );
           return false;
         }
+        $stmt = $pdo->prepare("DELETE FROM `app_passwd` WHERE `id`= :id");
+        $stmt->execute(array(':id' => $id));
         $_SESSION['return'][] = array(
           'type' => 'success',
           'log' => array(__FUNCTION__, $_action, $_data_log),
@@ -198,10 +187,16 @@ function app_passwd($_action, $_data = null) {
         `active` AS `active_int`,
         CASE `active` WHEN 1 THEN '".$lang['mailbox']['yes']."' ELSE '".$lang['mailbox']['no']."' END AS `active`
           FROM `app_passwd`
-            WHERE `id` = :id
-              AND `mailbox` = :username");
-      $stmt->execute(array(':id' => $_data['id'], ':username' => $username));
+            WHERE `id` = :id");
+      $stmt->execute(array(':id' => $_data['id']));
       $app_passwd_data = $stmt->fetch(PDO::FETCH_ASSOC);
+      if (empty($app_passwd_data)) {
+        return false;
+      }
+      if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $app_passwd_data['mailbox'])) {
+        $app_passwd_data = array();
+        return false;
+      }
       return $app_passwd_data;
     break;
   }

data/web/json_api.php

@@ -296,12 +296,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
                 }
                 if (!empty($app_passwds)) {
                   foreach ($app_passwds as $app_passwd) {
-                    if (empty($extra)) {
-                      $details = app_passwd('details', array('id' => $app_passwd['id']));
-                    }
-                    else {
-                      $details = app_passwd('details', array('id' => $app_passwd['id'], 'username' => $extra));
-                    }
+                    $details = app_passwd('details', array('id' => $app_passwd['id']));
                     if ($details !== false) {
                       $data[] = $details;
                     }
@@ -317,7 +312,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
               break;
 
               default:
-                $data = app_passwd('details', array('id' => $object));
+                $data = app_passwd('details', array('id' => $object['id']));
                 process_get_return($data);
               break;
             }