SF.net SVN: postfixadmin:[779] trunk/list-virtual.php
From: <chr...@us...> - 2009-11-30 14:07:03
Revision: 779 http://postfixadmin.svn.sourceforge.net/postfixadmin/?rev=779&view=rev Author: christian_boltz Date: 2009-11-30 14:06:51 +0000 (Mon, 30 Nov 2009) Log Message: ----------- list-virtual.php - add in_array check to avoid that superadmins can enter invalid domains - the check_owner check is probably obsolete after this change. I left it in (with a clear message) until I'm 100% sure that it's really unneeded. - move sticky domain code below error checking - the session should only include valid domains ;-) Modified Paths: -------------- trunk/list-virtual.php Modified: trunk/list-virtual.php =================================================================== --- trunk/list-virtual.php 2009-11-30 12:48:25 UTC (rev 778) +++ trunk/list-virtual.php 2009-11-30 14:06:51 UTC (rev 779) @@ -62,12 +62,6 @@ $search = escape_string(safepost('search')); } -// store fDomain in $_SESSION so after adding/editing aliases/mailboxes we can -// take the user back to the appropriate domain listing. (see templates/menu.php) -if($fDomain) { - $_SESSION['list_virtual_sticky_domain'] = $fDomain; -} - if (count($list_domains) == 0) { # die("no domains"); flash_error( $PALANG['invalid_parameter'] ); 
@@ -77,13 +71,24 @@ if ((is_array ($list_domains) and sizeof ($list_domains) > 0)) if (empty ($fDomain)) $fDomain = $list_domains[0]; -if (!check_owner(authentication_get_username(), $fDomain)) { -# die($PALANG['invalid_parameter']); +if(!in_array($fDomain, $list_domains)) { flash_error( $PALANG['invalid_parameter'] ); + header("Location: list-domain.php"); # invalid domain, or not owned by this admin + exit; +} + +if (!check_owner(authentication_get_username(), $fDomain)) { + flash_error( $PALANG['invalid_parameter'] . " If you see this message, please open a bugreport"); # this check is most probably obsoleted by the in_array() check above header("Location: list-domain.php"); # domain not owned by this admin exit(0); } +// store fDomain in $_SESSION so after adding/editing aliases/mailboxes we can +// take the user back to the appropriate domain listing. (see templates/menu.php) +if($fDomain) { + $_SESSION['list_virtual_sticky_domain'] = $fDomain; +} + # # alias domain # This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
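Review bot: The new `in_array($fDomain, $list_domains)` guard compares loosely, and since it is now the gate that decides whether the requested domain is allowed, it should pass the strict flag: `if (!in_array($fDomain, $list_domains, true)) {`. With loose comparison PHP treats numeric-looking strings as numbers (`'1e3' == '1000'`), so a value that is not literally in the list can pass and then be stored in `$_SESSION['list_virtual_sticky_domain']`. How `$list_domains` and `$fDomain` are built is outside this hunk, so confirm both are plain strings before switching. Keeping the `check_owner()` call as a second, independent check is worthwhile; if it ever fires, writing that to the server log as well as the flash message would make the "please open a bugreport" case visible to the maintainers.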