From 410de7229df2d65de735e4986e9146052f4bd2de Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Sat, 12 Nov 2011 20:44:35 +0000
Subject: [PATCH] functions.inc.php - list_domains_for_admin(): - rewrite to work for superadmins also (will list all domains now instead of "ALL"), which means we can drop the admin vs. superadmin check at various places - escape_string $username
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1265 a1433add-5e2c-0410-b055-b7f2511e0802
---
 functions.inc.php | 27 +++++++++++++++++----------
 1 file changed, 17 insertions(+), 10 deletions(-)
diff --git a/functions.inc.php b/functions.inc.php
index 3b0dea75..d8a3280d 100644
--- a/functions.inc.php
+++ b/functions.inc.php
@@ -773,17 +773,24 @@ function check_alias_owner ($username, $alias) {
 function list_domains_for_admin ($username) {
 global $CONF;
 global $table_domain, $table_domain_admins;
- $list = array ();
- // does $username need escaping here?
- $active_sql = db_get_boolean(True);
- $backupmx_sql = db_get_boolean(False);
- $query = "SELECT $table_domain.domain, $table_domain_admins.username FROM $table_domain
- LEFT JOIN $table_domain_admins ON $table_domain.domain=$table_domain_admins.domain
- WHERE $table_domain_admins.username='$username'
- AND $table_domain.active='$active_sql'
- AND $table_domain.backupmx='$backupmx_sql'
- ORDER BY $table_domain_admins.domain";
+ $E_username = escape_string($username);
+
+ $query = "SELECT $table_domain.domain FROM $table_domain ";
+ $condition[] = "$table_domain.domain != 'ALL'";
+
+ $result = db_query ("SELECT username FROM $table_domain_admins WHERE username='$E_username' AND domain='ALL'");
+ if ($result['rows'] < 1) { # not a superadmin
+ $query .= " LEFT JOIN $table_domain_admins ON $table_domain.domain=$table_domain_admins.domain ";
+ $condition[] = "$table_domain_admins.username='$E_username' ";
+ $condition[] = "$table_domain.active='" . db_get_boolean(true) . "'"; # TODO: does it really make sense to exclude inactive...
+ $condition[] = "$table_domain.backupmx='" . db_get_boolean(False) . "'"; # TODO: ... and backupmx domains for non-superadmins?
+ }
+
+ $query .= " WHERE " . join(' AND ', $condition);
+ $query .= " ORDER BY $table_domain.domain";
+
+ $list = array ();
 $result = db_query ($query);
 if ($result['rows'] > 0) {
 $i = 0;
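Review bot: The `domain='ALL'` lookup now decides whether the caller gets every domain, and it accepts any matching row without checking that the admin account is still enabled; if `$table_domain_admins` (or the admin table) has an active flag, which this hunk does not show, the check should include it so a disabled superadmin is not handed the full list. The two branches also return different sets: the `active` and `backupmx` conditions are added only inside `if ($result['rows'] < 1)`, so superadmins receive inactive and backupmx domains that regular admins never see, and callers that drop their own superadmin check per the commit message inherit that difference. A comment above the function such as `// Returns all real domains for superadmins (including inactive/backupmx); only active, non-backupmx domains for other admins` would make the contract explicit, and `$condition = array();` before the first append keeps the list from depending on implicit creation. The function body continues past the end of the hunk.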