edit-vacation.php: fix handling of empty goto field; fix handling of vacation editing if done by "someone else"

git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@115 a1433add-5e2c-0410-b055-b7f2511e0802

edit-vacation.php

@@ -37,22 +37,28 @@
 
 require_once('common.php');
 
-$SESSID_USERNAME = authentication_get_username();
-
 if($CONF['vacation'] == 'NO') { 
    header("Location: " . $CONF['postfix_admin_url'] . "/main.php");
    exit(0);
 }
 
-$vacation_domain = $CONF['vacation_domain'];
+$SESSID_USERNAME = authentication_get_username();
-$vacation_goto = preg_replace('/@/', '#', $SESSID_USERNAME);
-$vacation_goto = $vacation_goto . '@' . $vacation_domain;
-
 $tmp = preg_split ('/@/', $SESSID_USERNAME);
 $USERID_DOMAIN = $tmp[1];
 
+// only allow admins to change someone else's 'stuff'
+if(authentication_has_role('admin')) {
    if (isset($_GET['username'])) $fUsername = escape_string ($_GET['username']);
    if (isset($_GET['domain'])) $fDomain = escape_string ($_GET['domain']);
+}
+else {
+   $fUsername = $SESSID_USERNAME;
+   $fDomain = $USERID_DOMAIN;
+}
+
+$vacation_domain = $CONF['vacation_domain'];
+$vacation_goto = preg_replace('/@/', '#', $fUsername);
+$vacation_goto = $vacation_goto . '@' . $vacation_domain;
 
 $fCanceltarget = $CONF['postfix_admin_url'] . '/main.php';
 
@@ -69,6 +75,7 @@ if ($_SERVER['REQUEST_METHOD'] == "GET")
    }
 
    $tUseremail = $fUsername;
+   $tDomain = $fDomain;
    if ($tSubject == '') { $tSubject = $PALANG['pUsersVacation_subject_text']; }
    if ($tBody == '') { $tBody = $PALANG['pUsersVacation_body_text']; }
 
@@ -82,13 +89,13 @@ if ($_SERVER['REQUEST_METHOD'] == "POST")
    if (isset ($_POST['fChange'])) $fChange = escape_string ($_POST['fChange']);
    if (isset ($_POST['fBack'])) $fBack = escape_string ($_POST['fBack']);
 
-   if (isset ($_GET['domain'])) {
+   if(authentication_has_role('admin') && isset($_GET['domain'])) {
       $fDomain = escape_string ($_GET['domain']);
    }
    else {
       $fDomain = $USERID_DOMAIN;
    }
-   if (isset ($_GET['username'])) {
+   if(authentication_has_role('admin') && isset ($_GET['username'])) {
       $fUsername = escape_string($_GET['username']);
    }
    else {
@@ -117,12 +124,17 @@ if ($_SERVER['REQUEST_METHOD'] == "POST")
          {
             $row = db_array ($result['result']);
             $goto = $row['goto'];
-
             //only one of these will do something, first handles address at beginning and middle, second at end
             $goto= preg_replace ( "/$vacation_goto,/", '', $goto);
             $goto= preg_replace ( "/,$vacation_goto/", '', $goto);
-
+            $goto= preg_replace ( "/$vacation_goto/", '', $goto);
-            $result = db_query ("UPDATE $table_alias SET goto='$goto',modified=NOW() WHERE address='$fUsername'");
+            if($goto == '') {
+               $sql = "DELETE FROM $table_alias WHERE address = '$fUsername'";
+            }
+            else {
+               $sql = "UPDATE $table_alias SET goto='$goto',modified=NOW() WHERE address='$fUsername'";
+            }
+            $result = db_query($sql);
             if ($result['rows'] != 1)
             {
                $error = 1;
@@ -142,18 +154,22 @@ if ($_SERVER['REQUEST_METHOD'] == "POST")
          $row = db_array ($result['result']);
          $goto = $row['goto'];
       }
-
+      $Active = db_get_boolean(True);
-      ($CONF['database_type']=='pgsql') ? $Active='true' : $Active=1;
       $result = db_query ("INSERT INTO $table_vacation (email,subject,body,domain,created,active) VALUES ('$fUsername','$fSubject','$fBody','$fDomain',NOW(),$Active)");
 
       if ($result['rows'] != 1)
       {
          $error = 1;
       }
-
+      if($goto == '') {
+         $goto = $vacation_goto;
+         $sql = "INSERT INTO $table_alias (goto, address, domain, modified) VALUES ('$goto', '$fUsername', '$fDomain', NOW())";
+      }
+      else {
          $goto = $goto . "," . $vacation_goto;
-
+         $sql = "UPDATE $table_alias SET goto='$goto',modified=NOW() WHERE address='$fUsername'";
-      $result = db_query ("UPDATE $table_alias SET goto='$goto',modified=NOW() WHERE address='$fUsername'");
+      }
+      $result = db_query ($sql);
       if ($result['rows'] != 1)
       {
          $error = 1;
@@ -173,7 +189,6 @@ else {
    $tMessage = $PALANG['pVacation_result_error'];
 }
 
-$tUseremail = $SESSID_USERNAME;
 include ("$incpath/templates/header.tpl");
 if (authentication_has_role('global-admin')) {
    include ("$incpath/templates/admin_menu.tpl");