diff --git a/edit-alias.php b/edit-alias.php index 6e5f4e67..75356ca8 100644 --- a/edit-alias.php +++ b/edit-alias.php @@ -38,53 +38,67 @@ if($CONF['alias_control_admin'] == 'NO' && !authentication_has_role('global-admi die("Check config.inc.php - domain administrators do not have the ability to edit user's aliases (alias_control_admin)"); } -if ($_SERVER['REQUEST_METHOD'] == "GET") +/* retrieve existing alias record for the user first... may be via GET or POST */ + +if(isset($_GET['address']) && isset($_GET['domain'])) { + $fAddress = escape_string($_GET['address']); + $fDomain = escape_string($_GET['domain']); +} +elseif(isset($_POST['address']) && isset($_POST['domain'])) { + $fAddress = escape_string($_POST['address']); + $fDomain = escape_string($_POST['domain']); +} +else { + die("Required parameters not present"); +} + +/* Check the user is able to edit the domain's aliases */ +if(!check_owner($SESSID_USERNAME, $fDomain) && !authentication_has_role('global-admin')) { - if (isset ($_GET['address'])) $fAddress = escape_string ($_GET['address']); - if (isset ($_GET['domain'])) $fDomain = escape_string ($_GET['domain']); + die("You lack permission to do this. yes."); +} - if (check_owner ($SESSID_USERNAME, $fDomain) || authentication_has_role('global-admin')) - { - $result = db_query ("SELECT * FROM $table_alias WHERE address='$fAddress' AND domain='$fDomain'"); +$table_alias = table_by_key('alias'); +$alias_list = array(); +$orig_alias_list = array(); +$result = db_query ("SELECT * FROM $table_alias WHERE address='$fAddress' AND domain='$fDomain'"); +if ($result['rows'] == 1) +{ + $row = db_array ($result['result']); + $tGoto = $row['goto']; + + $orig_alias_list = explode(',', $tGoto); + $alias_list = $orig_alias_list; + //. if we are not a global admin, and special_alias_control is NO, hide the alias that's the mailbox name. + if($CONF['special_alias_control'] == 'NO' && !authentication_has_role('global-admin')) { + /* Has a mailbox as well? Remove the address from $tGoto in order to edit just the real aliases */ + $result = db_query ("SELECT * FROM $table_mailbox WHERE username='$fAddress' AND domain='$fDomain'"); if ($result['rows'] == 1) { - $row = db_array ($result['result']); - $tGoto = $row['goto']; - - //. if we are not a global admin, and special_alias_control is NO, hide the alias that's the mailbox name. - if($CONF['special_alias_control'] == 'NO' && !authentication_has_role('global-admin')) { - /* Has a mailbox as well? Remove the address from $tGoto in order to edit just the real aliases */ - $result = db_query ("SELECT * FROM $table_mailbox WHERE username='$fAddress' AND domain='$fDomain'"); - if ($result['rows'] == 1) - { - $tGoto = preg_replace ('/\s*,*\s*' . $fAddress . '\s*,*\s*/', '', $tGoto); + $alias_list = array(); // empty it, repopulated again below + foreach($orig_alias_list as $alias) { + if(strtolower($alias) == strtolower($fAddress)) { + // mailbox address is dropped if they don't have special_alias_control enabled, and/or not a global-admin + } + else { + $alias_list[] = $alias; } } } } - else - { - $tMessage = $PALANG['pEdit_alias_address_error']; - } +} +else { + die("Invalid alias / domain combination"); } if ($_SERVER['REQUEST_METHOD'] == "POST") { $pEdit_alias_goto = $PALANG['pEdit_alias_goto']; - if (isset ($_GET['address'])) $fAddress = escape_string ($_GET['address']); - $fAddress = strtolower ($fAddress); - if (isset ($_GET['domain'])) $fDomain = escape_string ($_GET['domain']); if (isset ($_POST['fGoto'])) $fGoto = escape_string ($_POST['fGoto']); $fGoto = strtolower ($fGoto); - if (! (check_owner ($SESSID_USERNAME, $fDomain) || authentication_has_role('global-admin')) ) - { - $error = 1; - $tGoto = $_POST['fGoto']; - $tMessage = $PALANG['pEdit_alias_domain_error'] . "$fDomain"; - } - elseif (!check_alias_owner ($SESSID_USERNAME, $fAddress)) + if (!check_alias_owner ($SESSID_USERNAME, $fAddress)) { $error = 1; $tGoto = $fGoto; @@ -104,39 +118,37 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") $tMessage = $PALANG['pEdit_alias_goto_text_error1']; } + $new_aliases = array(); if ($error != 1) { - $array = preg_split ('/,/', $goto); - } - else - { - $array = array(); + $new_aliases = explode(',', $goto); } - for ($i = 0; $i < sizeof ($array); $i++) { - if (in_array ("$array[$i]", $CONF['default_aliases'])) continue; - if (empty ($array[$i])) continue; # TODO: should never happen - remove after 2.2 release - if (!check_email ($array[$i])) + foreach($new_aliases as $address) { + if (in_array($address, $CONF['default_aliases'])) continue; + if (empty($address)) continue; # TODO: should never happen - remove after 2.2 release + if (!check_email($address)) { $error = 1; $tGoto = $goto; - $tMessage = $PALANG['pEdit_alias_goto_text_error2'] . "$array[$i]"; + $tMessage = $PALANG['pEdit_alias_goto_text_error2'] . "$address"; } } $result = db_query ("SELECT * FROM $table_mailbox WHERE username='$fAddress' AND domain='$fDomain'"); - /* The alias has a real mailbox as well, prepend $goto with it */ if ($result['rows'] == 1) { - // ensure mailbox alias exists... if they're a domain admin, and they're not allowed to... if($CONF['alias_control_admin'] == 'NO' && !authentication_has_role('global-admin')) { - $array[] = $fAddress; + // if original record had a mailbox alias, so ensure the updated one does too. + if(in_array($orig_alias_list, $fAddress)) { + $new_aliases[] = $fAddress; + } } } // duplicates suck, mmkay.. - $array = array_unique($array); + $new_aliases = array_unique($new_aliases); - $goto = implode(',', $array); + $goto = implode(',', $new_aliases); if ($error != 1) {