The improvements are:
- Die with an explicit message when a user is trying to reset his lost password and the option is disabled in config
- Redirect user to main page after password change using relative URL
- Don't leak info whether user exists or has recovery info defined
- Throttle password reset requests to prevent brute force attacks
- Show phone/alt email fields in mailbox/admin edit form only when the password reset option is enabled
- Make database upgrade code compatible with other database types
- Use the existing password generator to generate OTP. It is now stored in database, unique to each user, valid only for 1 hour and can only be used once.
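
The reset properties listed above (same reply whether or not the account exists, throttled requests, a per-user code valid for 1 hour and usable once), as an added PHP sketch that is not PostfixAdmin's code. The class, function names, in-memory store and 5-minute throttle window are assumptions, and `random_bytes()` stands in for the project's own password generator.

```php
<?php
// Added illustration, not PostfixAdmin code. All names here are hypothetical.
const TOKEN_TTL = 3600;       // code is valid for 1 hour
const MIN_REQUEST_GAP = 300;  // assumed throttle: one request per 5 minutes per name

final class ResetStore {
    public array $users = ['alice@example.com' => true]; // constructed sample account
    public array $tokens = [];      // username => ['hash' => ..., 'expires' => ...]
    public array $lastRequest = []; // username => timestamp, kept for unknown names too
}

function request_reset(ResetStore $s, string $user, int $now): array {
    $generic = 'If the account exists, a code has been sent.';
    $throttled = isset($s->lastRequest[$user])
        && $now - $s->lastRequest[$user] < MIN_REQUEST_GAP;
    if (!$throttled) { $s->lastRequest[$user] = $now; }
    $code = null;
    if (!$throttled && isset($s->users[$user])) {
        $code = bin2hex(random_bytes(16));
        // Store only a hash; a new request replaces any earlier code for this user.
        $s->tokens[$user] = ['hash' => hash('sha256', $code),
                             'expires' => $now + TOKEN_TTL];
    }
    // 'deliver' goes out of band (mail/SMS); the visible message never varies.
    return ['message' => $generic, 'deliver' => $code];
}

function redeem_code(ResetStore $s, string $user, string $code, int $now): bool {
    $t = $s->tokens[$user] ?? null;
    // Compare against a dummy hash for unknown users so both paths do the same work.
    $expected = $t['hash'] ?? hash('sha256', 'no-such-token');
    $ok = hash_equals($expected, hash('sha256', $code))
        && $t !== null && $now <= $t['expires'];
    if ($ok) { unset($s->tokens[$user]); } // single use: delete on success
    return $ok;
}

// Constructed walk-through with fixed timestamps.
$s = new ResetStore();
$known = request_reset($s, 'alice@example.com', 1000);
$unknown = request_reset($s, 'nobody@example.com', 1000);
var_dump($known['message'] === $unknown['message']);   // existence is not revealed
var_dump(request_reset($s, 'alice@example.com', 1060)['deliver']); // inside throttle window
var_dump(redeem_code($s, 'alice@example.com', $known['deliver'], 2000)); // first use
var_dump(redeem_code($s, 'alice@example.com', $known['deliver'], 2001)); // replay
```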
This replaces the hardcoded "LIMIT 10" with "LIMIT <page_size>".
Patch by Dan <dannyro @SF>, https://sourceforge.net/p/postfixadmin/patches/133/
Additional change on top of Dan's patch:
- wrap $CONF['page_size'] in intval() to avoid that a broken config
setting can break or exploit the query
* Make it possible by config option that non global admins can send
broadcast messages to their domains.
* Allow the sender to select the domains the broadcast message should be
delivered to
* Allow the sender to decide if the broadcast message should just be
delivered to mailboxes
- add $msg['confirm'] (confirmation message when attempting to delete an
item, displayed by list.php)
*.lang:
- add various confirm_delete_* texts needed by *Handler
- rename confirm_domain to confirm_delete_domain
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1749 a1433add-5e2c-0410-b055-b7f2511e0802
- initStruct:
- set column write permissions depending on superadmin status
- add _can_edit and _can_delete (also depending on superadmin status)
- webformConfig(): reduce required permissions to 'admin'
- add beforestore() - aborts writing for non-superadmins
- delete: allow deletion only for superadmins
*.lang:
- new text 'no_delete_permissions'
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1718 a1433add-5e2c-0410-b055-b7f2511e0802
- check that $tActiveUntil >= today and $tActiveUntil >= $tActiveFrom
- update header comments
- display "vacation is active" notice also to admins
(based on a patch by J.Kruis @SF,
https://sourceforge.net/p/postfixadmin/patches/122/ )
*.lang:
- add
- pVacation_until_before_today
- pVacation_until_before_from
- reply_once_per_day
- change pUsersVacation_welcome_text to 'Auto response for %s is active!'
- remove "obsolete" marker from pUsersVacation_activefrom and
pUsersVacation_activeuntil, they are still used
nl.lang:
- translation update by J.Kruis @SF
https://sourceforge.net/p/postfixadmin/patches/122/
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1697 a1433add-5e2c-0410-b055-b7f2511e0802
- add note that $CONF[vacation_domain] can't be used for "normal" mails
model/DomainHandler.php:
- validate_new_id():
- error out when trying to add $CONF[vacation_domain]
- some whitespace fixes
- remove superfluous comment on initStruct()
*.lang:
- add 'domain_conflict_vacation_domain' error message
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1694 a1433add-5e2c-0410-b055-b7f2511e0802
restrict reply type to a list of options ($CONF[vacation_choice_of_reply]),
remove input field for custom interval
config.inc.php:
- change $CONF['vacation_choice_of_reply'] to [seconds] => [$PALANG label]
(note: reply to every mail is commented by default because it can be
annoying. Admins will have to explicitly add/enable it in their config.)
- remove $CONF[vacation_replytype_default]
- update comment about dovecot:* for $CONF[encrypt]
*.lang:
- add texts for reply types
VacationHandler.php:
- remove reply_type at various places
- set_away(): remove reply_type from list of function parameters
templates/vacation.tpl:
- update reply type dropdown for the changed $CONF['vacation_choice_of_reply']
- remove the input fields for custom reply delay
vacation.php:
- restrict reply type to a list of options ($CONF[vacation_choice_of_reply])
- if vacation is disabled, but old values are stored in the database,
change the activeFrom and activeUntil date to today to avoid users
having to scroll through the calendar a lot
xmlrpc.php:
- update set_away() call to match the removed parameter
upgrade.php:
- comment out upgrade_1345_mysql() which created the reply_type and
interval_time fields in the vacation table in mysql
- add upgrade_1610() to add the vacation.interval_time field
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1610 a1433add-5e2c-0410-b055-b7f2511e0802
- only allow @domain as target if $this->id is a catchall
- delete commented out version of delete()
- better error messages
languages/*.lang
- add new texts needed for AliasHandler
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1587 a1433add-5e2c-0410-b055-b7f2511e0802