Commit Graph

291 Commits (ba47f2df2ab18453fa46271372033dcd9a66440a)

Author SHA1 Message Date
Sylvain Tissot ffb84283c2
Harden password reset process
The improvements are:

- Die with an explicit message when a user is trying to reset his lost password and the option is disabled in config
- Redirect user to main page after password change using relative URL
- Don't leak info whether user exists or has recovery info defined
- Throttle password reset requests to prevent brute force attacks
- Show phone/alt email fields in mailbox/admin edit form only when the password reset option is enabled
- Make database upgrade code compatible with other databases types
- Use the existing password generator to generate OTP. It is now stored in database, unique to each user, valid only for 1 hour and can only by used once.
7 years ago
David Goodwin 8bb6000072 Merge pull request #60 from Vilican/master
Security fixes
7 years ago
Matyáš Koc 3c95ec4a09 Add CSRF token 7 years ago
Sylvain Tissot 9c9ba64a7f Allows a user or admin to reset his/her forgotten password with a code sent by email/SMS #18 7 years ago
Matyáš Koc e903484692 Links with target="_blank" should have rel="noopener" 7 years ago
Christian Boltz 4d9a0717d0 Merge pull request #26 from medarion/master
added config option to disable "edit_alias" function for users
7 years ago
Jan-Frederik Rieckers 54532e7cee
Fix issue with checkbox in broadcast 8 years ago
Christian Boltz 8aecf3eae3 Merge branch 'master' into broadcast_improvements 8 years ago
Christian Boltz 67a6d0e27a
use $CONF[page_size] in viewlog.php
This replaces the hardcoded "LIMIT 10" with "LIMIT <page_size>".

Patch by Dan <dannyro @SF>, https://sourceforge.net/p/postfixadmin/patches/133/

Additional change on top of Dan's patch:
- wrap $CONF['page_size'] in intval() to avoid that a broken config
  setting can break or exploit the query
8 years ago
Martin Oemus 9aba43ee48 added config option to disable "edit_alias" function for users 8 years ago
Christian Boltz 04e54508e5 Merge pull request #19 from rmcaninch/rmcaninch-patch-1
add css id #update-check to footer.tpl

This allows to hide the "check for updates" link using a custom CSS with '#update-check { display:none; }'
8 years ago
Jan-Frederik Rieckers 3c360f646f
Switch config item for broadcast.
The new config item is now `sendmail_all_admins`
8 years ago
Jan-Frederik Rieckers 3c3d844130
Improve the broadcast message tool
* Make it possible by config option that non global admins can send
  broadcast messages to their domains.
* Allow the sender to select the domains the broadcast message should be
  delivered to
* Allow the sender to decide if the broadcast message should just be
  delivered to mailboxes
8 years ago
rmcaninch 137c9ac9d1 css id update-check added to footer.tpl
Simplify hiding the software update check from display. Not really for security. More for aesthetics; and keeping the more basic users from questioning it. Add #update-check {display: none;} to your custom css. See related feature patch: https://sourceforge.net/p/postfixadmin/patches/134/
8 years ago
Christian Boltz 74130b478c list-virtual.tpl: add missing "download as CSV" for mailboxes
Reported by Dan <dannyro @SF> in
https://sourceforge.net/p/postfixadmin/patches/135/

Note that I'm using a completely different patch to fix it.


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1880 a1433add-5e2c-0410-b055-b7f2511e0802
8 years ago
Christian Boltz 52a7df2b3a Add CSRF protection for POST requests
Add the CSRF token to all forms, and validate it when those forms are
submitted.

https://sourceforge.net/p/postfixadmin/bugs/372/



git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1842 a1433add-5e2c-0410-b055-b7f2511e0802
9 years ago
Christian Boltz 530c489ec4 editform.tpl:
- add {if} block for description column to make customization for
  special fields/cases easier


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1829 a1433add-5e2c-0410-b055-b7f2511e0802
9 years ago
Christian Boltz 2102c1baa8 list.tpl:
- 'itemkey' escaping again. I found another corner case that was broken
  with |escape:"html". Therefore switch to the exact htmlentities() call
  that we use in smarty.inc.php.


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1827 a1433add-5e2c-0410-b055-b7f2511e0802
9 years ago
Christian Boltz 48dde6468a list.tpl:
- getting the key from $RAW_item.$id_field turned out to be broken in
  corner cases, leading to empty output. The better (and simpler) fix is
  to just let the foreach loop set 'itemkey'.
- the example for special handling of a specific table and field
  contained a superfluous </tr>




git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1826 a1433add-5e2c-0410-b055-b7f2511e0802
9 years ago
Christian Boltz ba46282f92 use smarty html_options instead of select_options()
list-virtual and viewlog were the last users of select_options()

smarty.inc.php:
- drop (now unused) select_options()



git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1822 a1433add-5e2c-0410-b055-b7f2511e0802
9 years ago
Christian Boltz 085e7e4bfb list.tpl:
- base edit, editactive and delete links on $RAW_item to avoid double
  escaping ($items is already html-escaped, and we url-escape it for
  links). This fixes the remaining part of
  http://sourceforge.net/p/postfixadmin/bugs/356/
- simplify displaying "html" fields by using $RAW_item. This also fixes
  problems with funny[tm] item names that differ when html-encoded (like
  the ' char)



git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1812 a1433add-5e2c-0410-b055-b7f2511e0802
9 years ago
Christian Boltz 680e96b590 list-virtual_alias_domain:
- also assign RAW_items (from $RAW_tAliasDomains)



git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1811 a1433add-5e2c-0410-b055-b7f2511e0802
9 years ago
Christian Boltz 7cf10f81a7 list*.tpl
- display the "Go" button only if javascript is disabled (the dropdowns
  have an onchange event defined, which makes the "Go" button superfluous)


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1780 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago
Christian Boltz 993c0ec2b6 list.tpl:
- improve headline:
  - in search mode, display the search term instead of the last selected
    domain (which isn't useful at all when displaying search results)
  - display number of aliases and mailboxes only in domain mode (they
    are useless/wrong in search mode)



git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1779 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago
Christian Boltz d2a80adedc list-virtual.tpl:
- update/fix search part of subnav links (all/mailboxes/aliases/alias domains)
  for $search[_]


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1778 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago
Christian Boltz 37bba15625 Use list.tpl to display the alias list
list-virtual.php:
- use list.tpl for aliases
- move show_gen_status handling for aliases to AliasHandler

AliasHandler:
- initStruct():
  - add 'status' column (hidden by default)
  - hide 'created'
  - move 'active' after 'modified' to match old list-virtual.php layout
- initMsg: add list_header
- webformConfig(): if $CONF[show_status], set display_in_list for
  'status' column. Also set a (whitespace) label to make sure it's
  displayed
- db_read_from_db_postprocess(): if 'status' column is requested, call
  gen_show_status() for each row

list-virtual.tpl
- remove alias table header and create alias button (which should have
  been in list-virtual_alias.tpl)

list-virtual_alias.tpl:
- replace code to generate the alias table with {include 'list.tpl'}
  (and some variable assignments)


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1777 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago
Christian Boltz adc038e218 list.tpl:
- add support for list_header (like ":: Alias" in list-virtual)

PFAHandler:
- add empty default for $msg['list_header']


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1776 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago
Christian Boltz 35fad174f7 smarty.inc.php:
- assign(): additionally provide the unsanitized values as RAW_$key

PFAHandler.php:
- document 'html' field type (used for raw html), including a big warning

list.tpl:
- add handling to display raw html fields

This is a preparation to use the status markers with list.tpl without
introducing too big changes.


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1775 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago
Christian Boltz 3a72203de4 AliasHandler:
- initStruct(): replace (wrong) 'editable' with '_can_edit' and '_can_delete'
- read_from_db_postprocess(): disable _can_edit and _can_delete for
  default aliases if special_alias_control is off and not superadmin

list.tpl:
- use $item._can_edit instead of $check_alias_owner

list-virtual.php:
- drop $check_alias_owner variable and check_alias_owner() call
  (replaced by the code added in AliasHandler)
- drop unused $sql_domain

functions.inc.php:
- delete no longer used check_alias_owner() function



git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1774 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago
Christian Boltz 8043515fdf migrate search input field to use search[_], and use list.tpl for alias domains
User-visible changes:
- alias domain list can be downloaded as CSV
- no more search highlighting for alias domains

list-virtual.php:
- expect $search to be an array
- change alias domain handling to use list.php instead of
  list-virtual_alias_domain.tpl, and move some logic from the template
  to list-virtual.php. (The template file is kept as list.tpl wrapper.)
- adopt mailbox and alias search to $search[_]
- adopt pagebrowser to $search[_]

list-virtual_alias_domain.tpl:
- replace custom output generation with {include 'list.php'} and some
  variable assignments

PFAHandler.php:
- add $this->id_field to $this->msg (avoids another smarty template
  variable)

configs/menu.conf:
- change input name to search[_]

list-virtual_alias.tpl, list-virtual_mailbox.tpl:
- adopt to $search[_] by setting $search in a backwards-compatible way

list.tpl:
- add special handling for aliasdomain.target_domain linking



git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1773 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago
Christian Boltz 4ce0a57e83 PFAHandler:
- add protected $searchfields = array(); - list of fields to search by
  default, if just a search term is given. This will be done with
  $search['_'], but that code is not implemented yet.
- add $this->msg['show_simple_search'] (true if $searchfields is non-empty)

list.tpl:
- display search input box and search overview only if $searchfields is
  not empty

AliasdomainHandler:
- add 'alias_domain' and 'target_domain' to $searchfields

MailboxHandler:
- add 'username' to $searchfields

AliasHandler:
- add 'address' and 'goto' to $searchfields

This effectively means that the search input box is no longer displayed
in list.php for admin, domain and fetchmail listings.


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1770 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago
Christian Boltz 6e5c8f8054 add 'can_create' flag
PFAHandler:
- add $msg['can_create'] (true by default)

DomainHandler:
- set $msg['can_create'] based on is_superadmin

list.tpl:
- display 'create' button only if $msg['can_create'] is true

Note: This is only an optical improvement, not a permission check.


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1769 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago
Christian Boltz 4322486b21 delete fetchmail.php and templates/fetchmail.tpl
(replaced by FetchmailHandler)


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1765 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago
Christian Boltz dd43f12e9b delete list-admin.php and its template, use list.php instead
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1754 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago
Christian Boltz 64c6e9f0a0 list.tpl:
- fix displaying list and txtl fields


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1751 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago
Christian Boltz eb7e40cf94 PFAHandler, editform.tpl:
- add support for 'b64p' fields (passwords stored base64-encoded)
  as preparation to migrate fetchmail.php to FetchmailHandler


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1750 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago
Christian Boltz 86dc74fd86 menu.tpl:
- display "view log" menu entry only if logging is enabled
  https://sourceforge.net/p/postfixadmin/patches/127/


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1748 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago
Christian Boltz 6e82a41121 delete list-domain.php and its templates
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1747 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago
Christian Boltz 1d35ba80ab model/DomainHandler.php:
- initStruct():
  - add optical quota indicators for aliases, mailboxes, domain quota
  - some adjustments to get nice output with list.php (mostly following
    list-domain.php)
- webformConfig(): switch listview to list.php

configs/menu.conf, templates/adminlistadmin.tpl:
- switch list-domain.php to list.php?table=domain



git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1745 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago
Christian Boltz 4bc2d5f691 list.tpl, default.css:
- format unlimited/disabled quota similar to x/y, but no border


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1743 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago
Christian Boltz 6051729458 list.tpl:
- make "active" a link only if the record is editable


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1741 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago
Christian Boltz 03b0c869dd list.php:
- add search support:
  - new parameters:
    - search[$field] - value to search for
    - searchmode[$field] - search mode (=, <, > etc.)
    - reset_search - if given, empty $search and $searchmode
  - remember $search and $searchmode via session
  - display errormsg and infomsg from $handler, if any
 
list.tpl:
- display current search parameters and a "[x]" link to remove all
  search parameters

This change doesn't add a search form, but you can use ?search[field]=
and ?searchmode[field]= URL parameters


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1732 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago
Christian Boltz d2490f6153 list.tpl:
- add support for $struct[linkto]



git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1727 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago
Christian Boltz 7a23b3cda8 list.tpl:
- add handling for quota fields (visual quota indicator)


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1726 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago
Christian Boltz a826564962 list.php:
- add CSV export

list.tpl:
- add "export as CSV" link

*.lang:
- new text 'download_csv'


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1725 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago
Christian Boltz 1e35c579b6 list.php, list.tpl:
- use smarty-style dropdown for admin dropdown instead of select_options()
- only display admin dropdown if more than one admin is available
  (which basically means hiding it for domain admins)


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1723 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago
Christian Boltz b5a6417a6e add list.php and list.tpl - generic files to display lists
(will replace list-admin, list-domain etc.)

list.php:
- generic list view, select *Handler with ?table=

list.tpl:
- display list view
- columns based on $struct (every column with display_in_list and 
  non-empty label will be displayed)


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1722 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago
Christian Boltz 1ad0d6832b editform.tpl:
- display cleartext value instead of key for readonly enma fields


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1721 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago
Christian Boltz 3d58d1f092 editform.tpl:
- add handling for 'enma' fields (see PFAHandler r1711)


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1720 a1433add-5e2c-0410-b055-b7f2511e0802
10 years ago
Christian Boltz e670bcd5b8 list-virtual_mailbox.tpl:
- fix: display quota if $CONF[used_quotas] == NO
  https://sourceforge.net/p/postfixadmin/bugs/307/



git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1674 a1433add-5e2c-0410-b055-b7f2511e0802
11 years ago