- html-escape flash_info() / flash_error() messages to fix XSS if the
message contains user-supplied input
(thanks to Filippo Cavallarin for the report)
Note: This will cause ugly output for some German error messages which
contain ü etc., and the warning message in backup.php (with some
HTML tags included) will also look totally ugly.
Nevertheless, that's still better than XSS attacks ;-)
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1331 a1433add-5e2c-0410-b055-b7f2511e0802
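The fix described in this commit in worked form, as an added example that is not PostfixAdmin's code: a minimal flash-message store rendered first without and then with HTML escaping. It assumes htmlspecialchars() with an explicit UTF-8 charset, which rewrites only <, >, &, " and ', so non-ASCII text such as ü passes through unchanged; the class, the method names and the alias name in the sample input are constructed for the example.

```php
<?php
// Added example (not PostfixAdmin's code): a minimal flash-message store
// showing the unescaped ("before") and escaped ("after") rendering of
// messages that may carry user-supplied input.

declare(strict_types=1);

final class FlashMessages
{
    /** @var array<int, array{level: string, text: string}> */
    private array $messages = [];

    public function info(string $text): void
    {
        $this->messages[] = ['level' => 'info', 'text' => $text];
    }

    public function error(string $text): void
    {
        $this->messages[] = ['level' => 'error', 'text' => $text];
    }

    // VULNERABLE: the message text is interpolated into HTML verbatim, so a
    // message built from user input can inject markup and script.
    public function renderUnescaped(): string
    {
        $out = '';
        foreach ($this->messages as $m) {
            $out .= "<div class=\"{$m['level']}\">{$m['text']}</div>\n";
        }
        return $out;
    }

    // FIXED: every message is HTML-escaped at output time. ENT_QUOTES also
    // neutralises ' and " (safe inside attribute values), ENT_SUBSTITUTE
    // replaces invalid UTF-8 instead of returning an empty string, and the
    // explicit charset keeps non-ASCII such as ü intact, because only the
    // five HTML metacharacters are rewritten.
    public function renderEscaped(): string
    {
        $out = '';
        foreach ($this->messages as $m) {
            $safe = htmlspecialchars($m['text'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            $out .= "<div class=\"{$m['level']}\">{$safe}</div>\n";
        }
        return $out;
    }
}

// Constructed input: an attacker-controlled alias name ends up in an error
// message, and a German info message carries a non-ASCII character.
$alias = '<script>alert(document.cookie)</script>@example.com';
$flash = new FlashMessages();
$flash->error(sprintf('Alias %s does not exist', $alias));
$flash->info('Die Änderung wurde gespeichert');

echo "--- unescaped (script tag reaches the browser) ---\n";
echo $flash->renderUnescaped();
echo "--- escaped (tags become literal text, umlaut untouched) ---\n";
echo $flash->renderEscaped();
```

The trade-off noted in the commit message still applies: a message that deliberately carries markup (the backup.php warning) is now shown with its tags as literal text. The clean way out is to keep markup out of the message text, or to escape the untrusted fragment before wrapping it in trusted markup, rather than to skip escaping for that one call.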
- PHP around 5.3.8 includes hex2bin as native function - http://php.net/hex2bin
therefore we have to wrap our function (which fortunately gives the same
results) with function_exists().
Reported by MadOtis on #postfixadmin
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1328 a1433add-5e2c-0410-b055-b7f2511e0802
- deleted, obsoleted by edit.php?table=alias
functions.inc.php:
- drop function check_alias() - it was only used by create-alias.php
(AliasHandler has a similar function create_allowed(), which is a
copy of check_alias() with superfluous {...} removed)
configs/menu.conf
- replace create-alias.php with edit.php?table=alias
- append "?" to url_create_mailbox to avoid temporary change in menu.tpl
(create-mailbox is the only one which still needs ? instead of &)
templates/list-virtual.tpl:
- use {#url_create_alias#} instead of hardcoded create-alias.php
templates/menu.tpl:
- $url_domain: url-escape domain, use & instead of ?
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1317 a1433add-5e2c-0410-b055-b7f2511e0802
- override init() - change '*@domain' -> '@domain', then call parent::init()
- validate_new_id(): allow catchall ('@domain'), check only domain in this case
- create_allowed(): copy of check_alias() from functions.inc.php, with
superfluous { ... } removed
- remove forgotten debugging from mergeId()
- _field_goto():
- allow '@domain' targets (domain-wide forward)
- use an array to collect error messages - that avoids 'uninitialized'
warnings and makes it easy to change the join() glue if needed
Overall status:
- create-alias is now fully supported
- handling of vacation and mailbox aliases is still on my TODO list, which
means we still need edit-alias for now
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1316 a1433add-5e2c-0410-b055-b7f2511e0802
- New target prep: Create a needed tar.gz file to build a non-native .dpkg
- New target build-package: Call this target to build a shiny new .dpkg file.
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1313 a1433add-5e2c-0410-b055-b7f2511e0802
(TODO: catchall handling, mailbox and vacation aliases)
AliasHandler.php
- drop unused $username
- set $domain_field
- initStruct():
- use correct labels
- set 'domain' field options to allowed domains
- add (virtual) 'localpart' field
- add comments for more virtual fields
- add webformConfig() (note: modifies $struct on $new - otherwise we
couldn't use the domain dropdown in the web interface)
- add mergeId to merge localpart and domain to address (called by
edit.php _before_ ->init)
- add validate_new_id() (doesn't work for catchall yet)
- add setmore() to
- fill 'domain' based on 'address'
- convert $values[goto] from array to comma-separated string
- add read_from_db_postprocess to split goto to an array
(TODO: handling of mailbox and vacation aliases)
- add _field_goto() validator
- add empty, commented dummy delete() that will replace the "old"
delete function one day
- make hasAliasRecord() private (only used internally)
- mark all "old" functions as obsolete
edit.php:
- add handling of txtl field (convert textarea to array)
- call $handler->mergeId if $id_field is editable, but not displayed
in form (usecase: merge localpart + domain to address)
editform.tpl:
- add handling of txtl fields (textarea, filled by array)
PFAHandler.php:
- add setmore() hook function - runs at the end of set()
AdminHandler.php:
- add a comment for 'txtl' (array of one line texts, like alias goto)
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1311 a1433add-5e2c-0410-b055-b7f2511e0802
- add initStruct() (not the final version, but works for now)
- add initMsg()
- replace $this->username with $this->id everywhere
- drop __construct() - default __construct will be used now
users/edit-alias.php, xmlrpc.php, VacationHandler.php, scripts/shells/alias.php:
- use default init sequence for AliasHandler (new, then ->init())
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1310 a1433add-5e2c-0410-b055-b7f2511e0802
- use edit.php to switch active status for alias domains
edit-active.php:
- remove now superfluous handling of alias domains
configs/menu.conf:
- remove now superfluous url_edit_active (templates for list-mailbox
and list-alias use hardcoded 'edit-active.php')
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1308 a1433add-5e2c-0410-b055-b7f2511e0802
- use edit.php to switch active status for domains
edit-active-admin.php:
- deleted, obsoleted by using edit.php
configs/menu.conf:
- remove now superfluous url_edit_active_admin
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1307 a1433add-5e2c-0410-b055-b7f2511e0802
- use edit.php to switch active status for domains
- display backupmx and active status as yes/no instead of 1/0
edit-active-domain.php
- deleted, obsoleted by using edit.php
configs/menu.conf
- remove now superfluous url_edit_active_domain
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1306 a1433add-5e2c-0410-b055-b7f2511e0802
- implement switching active status using *Handler
(uses additional 'active' url parameter, which must be 0 or 1)
- document GET parameters
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1305 a1433add-5e2c-0410-b055-b7f2511e0802
- add rewritten function create_admin() (now using AdminHandler,
which means 25 instead of 80 lines)
- various follow-up changes to match the rewritten function create_admin()
functions.inc.php:
- delete function create_admin() - setup.php was the last file calling it
- honor POSTFIXADMIN_SETUP in authentification_get_username() to avoid
a redirect to login.php after creating an admin with setup.php and to
get "SETUP.PHP" for db_log()
model/AdminHandler.php:
- add TODO: implement generate_password
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1301 a1433add-5e2c-0410-b055-b7f2511e0802
- allow log actions create_admin and edit_admin
- add edit_admin_state and delete_admin as comment/reminder that they
should also be logged
*.lang:
- add text for the new "create admin" and "edit admin" log actions
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1298 a1433add-5e2c-0410-b055-b7f2511e0802
- store unchecked input values given to set() in $this->RAWvalues before
running the validation functions. This is needed to make comparing
password and password2 possible.
(uppercase RAW intentional to make usage harder - hopefully hard enough
to give everybody who wants to use it some time to think over secure
programming when working with unchecked input ;-)
AdminHandler.php:
- compare password and password2
This commit means AdminHandler is complete :-)
(Note: db_log can't handle the admin-related log actions yet.)
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1297 a1433add-5e2c-0410-b055-b7f2511e0802
- fix field type for skipping password fields (must be 'pass', not 'password')
- implement validation of 'pass' fields with validate_password()
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1293 a1433add-5e2c-0410-b055-b7f2511e0802
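The validation pattern sketched across the commits above (the 'active' parameter that must be 0 or 1 in r1305, RAWvalues and the password/password2 comparison in r1297, validate_password() for 'pass' fields in r1293, and the setmore() hook that runs at the end of set() in r1311) in one worked example. This is added code, not the project's PFAHandler or AdminHandler: the field names, the 'active' default, the username character set and the eight-character password policy are assumptions.

```php
<?php
// Added example (not PostfixAdmin's code): a cut-down handler that keeps the
// unchecked input apart from the validated values, validates each field by
// its declared type, and runs the cross-field password check in a setmore()
// hook at the end of set(). Field names, defaults and the password policy
// are assumptions for the example.

declare(strict_types=1);

final class MiniAdminHandler
{
    /** Field definitions; 'type' selects the validator. */
    private const STRUCT = [
        'username'  => ['type' => 'text', 'required' => true],
        'password'  => ['type' => 'pass', 'required' => true],
        'password2' => ['type' => 'pass', 'required' => true],
        'active'    => ['type' => 'bool', 'required' => false, 'default' => 1],
    ];

    /** Unchecked input: only for cross-field checks, never for storage. */
    private array $RAWvalues = [];
    /** Validated values: the only data that may reach the database. */
    private array $values = [];
    /** @var string[] */
    public array $errors = [];

    public function set(array $input): bool
    {
        $this->RAWvalues = $input;
        $this->values = [];
        $this->errors = [];

        foreach (self::STRUCT as $field => $spec) {
            $raw = $input[$field] ?? '';
            if (!is_scalar($raw)) {               // e.g. ?password[]=x
                $this->errors[] = "$field: unexpected type";
                continue;
            }
            $raw = (string) $raw;
            if ($raw === '') {
                if ($spec['required']) {
                    $this->errors[] = "$field: required";
                } else {
                    $this->values[$field] = $spec['default'];
                }
                continue;
            }
            switch ($spec['type']) {
                case 'text':
                    if (preg_match('/^[a-z0-9._@-]{1,64}$/i', $raw)) {
                        $this->values[$field] = $raw;
                    } else {
                        $this->errors[] = "$field: invalid characters";
                    }
                    break;
                case 'bool':                      // must be exactly 0 or 1
                    if ($raw === '0' || $raw === '1') {
                        $this->values[$field] = (int) $raw;
                    } else {
                        $this->errors[] = "$field: must be 0 or 1";
                    }
                    break;
                case 'pass':                      // checked here, stored in setmore()
                    if (!$this->validatePassword($raw)) {
                        $this->errors[] = "$field: at least 8 characters";
                    }
                    break;
            }
        }
        if ($this->errors === []) {
            $this->setmore();
        }
        return $this->errors === [];
    }

    private function validatePassword(string $pw): bool
    {
        return strlen($pw) >= 8;                  // policy is an assumption
    }

    /** Hook run at the end of set(): cross-field checks and derived values. */
    private function setmore(): void
    {
        $pw = (string) $this->RAWvalues['password'];
        if (!hash_equals($pw, (string) $this->RAWvalues['password2'])) {
            $this->errors[] = 'password2: the two passwords do not match';
            return;
        }
        // Store only the hash; the plaintext never leaves RAWvalues.
        $this->values['password'] = password_hash($pw, PASSWORD_DEFAULT);
    }

    public function values(): array
    {
        return $this->values;
    }
}

$h = new MiniAdminHandler();
$base = ['username' => 'admin@example.com', 'password' => 'correct horse'];
var_dump($h->set($base + ['password2' => 'correct horse', 'active' => '1']));
var_dump($h->set($base + ['password2' => 'wrong horse', 'active' => '0']));
print_r($h->errors);
var_dump($h->set($base + ['password2' => 'correct horse', 'active' => 'yes']));
print_r($h->errors);
```

Two points worth keeping when adapting this: the confirmation field is compared against the raw copy and is never written into $values, so the only password material that can be stored is the hash produced after validation; and a boolean coming from the URL is compared as the exact strings '0' and '1' rather than cast, so 'yes', '2' or 'true' are rejected instead of being silently turned into 1.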
- add empty no_domain_field() to disable default die() from PFAHandler
- $struct:
- changed 'superadmin' to normal bool field (+ TODO note)
- changed 'password2' to be an alias of password in SELECT
- init 'domains' default with array() and options with list_domains(),
- storemore():
- implement storing domains in domain_admins table
- implement storing ALL in domain_admins table for superadmins to
keep the database backwards-compatible with 2.3.x for now
- add read_from_db_postprocess() to convert the domains list to an array
This makes AdminHandler work with edit.php?table=admin
(Some fine-tuning at various places/files is still missing.)
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1291 a1433add-5e2c-0410-b055-b7f2511e0802
- implement handling of 'list' fields (<select> with multiple choices
allowed)
- also include alternative implementation with checkboxes (commented out)
- change {$value_{$key}} to $value_{$key} for 'enum' to stay in sync
with 'list' ('list' fails with the additional {...} because it converts
the array to the string "Array") (seems to be new behaviour in Smarty
3.1.5 - IIRC 3.0.7 required the additional {...})
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1290 a1433add-5e2c-0410-b055-b7f2511e0802
- use SmartyBC (Backwards Compatible) instead of Smarty class to keep
{php} in templates working (do we really need this?)
- remove obsolete allow_php_tag
- config_dir default value is now an array
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1289 a1433add-5e2c-0410-b055-b7f2511e0802
- also include column in SELECT if display_in_form != 0
- call read_from_db_postprocess() hook before returning data
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1287 a1433add-5e2c-0410-b055-b7f2511e0802
- split code to handle domain_field == "" && admin_username != ""
from __construct() to no_domain_field().
Default behaviour stays to die(), but AdminHandler will override it
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1286 a1433add-5e2c-0410-b055-b7f2511e0802
- upgrade_1284(): migrate the ALL domain to the superadmin column
Note: The ALL domain is not (yet) deleted to stay backwards-compatible
for now (will be done in a later upgrade function)
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1284 a1433add-5e2c-0410-b055-b7f2511e0802
- upgrade_1283(): add a "superadmin" column to the admin table
This is the first step to get rid of the "ALL" dummy domain.
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1283 a1433add-5e2c-0410-b055-b7f2511e0802
- use AdminHandler
- move displaying the superadmin flag to the template
templates/adminlistadmin.tpl:
- update to the fieldnames provided by AdminHandler (name->username)
- move displaying the superadmin flag to the template
functions.inc.php:
- delete function get_admin_properties() (was only used by list-admin
and is not needed anymore) -> 48 lines less :-)
- add TODO to list_admins() to use AdminHandler
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1282 a1433add-5e2c-0410-b055-b7f2511e0802
- add log action 'edit_alias_domain'
- update outdated comment to point to $action_list instead of
maintaining the list as comment _and_ variable
languages/*.lang
- add $PALANG['pViewlog_action_edit_alias_domain']
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1278 a1433add-5e2c-0410-b055-b7f2511e0802
(yes, we get edit mode "for free")
model/AliasdomainHandler.php:
- add webformConfig()
configs/menu.conf:
- change url_create_alias_domain to edit.php?table=aliasdomain
templates/list-virtual_alias_domain.tpl
- change ?target_domain to &target_domain
(TODO: this is currently ignored by edit.php)
- add edit link (TODO: add log action to avoid the error message)
create-alias-domain.php:
- deleted :-)
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1275 a1433add-5e2c-0410-b055-b7f2511e0802
edit.php:
- use ?table= parameter to decide what will be edited
- generate (and validate) Handler classname based on ?table=
- read handler-specific configuration from $handler->webformConfig()
and use it at various places
- add option to run $handler->init() early. Useful for $new in case
of AliasdomainHandler which might fail if all domains are already
aliased.
- always redirect to edit.php?table=$table after adding an item to
ensure correct initialization for next item
templates/editform.tpl:
- add hidden field "table"
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1274 a1433add-5e2c-0410-b055-b7f2511e0802
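One way to carry out the "generate (and validate) Handler classname based on ?table=" step, as an added example that is not the project's own edit.php: the parameter is looked up in an explicit allowlist and only the mapped class is instantiated. The Handler interface, the two stub handler classes and their webformConfig() return values are assumptions for the example.

```php
<?php
// Added example (not PostfixAdmin's code): resolve ?table= to a handler class
// through an explicit allowlist, so a request can only name classes the
// application intends to expose. Interface, stub classes and config values
// are assumptions.

declare(strict_types=1);

interface Handler
{
    public function webformConfig(): array;
}

final class AdminHandler implements Handler
{
    public function webformConfig(): array { return ['formtitle' => 'Admin']; }
}

final class AliasdomainHandler implements Handler
{
    public function webformConfig(): array { return ['formtitle' => 'Alias domain']; }
}

final class HandlerFactory
{
    /** The only ?table= values accepted, mapped to their handler classes. */
    private const TABLES = [
        'admin'       => AdminHandler::class,
        'aliasdomain' => AliasdomainHandler::class,
    ];

    public static function fromRequest(array $get): Handler
    {
        $table = $get['table'] ?? '';
        // is_string() rejects ?table[]=admin (an array, which would also make
        // array_key_exists() throw a TypeError); the exact-match lookup rejects
        // any value not listed, so "table=PDO", "table=Admin" or "table=../x"
        // can never reach `new $class`.
        if (!is_string($table) || !array_key_exists($table, self::TABLES)) {
            throw new InvalidArgumentException('invalid table parameter');
        }
        $class = self::TABLES[$table];
        return new $class();
    }
}

// Constructed requests: two valid, one case variant, one unknown class
// name, one array-valued parameter.
$requests = [
    ['table' => 'admin'],
    ['table' => 'aliasdomain'],
    ['table' => 'Admin'],
    ['table' => 'stdClass'],
    ['table' => ['admin']],
];
foreach ($requests as $get) {
    try {
        $h = HandlerFactory::fromRequest($get);
        echo get_class($h), ': ', $h->webformConfig()['formtitle'], "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', json_encode($get), "\n";
    }
}
```

The pattern to avoid is building the class name from the raw string (ucfirst($table) . 'Handler') and checking only class_exists(): that still lets the request pick any loadable class whose name ends in Handler, and the following `new $class` runs its constructor. The allowlist keeps the set of reachable classes in one place, which also makes the hidden "table" field added to editform.tpl in this commit safe to trust only after it has been looked up again on the server.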