The improvements are:
- Die with an explicit message when a user is trying to reset his lost password and the option is disabled in config
- Redirect user to main page after password change using relative URL
- Don't leak info whether user exists or has recovery info defined
- Throttle password reset requests to prevent brute force attacks
- Show phone/alt email fields in mailbox/admin edit form only when the password reset option is enabled
- Make database upgrade code compatible with other databases types
- Use the existing password generator to generate OTP. It is now stored in database, unique to each user, valid only for 1 hour and can only by used once.
This replaces the hardcoded "LIMIT 10" with "LIMIT <page_size>".
Patch by Dan <dannyro @SF>, https://sourceforge.net/p/postfixadmin/patches/133/
Additional change on top of Dan's patch:
- wrap $CONF['page_size'] in intval() to avoid that a broken config
setting can break or exploit the query
* Make it possible by config option that non global admins can send
broadcast messages to their domains.
* Allow the sender to select the domains the broadcast message should be
delivered to
* Allow the sender to decide if the broadcast message should just be
delivered to mailboxes
Simplify hiding the software update check from display. Not really for security. More for aesthetics; and keeping the more basic users from questioning it. Add #update-check {display: none;} to your custom css. See related feature patch: https://sourceforge.net/p/postfixadmin/patches/134/
- 'itemkey' escaping again. I found another corner case that was broken
with |escape:"html". Therefore switch to the exact htmlentities() call
that we use in smarty.inc.php.
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1827 a1433add-5e2c-0410-b055-b7f2511e0802
- getting the key from $RAW_item.$id_field turned out to be broken in
corner cases, leading to empty output. The better (and simpler) fix is
to just let the foreach loop set 'itemkey'.
- the example for special handling of a specific table and field
contained a superfluous </tr>
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1826 a1433add-5e2c-0410-b055-b7f2511e0802
list-virtual and viewlog were the last users of select_options()
smarty.inc.php:
- drop (now unused) select_options()
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1822 a1433add-5e2c-0410-b055-b7f2511e0802
- base edit, editactive and delete links on $RAW_item to avoid double
escaping ($items is already html-escaped, and we url-escape it for
links). This fixes the remaining part of
http://sourceforge.net/p/postfixadmin/bugs/356/
- simplify displaying "html" fields by using $RAW_item. This also fixes
problems with funny[tm] item names that differ when html-encoded (like
the ' char)
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1812 a1433add-5e2c-0410-b055-b7f2511e0802
- display the "Go" button only if javascript is disabled (the dropdowns
have an onchange event defined, which makes the "Go" button superfluous)
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1780 a1433add-5e2c-0410-b055-b7f2511e0802
- improve headline:
- in search mode, display the search term instead of the last selected
domain (which isn't useful at all when displaying search results)
- display number of aliases and mailboxes only in domain mode (they
are useless/wrong in search mode)
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1779 a1433add-5e2c-0410-b055-b7f2511e0802
list-virtual.php:
- use list.tpl for aliases
- move show_gen_status handling for aliases to AliasHandler
AliasHandler:
- initStruct():
- add 'status' column (hidden by default)
- hide 'created'
- move 'active' after 'modified' to match old list-virtual.php layout
- initMsg: add list_header
- webformConfig(): if $CONF[show_status], set display_in_list for
'status' column. Also set a (whitespace) label to make sure it's
displayed
- db_read_from_db_postprocess(): if 'status' column is requested, call
gen_show_status() for each row
list-virtual.tpl
- remove alias table header and create alias button (which should have
been in list-virtual_alias.tpl)
list-virtual_alias.tpl:
- replace code to generate the alias table with {include 'list.tpl'}
(and some variable assignments)
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1777 a1433add-5e2c-0410-b055-b7f2511e0802
- add support for list_header (like ":: Alias" in list-virtual)
PFAHandler:
- add empty default for $msg['list_header']
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1776 a1433add-5e2c-0410-b055-b7f2511e0802
- assign(): additionally provide the unsanitized values as RAW_$key
PFAHandler.php:
- document 'html' field type (used for raw html), including a big warning
list.tpl:
- add handling to display raw html fields
This is a preparation to use the status markers with list.tpl without
introducing too big changes.
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1775 a1433add-5e2c-0410-b055-b7f2511e0802
- initStruct(): replace (wrong) 'editable' with '_can_edit' and '_can_delete'
- read_from_db_postprocess(): disable _can_edit and _can_delete for
default aliases if special_alias_control is off and not superadmin
list.tpl:
- use $item._can_edit instead of $check_alias_owner
list-virtual.php:
- drop $check_alias_owner variable and check_alias_owner() call
(replaced by the code added in AliasHandler)
- drop unused $sql_domain
functions.inc.php:
- delete no longer used check_alias_owner() function
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1774 a1433add-5e2c-0410-b055-b7f2511e0802
User-visible changes:
- alias domain list can be downloaded as CSV
- no more search highlighting for alias domains
list-virtual.php:
- expect $search to be an array
- change alias domain handling to use list.php instead of
list-virtual_alias_domain.tpl, and move some logic from the template
to list-virtual.php. (The template file is kept as list.tpl wrapper.)
- adopt mailbox and alias search to $search[_]
- adopt pagebrowser to $search[_]
list-virtual_alias_domain.tpl:
- replace custom output generation with {include 'list.php'} and some
variable assignments
PFAHandler.php:
- add $this->id_field to $this->msg (avoids another smarty template
variable)
configs/menu.conf:
- change input name to search[_]
list-virtual_alias.tpl, list-virtual_mailbox.tpl:
- adopt to $search[_] by setting $search in a backwards-compatible way
list.tpl:
- add special handling for aliasdomain.target_domain linking
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1773 a1433add-5e2c-0410-b055-b7f2511e0802
- add protected $searchfields = array(); - list of fields to search by
default, if just a search term is given. This will be done with
$search['_'], but that code is not implemented yet.
- add $this->msg['show_simple_search'] (true if $searchfields is non-empty)
list.tpl:
- display search input box and search overview only if $searchfields is
not empty
AliasdomainHandler:
- add 'alias_domain' and 'target_domain' to $searchfields
MailboxHandler:
- add 'username' to $searchfields
AliasHandler:
- add 'address' and 'goto' to $searchfields
This effectively means that the search input box is no longer displayed
in list.php for admin, domain and fetchmail listings.
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1770 a1433add-5e2c-0410-b055-b7f2511e0802
PFAHandler:
- add $msg['can_create'] (true by default)
DomainHandler:
- set $msg['can_create'] based on is_superadmin
list.tpl:
- display 'create' button only if $msg['can_create'] is true
Note: This is only an optical improvement, not a permission check.
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1769 a1433add-5e2c-0410-b055-b7f2511e0802
- add support for 'b64p' fields (passwords stored base64-encoded)
as preparation to migrate fetchmail.php to FetchmailHandler
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1750 a1433add-5e2c-0410-b055-b7f2511e0802