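/**
 * Decide whether user $uid is allowed to impersonate user $euid.
 *
 * Rules, in the order they are applied:
 *  - A user may always impersonate themself (both ids must be > 0).
 *  - Otherwise impersonation is only considered at all when $euid is a
 *    domain default user, or the "enable_privacy_invasion" config value
 *    is "Y".
 *  - The superadmin may then impersonate anyone, including the system
 *    default user (@.).
 *  - A domain default user may be impersonated by an admin of that domain.
 *  - Nobody but the superadmin may impersonate the superadmin.
 *  - Any other user may be impersonated by an admin of any domain in which
 *    that user holds an e-mail address.
 *
 * @param int|string $euid  id of the user to be impersonated
 * @param int|string $uid   id of the user asking to impersonate
 * @return bool
 */
function ok_to_impersonate($euid, $uid)
{
    global $dbh;

    // User ids are integers; normalise up front so the checks below do
    // not depend on loose string/int comparison rules. Anything that is
    // not a positive id fails the self-check and is treated as a foreign
    // user.
    $euid = (int) $euid;
    $uid = (int) $uid;

    // It's harmless to impersonate yourself ;)
    if ($euid > 0 && $uid > 0 && $euid === $uid) {
        return true;
    }

    $target_is_domain_default = is_a_domain_default_user($euid);

    // Impersonating other users is an invasion of privacy, even for
    // administrators, unless explicitly enabled in the configuration.
    // Domain default users are the exception: their domain admins must be
    // able to act as them.
    if (!$target_is_domain_default && get_config_value("enable_privacy_invasion") != "Y") {
        return false;
    }

    // The superadmin can impersonate anyone, including the system
    // default user (@.).
    if (is_superadmin($uid)) {
        return true;
    }

    // Domain default users can be impersonated by admins responsible
    // for that domain.
    if ($target_is_domain_default) {
        $domain_id = get_domain_id(get_user_name($euid));
        return is_admin_for_domain($uid, $domain_id);
    }

    // Only the superadmin may impersonate the superadmin.
    if (is_superadmin($euid)) {
        return false;
    }

    // An ordinary user may be impersonated by an admin of any domain that
    // one of the user's e-mail addresses belongs to.
    $sth = $dbh->prepare("SELECT email FROM users WHERE maia_user_id = ?");
    if (PEAR::isError($sth)) {
        die($sth->getMessage());
    }
    // execute() returns the error object on failure, so that is the value
    // to check (checking $sth here would miss execution errors).
    $res = $sth->execute(array($euid));
    if (PEAR::isError($res)) {
        die($res->getMessage());
    }

    $privilege = false;
    while (!$privilege && ($row = $res->fetchRow())) {
        $domain_id = get_domain_id("@" . get_domain_from_email($row["email"]));
        $privilege = is_admin_for_domain($uid, $domain_id);
    }
    $sth->free();

    return $privilege;
}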
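/**
 * Prepare and execute a non-SELECT statement for add_domain(), dying on
 * any prepare() or execute() error (the error-handling style used
 * throughout this file).
 *
 * @param object $dbh     database handle exposing prepare() (presumably
 *                        PEAR MDB2 — the statement has execute()/free())
 * @param string $sql     statement text with "?" placeholders
 * @param array  $params  values bound to the placeholders, in order
 * @return void
 */
function add_domain_execute($dbh, $sql, $params)
{
    $sth = $dbh->prepare($sql);
    if (PEAR::isError($sth)) {
        die($sth->getMessage());
    }
    // execute() returns the error object on failure; checking $sth here
    // would silently miss execution errors.
    $res = $sth->execute($params);
    if (PEAR::isError($res)) {
        die($res->getMessage());
    }
    $sth->free();
}

/**
 * Run a SELECT whose first row carries an "id" column and return that id,
 * or 0 when no row matched. Dies on any prepare() or execute() error.
 *
 * @param object $dbh     database handle exposing prepare()
 * @param string $sql     SELECT text with "?" placeholders
 * @param array  $params  values bound to the placeholders, in order
 * @return int|string  the id value as returned by the driver, or 0
 */
function add_domain_fetch_id($dbh, $sql, $params)
{
    $sth = $dbh->prepare($sql);
    if (PEAR::isError($sth)) {
        die($sth->getMessage());
    }
    $res = $sth->execute($params);
    if (PEAR::isError($res)) {
        die($res->getMessage());
    }
    // Default to 0 so callers never see an undefined id on an empty result.
    $id = 0;
    if ($row = $res->fetchRow()) {
        $id = $row["id"];
    }
    $sth->free();
    return $id;
}

/**
 * Create a new domain: its row in maia_domains, a policy based on the
 * system defaults, its domain address in the users table and its domain
 * default user in maia_users.
 *
 * @param string $domain_name  domain in Maia's "@example.com" form; the
 *                             routing domain is derived by dropping the
 *                             leading character
 * @return int|string  the new maia_domains id, or 0 if the domain already
 *                     exists or a freshly inserted row could not be read
 *                     back (logged via $logger)
 */
function add_domain($domain_name)
{
    global $dbh;
    global $logger;

    if (get_domain_id($domain_name) != 0) {
        $logger->warning("Attempt to add duplicate domain:" . $domain_name);
        return 0;
    }

    // get default autocreation policy and transport for new domains
    $default_policies = get_default_domain_policies();
    $default_autocreation_policy = $default_policies['autocreation'];
    $default_transport = $default_policies['transport'];
    // Maia domain names carry a leading "@"; the routing domain is the
    // bare name.
    $routing_domain = substr($domain_name, 1);

    // Add the domain to the maia_domains table
    add_domain_execute(
        $dbh,
        "INSERT INTO maia_domains (domain, enable_user_autocreation, routing_domain, transport) VALUES (?,?,?,?)",
        array($domain_name, $default_autocreation_policy, $routing_domain, $default_transport)
    );
    $domain_id = add_domain_fetch_id(
        $dbh,
        "SELECT id FROM maia_domains WHERE domain = ?",
        array($domain_name)
    );
    if ($domain_id == 0) {
        // The row was just inserted, so this should not happen; refuse to
        // build the rest of the domain on a bogus id rather than carry on
        // with an undefined one.
        $logger->err("add_domain: could not read back id of new domain " . $domain_name);
        return 0;
    }

    // Add a new policy for the domain, based on the
    // system defaults.
    $policy_id = add_policy($domain_name);

    // Add the domain address to the users table
    $primary_email_id = add_address_to_user($policy_id, $domain_name, 0, $domain_id);

    // Add a domain default user to the maia_users table, copying a couple
    // of settings from the system default user (@.)
    $default_user_config = get_maia_user_row(get_user_id("@.", "@."));
    add_domain_execute(
        $dbh,
        "INSERT INTO maia_users (user_name, primary_email_id, reminders, discard_ham, theme_id) VALUES (?, ?, 'N', ?, ?)",
        array($domain_name, $primary_email_id, $default_user_config["discard_ham"], $default_user_config["theme_id"])
    );
    $maia_user_id = add_domain_fetch_id(
        $dbh,
        "SELECT id FROM maia_users WHERE user_name = ?",
        array($domain_name)
    );
    if ($maia_user_id == 0) {
        // Same reasoning as above; note the domain and address rows already
        // exist at this point.
        $logger->err("add_domain: could not read back id of new domain default user " . $domain_name);
        return 0;
    }

    // Update the users table to link the e-mail address back to the domain
    add_domain_execute(
        $dbh,
        "UPDATE users SET maia_user_id = ? WHERE id = ?",
        array($maia_user_id, $primary_email_id)
    );

    return $domain_id;
}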
$enable_address_linking = $row["enable_address_linking"] == 'Y'; } $sth->free(); $super = is_superadmin($uid); require_once "smarty.php"; $smarty->assign('enable_charts', $enable_charts); $smarty->assign('reminder_threshold_count', $reminder_threshold_count); $smarty->assign('enable_spamtraps', $enable_spamtraps); $smarty->assign('enable_username_changes', $enable_username_changes); $smarty->assign('enable_address_linking', $enable_address_linking); $smarty->assign("message", $message); // verify and set up domain variables if the current focus is a domain user if (is_a_domain_default_user($euid)) { $domain_user = true; $domain_name = get_user_name($euid); $domain_id = get_domain_id($domain_name); } else { $domain_user = false; $domain_name = ""; $domain_id = ""; } $smarty->assign('domain_user', $domain_user); $smarty->assign('domain_name', $domain_name); $smarty->assign('domain_id', $domain_id); $smarty->assign("euid", $euid); $smarty->assign('super', $super); //verify that the supplied address is valid for the current user if (isset($_GET["addid"])) { $address_id = trim($_GET["addid"]); if (get_email_address_owner($address_id) != $euid) { header("Location: index.php{$sid}");
header("Location: index.php" . $sid); exit; } $id = trim($_GET["id"]); // Make sure this administrator has the right to impersonate // this specific user. $privilege = false; if (is_a_domain_default_user($id)) { $domain_id = get_domain_id(get_user_name($id)); $privilege = is_admin_for_domain($uid, $domain_id); } else { if (!is_superadmin($uid)) { $select = "SELECT email FROM users WHERE maia_user_id = ?"; $sth = $dbh->query($select, array($id)); while (!$privilege && ($row = $sth->fetchRow())) { $domain_id = get_domain_id("@" . get_domain_from_email($row["email"])); $privilege = is_admin_for_domain($uid, $domain_id); } $sth->free(); } else { // superadmin gets privs $privilege = true; } } if ($id < 1 || !$privilege) { header("Location: admindex.php" . $sid); exit; } // Assume the user's UID as our EUID $_SESSION["euid"] = $id; // Go to the main page as if the user we're impersonating
$logger->err("xsettings.php: address_id not found."); header("Location: index.php{$msid}"); exit; } $sth = $dbh->prepare("SELECT policy_id, email, maia_user_id FROM users\n WHERE users.maia_user_id = ? AND users.id = ?"); $res = $sth->execute(array($euid, $address_id)); if (PEAR::isError($sth)) { die($sth->getMessage()); } if ($res->numRows() == 0) { $logger->err("xsettings.php: address_id doesn't belong to effective user: {$address_id}"); header("Location: logout.php"); exit; } $row = $res->fetchRow(); if (!(is_admin_for_domain($uid, get_domain_id("@" . get_domain_from_email($row["email"]))) || $super || $row["maia_user_id"] == $euid)) { $logger->err("xsettings.php: failed security check."); header("Location: logout.php"); exit; } $policy_id = $row['policy_id']; $sth->free(); $sth = $dbh->prepare("SELECT virus_lover, " . "spam_lover, " . "banned_files_lover, " . "bad_header_lover, " . "bypass_virus_checks, " . "bypass_spam_checks, " . "bypass_banned_checks, " . "bypass_header_checks, " . "discard_viruses, " . "discard_spam, " . "discard_banned_files, " . "discard_bad_headers, " . "spam_modifies_subj, " . "spam_tag_level, " . "spam_tag2_level, " . "spam_kill_level " . "FROM policy WHERE id = ?"); $res = $sth->execute(array($policy_id)); if (PEAR::isError($sth)) { die($sth->getMessage()); } if ($row = $res->fetchRow()) { $default_quarantine_viruses = $row["virus_lover"] == "N"; $default_quarantine_spam = $row["spam_lover"] == "N"; $default_quarantine_banned_files = $row["banned_files_lover"] == "N";