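/**
 * Decide whether account $uid may act as (impersonate) account $euid.
 *
 * Rules, in order:
 *  - A user may always impersonate itself (both ids must be positive).
 *  - Otherwise impersonation is considered only when the target is a
 *    domain default user, or when the "enable_privacy_invasion" config
 *    value is "Y".  Within that:
 *      - the superadmin may impersonate anyone, including the system
 *        default user (@.);
 *      - a domain admin may impersonate the default user of a domain it
 *        administers;
 *      - a domain admin may impersonate a regular (non-superadmin) user
 *        who owns at least one address in a domain it administers.
 *  - Everything else is refused.
 *
 * @param int $euid  id of the account to be impersonated (the target)
 * @param int $uid   id of the account asking to impersonate
 * @return bool true if impersonation is permitted
 *
 * Dies with the database error message if the address lookup fails,
 * following the error-handling convention used elsewhere in this file.
 */
function ok_to_impersonate($euid, $uid)
{
    global $dbh;

    // Impersonating yourself is harmless; both ids must be real (positive)
    // so that missing/zero ids can never match each other.
    if ($euid == $uid && $euid > 0 && $uid > 0) {
        return true;
    }

    $target_is_domain_default = is_a_domain_default_user($euid);

    // Impersonating another real user is an invasion of privacy, even for
    // administrators, unless the site explicitly enables it.  Domain default
    // users are pseudo-accounts and are always eligible.
    if (!$target_is_domain_default && get_config_value("enable_privacy_invasion") != "Y") {
        return false;
    }

    // The superadmin may impersonate anyone.
    if (is_superadmin($uid)) {
        return true;
    }

    // A domain default user may be impersonated by an admin of that domain.
    if ($target_is_domain_default) {
        $domain_id = get_domain_id(get_user_name($euid));
        return is_admin_for_domain($uid, $domain_id);
    }

    // Nobody but the superadmin may impersonate the superadmin.
    if (is_superadmin($euid)) {
        return false;
    }

    // A domain admin may impersonate a regular user who owns at least one
    // address in a domain the admin is responsible for.  One matching address
    // is sufficient: the admin then acts as the whole account, including any
    // of its addresses in domains the admin does not administer.
    $sth = $dbh->prepare("SELECT email FROM users WHERE maia_user_id = ?");
    if (PEAR::isError($sth)) {
        die($sth->getMessage());
    }
    $res = $sth->execute(array($euid));
    // Check the execute() result as well: a failed query returns an error
    // object, and calling fetchRow() on it would be a fatal error rather
    // than a clean exit.
    if (PEAR::isError($res)) {
        $sth->free();
        die($res->getMessage());
    }

    $permitted = false;
    while (!$permitted && ($row = $res->fetchRow())) {
        $domain_id = get_domain_id("@" . get_domain_from_email($row["email"]));
        $permitted = is_admin_for_domain($uid, $domain_id);
    }
    $sth->free();
    return $permitted;
}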
Example #2
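/**
 * Create a new domain together with its supporting records.
 *
 * Steps, in order:
 *  1. refuse (return 0, with a warning logged) if the domain already exists;
 *  2. insert the maia_domains row using the default autocreation policy and
 *     transport from get_default_domain_policies();
 *  3. create a policy for the domain (add_policy);
 *  4. add the domain address itself to the users table and create the domain
 *     default user in maia_users, copying discard_ham and theme_id from the
 *     system default user (@.);
 *  5. point the users row back at the new maia_users row.
 *
 * @param string $domain_name  domain in the "@example.com" form used for
 *        domain default users.  The first character is stripped to form
 *        routing_domain, so callers are expected to pass the "@" form
 *        (a bare "example.com" would lose its first letter).
 * @return int the new maia_domains id, or 0 if the domain already existed
 *         or the inserted row could not be read back
 *
 * Dies with the database error message on any failed query, following the
 * convention used by the rest of this file.  No transaction is used, so a
 * failure part way through leaves the rows created so far in place.
 */
function add_domain($domain_name)
{
    global $dbh;
    global $logger;

    if (get_domain_id($domain_name) != 0) {
        $logger->warning("Attempt to add duplicate domain:" . $domain_name);
        return 0;
    }

    // Site-wide defaults for new domains: autocreation policy and transport.
    $default_policies = get_default_domain_policies();
    $default_autocreation_policy = $default_policies['autocreation'];
    $default_transport = $default_policies['transport'];
    // "@example.com" -> "example.com"
    $routing_domain = substr($domain_name, 1);

    // 1. The domain itself.
    $sth = $dbh->prepare("INSERT INTO maia_domains (domain, enable_user_autocreation, routing_domain, transport) VALUES (?,?,?,?)");
    if (PEAR::isError($sth)) {
        die($sth->getMessage());
    }
    $res = $sth->execute(array($domain_name, $default_autocreation_policy, $routing_domain, $default_transport));
    // execute() failures come back on the result, not on the statement.
    if (PEAR::isError($res)) {
        die($res->getMessage());
    }
    $sth->free();

    $domain_id = 0;
    $sth = $dbh->prepare("SELECT id FROM maia_domains WHERE domain = ?");
    if (PEAR::isError($sth)) {
        die($sth->getMessage());
    }
    $res = $sth->execute(array($domain_name));
    if (PEAR::isError($res)) {
        die($res->getMessage());
    }
    if ($row = $res->fetchrow()) {
        $domain_id = $row["id"];
    }
    $sth->free();
    if ($domain_id == 0) {
        // The row just inserted could not be read back; do not go on to
        // create policy/user rows that would reference no domain.
        $logger->err("add_domain: could not read back id for domain " . $domain_name);
        return 0;
    }

    // 2. A policy for the domain, based on the system defaults.
    $policy_id = add_policy($domain_name);

    // 3. The domain address itself.  The third argument is presumably the
    //    owning maia_user_id, left at 0 here and filled in by the UPDATE
    //    below once the domain default user exists.
    $primary_email_id = add_address_to_user($policy_id, $domain_name, 0, $domain_id);

    // 4. The domain default user, seeded from the system default user (@.).
    $default_user_config = get_maia_user_row(get_user_id("@.", "@."));
    $sth = $dbh->prepare("INSERT INTO maia_users (user_name, primary_email_id, reminders, discard_ham, theme_id) VALUES (?, ?, 'N', ?, ?)");
    if (PEAR::isError($sth)) {
        die($sth->getMessage());
    }
    $res = $sth->execute(array($domain_name, $primary_email_id, $default_user_config["discard_ham"], $default_user_config["theme_id"]));
    if (PEAR::isError($res)) {
        die($res->getMessage());
    }
    $sth->free();

    $maia_user_id = 0;
    $sth = $dbh->prepare("SELECT id FROM maia_users WHERE user_name = ?");
    if (PEAR::isError($sth)) {
        die($sth->getMessage());
    }
    $res = $sth->execute(array($domain_name));
    if (PEAR::isError($res)) {
        die($res->getMessage());
    }
    if ($row = $res->fetchrow()) {
        $maia_user_id = $row["id"];
    }
    $sth->free();
    if ($maia_user_id == 0) {
        // Domain exists but its default user could not be read back; leave
        // the address unlinked rather than writing a null owner.
        $logger->err("add_domain: could not read back default user for domain " . $domain_name);
        return $domain_id;
    }

    // 5. Link the domain address back to its default user.
    $sth = $dbh->prepare("UPDATE users SET maia_user_id = ? WHERE id = ?");
    if (PEAR::isError($sth)) {
        die($sth->getMessage());
    }
    $res = $sth->execute(array($maia_user_id, $primary_email_id));
    if (PEAR::isError($res)) {
        die($res->getMessage());
    }
    $sth->free();

    return $domain_id;
}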
Example #3
    $enable_address_linking = $row["enable_address_linking"] == 'Y';
}
// Release the statement handle from the preceding settings query.
$sth->free();

// Whether the *real* (logged-in) user is the superadmin.  This is keyed on
// $uid rather than the possibly impersonated $euid, so an administrator who
// is impersonating someone keeps their own privilege level in the template.
$super = is_superadmin($uid);

require_once "smarty.php";

// If the current focus is a domain default user, expose its domain to the
// template; otherwise hand over empty placeholders.
$domain_user = (bool) is_a_domain_default_user($euid);
if ($domain_user) {
    $domain_name = get_user_name($euid);
    $domain_id = get_domain_id($domain_name);
} else {
    $domain_name = "";
    $domain_id = "";
}

// Feature flags from the preceding query, the status message, and the
// focus/privilege variables, all handed to the template in one call.
$smarty->assign(array(
    'enable_charts' => $enable_charts,
    'reminder_threshold_count' => $reminder_threshold_count,
    'enable_spamtraps' => $enable_spamtraps,
    'enable_username_changes' => $enable_username_changes,
    'enable_address_linking' => $enable_address_linking,
    'message' => $message,
    'domain_user' => $domain_user,
    'domain_name' => $domain_name,
    'domain_id' => $domain_id,
    'euid' => $euid,
    'super' => $super,
));
//verify that the supplied address is valid for the current user
if (isset($_GET["addid"])) {
    $address_id = trim($_GET["addid"]);
    if (get_email_address_owner($address_id) != $euid) {
        header("Location: index.php{$sid}");
    header("Location: index.php" . $sid);
    exit;
}
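// The account to impersonate, taken from the query string.  Cast to int so
// that a missing, empty or non-numeric value becomes 0 (and fails the
// "$id < 1" test below), and so that only an integer ever reaches
// $_SESSION["euid"].
$id = isset($_GET["id"]) ? (int) trim($_GET["id"]) : 0;

// Make sure this administrator has the right to impersonate this specific
// user.  The rules mirror ok_to_impersonate():
//   - the superadmin may impersonate anyone;
//   - a domain admin may impersonate the default user of a domain it
//     administers;
//   - a domain admin may impersonate a regular user who owns at least one
//     address in a domain it administers -- but never the superadmin.
//     Without that last exclusion, any domain admin whose domain held one of
//     the superadmin's addresses could take over the superadmin account.
// NOTE(review): ok_to_impersonate() additionally gates impersonation of
// regular users behind the "enable_privacy_invasion" config value; this page
// does not, unless that is checked before this point -- confirm.
$privilege = false;
if (is_superadmin($uid)) {
    // superadmin gets privs
    $privilege = true;
} elseif (is_a_domain_default_user($id)) {
    $domain_id = get_domain_id(get_user_name($id));
    $privilege = is_admin_for_domain($uid, $domain_id);
} elseif (!is_superadmin($id)) {
    $select = "SELECT email FROM users WHERE maia_user_id = ?";
    $sth = $dbh->query($select, array($id));
    // Fail loudly on a database error, as the rest of this code base does,
    // rather than calling fetchRow() on an error object.
    if (PEAR::isError($sth)) {
        die($sth->getMessage());
    }
    // One address in an administered domain is sufficient.
    while (!$privilege && ($row = $sth->fetchRow())) {
        $domain_id = get_domain_id("@" . get_domain_from_email($row["email"]));
        $privilege = is_admin_for_domain($uid, $domain_id);
    }
    $sth->free();
}

if ($id < 1 || !$privilege) {
    header("Location: admindex.php" . $sid);
    exit;
}

// Assume the user's UID as our EUID
$_SESSION["euid"] = $id;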
// Go to the main page as if the user we're impersonating
Example #5
     $logger->err("xsettings.php: address_id not found.");
     header("Location: index.php{$msid}");
     exit;
 }
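 // Look up the address being edited.  Binding both the effective user id and
 // the address id in the WHERE clause is the ownership check: an address that
 // does not belong to $euid simply yields no row.
 $sth = $dbh->prepare("SELECT policy_id, email, maia_user_id FROM users\n                   WHERE users.maia_user_id = ? AND users.id = ?");
 if (PEAR::isError($sth)) {
     die($sth->getMessage());
 }
 $res = $sth->execute(array($euid, $address_id));
 // Check the execute() result as well: a failed query returns an error object
 // on which numRows() would be a fatal error rather than a clean exit.
 if (PEAR::isError($res)) {
     die($res->getMessage());
 }
 if ($res->numRows() == 0) {
     $logger->err("xsettings.php: address_id doesn't belong to effective user: {$address_id}");
     header("Location: logout.php");
     exit;
 }
 $row = $res->fetchRow();
 // Defence in depth: permit the edit if the real user administers the
 // address's domain, is the superadmin, or is the owner.  Because the query
 // above already required maia_user_id = $euid, the owner alternative holds
 // for every row that reaches this point, so this branch is not expected to
 // fire; it is kept as a belt-and-braces check should the query change.
 if (!(is_admin_for_domain($uid, get_domain_id("@" . get_domain_from_email($row["email"]))) || $super || $row["maia_user_id"] == $euid)) {
     $logger->err("xsettings.php: failed security check.");
     header("Location: logout.php");
     exit;
 }
 $policy_id = $row['policy_id'];
 $sth->free();

 // Fetch the policy row that supplies the defaults for the settings form.
 $sth = $dbh->prepare("SELECT virus_lover, spam_lover, banned_files_lover, bad_header_lover, bypass_virus_checks, bypass_spam_checks, bypass_banned_checks, bypass_header_checks, discard_viruses, discard_spam, discard_banned_files, discard_bad_headers, spam_modifies_subj, spam_tag_level, spam_tag2_level, spam_kill_level FROM policy WHERE id = ?");
 if (PEAR::isError($sth)) {
     die($sth->getMessage());
 }
 $res = $sth->execute(array($policy_id));
 if (PEAR::isError($res)) {
     die($res->getMessage());
 }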
 if ($row = $res->fetchRow()) {
     $default_quarantine_viruses = $row["virus_lover"] == "N";
     $default_quarantine_spam = $row["spam_lover"] == "N";
     $default_quarantine_banned_files = $row["banned_files_lover"] == "N";