$authenticated = PEAR::raiseError($lang['invalid_token']); } } else { $logger->err("unknown action"); $authenticated = PEAR::raiseError($lang['invalid_token']); } if (!ok_to_impersonate($euid, $uid)) { $logger->err("user {$uid} cannot impersonate {$euid}"); $authenticated = PEAR::raiseError($lang['invalid_token']); } } else { if ($auth_method == "imap") { $imap_address = get_rewritten_email_address($address, $address_rewriting_type); $user_name = get_user_from_email($imap_address); } elseif ($auth_method == "pop3" && empty($routing_domain)) { $user_name = get_user_from_email($address); } elseif ($auth_method == "external") { $user_name = ereg_replace('@.*$', '', $user_name); // FIXME there has to be a better way to do this. It implements the // assumption (valid here) that the LHS of all addresses that need to // be authenticated against is the user name. But some things just didn't // work right until I added this code. } list($authenticated, $email) = auth($user_name, $pwd, $address, $nt_domain); if ($authenticated === true) { if (is_primary_email($email)) { $owner_id = get_email_address_owner(get_email_address_id($email)); $uid = get_user_id($user_name, $email); if ($owner_id != 0 && $owner_id != $uid) { $authenticated = PEAR::raiseError($lang['error_case_mixup_rejected_html']); $logger->warning(sprintf($lang['error_case_mixup_rejected_log'], $email, $address, $user_name, $uid, $owner_id));
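/**
 * Check a login against the backend selected by the global $auth_method.
 *
 * The user name and e-mail address are trimmed, and stripslashes() is applied
 * to the user name and password before they are handed to a backend.
 * NOTE(review): stripslashes() is presumably a magic-quotes leftover; if the
 * input was never slash-escaped, a password containing a backslash is altered
 * before it is checked - confirm against the caller.
 *
 * Security notes for callers:
 *  - For "pop3", "imap", "exchange" and "external" the first element is
 *    whatever the backend helper returned; it is not coerced to a boolean
 *    here, so compare it with `=== true`.
 *  - For "exchange" the returned address is the one the caller passed in.
 *    It has not been tied to the authenticated account and must not be
 *    treated as verified.
 *  - empty() is used for the presence checks, so a user name, address or
 *    password of "0" is treated as missing and the login fails.
 *
 * @param string $user_name Login name as submitted.
 * @param string $pwd       Password as submitted.
 * @param string $email     E-mail address as submitted.
 * @param string $nt_domain Passed through to auth_exchange() only.
 *
 * @return array array($authenticated, $email). array(false, false) when the
 *               user name or address starts with "@". When no backend is
 *               consulted, $authenticated is false and $email is the
 *               trimmed input address.
 */
function auth($user_name, $pwd, $email, $nt_domain)
{
    global $auth_method;
    global $routing_domain;
    global $address_rewriting_type;

    $authenticated = false;
    $user_name = trim(stripslashes($user_name));
    $email = trim($email);

    // Don't allow logins for domain-class pseudo-users (names starting
    // with "@"). Rejected before any backend is contacted.
    if ((!empty($user_name) && $user_name[0] == "@")
        || (!empty($email) && $email[0] == "@")) {
        return array(false, false);
    }

    $pwd = stripslashes($pwd);

    // Every backend requires a non-empty password plus either a user name
    // or an address; evaluate both preconditions once, before any branch
    // rewrites $user_name or $email.
    $have_user = !empty($user_name) && !empty($pwd);
    $have_email = !empty($email) && !empty($pwd);

    // switch compares loosely, exactly like the former == chain.
    switch ($auth_method) {
        case "pop3":
            if (!empty($routing_domain)) {
                if ($have_user) {
                    $authenticated = auth_pop3($user_name, $pwd);
                    $email = $user_name . "@" . $routing_domain;
                }
            } elseif ($have_email) {
                // No routing domain: the login name comes from the address.
                $user_name = get_user_from_email($email);
                $authenticated = auth_pop3($user_name, $pwd);
            }
            break;

        case "imap":
            if ($have_email) {
                $email = get_rewritten_email_address($email, $address_rewriting_type);
                // Rewriting type 4 logs in with the full rewritten address.
                $user_name = ($address_rewriting_type == 4)
                    ? $email
                    : get_user_from_email($email);
                $authenticated = auth_imap($user_name, $pwd);
            }
            break;

        case "ldap":
            if ($have_user) {
                $email = auth_ldap($user_name, $pwd);
                // Fail closed: only `false` used to count as a failure here,
                // so an error object returned by the backend would have been
                // accepted as a successful login. Whether auth_ldap() can
                // return a PEAR_Error is not visible from this function; the
                // check mirrors the "sql" branch.
                $authenticated = !PEAR::isError($email) && $email !== false;
            }
            break;

        case "exchange":
            if ($have_user) {
                $authenticated = auth_exchange($user_name, $pwd, $nt_domain);
                // BROKEN! No idea what e-mail address to return here.
                // NOTE(review): $email stays caller-supplied, so a successful
                // login is paired with an address nobody has verified.
            }
            break;

        case "sql":
            if ($have_user) {
                $email = auth_sql($user_name, $pwd);
                $authenticated = !PEAR::isError($email) && $email !== false;
            }
            break;

        case "internal":
            if ($have_user) {
                $email = auth_internal($user_name, $pwd);
                // Same fail-closed rule as "ldap" and "sql".
                $authenticated = !PEAR::isError($email) && $email !== false;
            }
            break;

        case "external":
            if ($have_user) {
                $authenticated = auth_external($user_name, $pwd);
                // The external backend identifies the account by user name.
                $email = $user_name;
            }
            break;
    }

    return array($authenticated, $email);
}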
if (isset($_POST["new_email"])) { $smarty->assign('new_email', 1); $new_email = trim($_POST["new_email"]); // Rewrite the e-mail address as necessary for POP3/IMAP, to make // it match the routing address provided by the MTA-RX. if ($auth_method == "pop3" && !empty($routing_domain)) { $username = get_user_from_email($new_email); $new_email = $username . "@" . $routing_domain; } elseif ($auth_method == "imap") { $new_email = get_rewritten_email_address($new_email, $address_rewriting_type); $username = get_user_from_email($new_email); } elseif ($auth_method == "internal") { $new_email = get_rewritten_email_address($new_email, $address_rewriting_type); $username = $new_email; } else { $username = get_user_from_email($new_email); } $bad_user = empty($username); $smarty->assign("bad_user", $bad_user); if (!$super && !$bad_user) { // Make sure the new address is in a domain that // this administrator controls. $domain = "@" . get_domain_from_email($new_email); $select = "SELECT id " . "FROM maia_domains, maia_domain_admins " . "WHERE maia_domains.id = maia_domain_admins.domain_id " . "AND maia_domain_admins.admin_id = ? " . "AND maia_domains.domain = ?"; $sth = $dbh->prepare($select); $res = $sth->execute(array($uid, $domain)); if (PEAR::isError($sth)) { die($sth->getMessage()); } $bad_domain = !$res->fetchrow(); $smarty->assign("bad_domain", $bad_domain);