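/**
 * Decide whether user $uid may act as (impersonate) user $euid.
 *
 * Impersonating other users is an invasion of privacy, even for
 * administrators, so this returns false unless one of the exceptions
 * below applies.
 *
 * @param int|string $euid  ID of the user who would be impersonated
 * @param int|string $uid   ID of the user asking to impersonate
 * @return bool             true if the impersonation is permitted
 */
function ok_to_impersonate($euid, $uid)
{
    global $dbh;

    // It's harmless to impersonate yourself ;)
    if ($euid == $uid && $euid > 0 && $uid > 0) {
        return true;
    }

    // Domain default users can be impersonated by admins responsible
    // for those domains, and the superadmin.  Only the superadmin can
    // impersonate the system default user (@.).  Real users may only be
    // impersonated when enable_privacy_invasion is explicitly set.
    $default_user = is_a_domain_default_user($euid);
    if (!$default_user && get_config_value("enable_privacy_invasion") != "Y") {
        return false;
    }
    if (is_superadmin($uid)) {
        return true;
    }
    if ($default_user) {
        $domain_id = get_domain_id(get_user_name($euid));
        return is_admin_for_domain($uid, $domain_id);
    }
    // A superadmin is never impersonated by a lesser admin.
    if (is_superadmin($euid)) {
        return false;
    }

    // Otherwise $uid must administer at least one domain in which
    // $euid has an address.
    $sth = $dbh->prepare("SELECT email FROM users WHERE maia_user_id = ?");
    if (PEAR::isError($sth)) {
        die($sth->getMessage());
    }
    $res = $sth->execute(array($euid));
    // A failed execute() reports the error in $res, not $sth; the
    // original only checked $sth and would have called fetchRow() on
    // the error object.
    if (PEAR::isError($res)) {
        die($res->getMessage());
    }
    $privilege = false;
    while ($row = $res->fetchRow()) {
        $domain_id = get_domain_id("@" . get_domain_from_email($row["email"]));
        if (is_admin_for_domain($uid, $domain_id)) {
            $privilege = true;
            break;
        }
    }
    $sth->free();
    return $privilege;
}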
    exit;
}
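// The target user id comes straight from the request.  Reject anything
// that is not a positive integer before it reaches the database or the
// session; the original only tested $id < 1 after the query had run and
// would raise a notice when "id" was absent.
$id = isset($_GET["id"]) ? trim($_GET["id"]) : "";
if (!ctype_digit($id) || (int)$id < 1) {
    header("Location: admindex.php" . $sid);
    exit;
}
// Make sure this administrator has the right to impersonate
// this specific user.
// NOTE(review): unlike the ok_to_impersonate() library helper, nothing
// here stops a domain admin from impersonating a superadmin who has an
// address in one of their domains -- confirm an earlier check covers it.
$privilege = false;
if (is_a_domain_default_user($id)) {
    // Domain default users: the admin must be responsible for that domain.
    $domain_id = get_domain_id(get_user_name($id));
    $privilege = is_admin_for_domain($uid, $domain_id);
} elseif (is_superadmin($uid)) {
    // superadmin gets privs
    $privilege = true;
} else {
    // The admin must be responsible for at least one of the domains
    // the target user has an address in.
    $select = "SELECT email FROM users WHERE maia_user_id = ?";
    $sth = $dbh->query($select, array($id));
    // A failed query returns an error object; stop before fetchRow()
    // is called on it (the original did not check).
    if (PEAR::isError($sth)) {
        die($sth->getMessage());
    }
    while (!$privilege && ($row = $sth->fetchRow())) {
        $domain_id = get_domain_id("@" . get_domain_from_email($row["email"]));
        $privilege = is_admin_for_domain($uid, $domain_id);
    }
    $sth->free();
}
if (!$privilege) {
    header("Location: admindex.php" . $sid);
    exit;
}
// Assume the user's UID as our EUID
$_SESSION["euid"] = $id;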
// Go to the main page as if the user we're impersonating
// had just logged in.
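require_once "authcheck.php";
require_once "display.php";
require_once "maia_db.php";
// Locale files are selected by the effective user's stored display
// language.  NOTE(review): this value becomes part of a require_once
// path, so get_display_language() must only ever return a known locale
// directory name -- confirm it is never derived from request input.
$display_language = get_display_language($euid);
require_once "./locale/{$display_language}/display.php";
require_once "./locale/{$display_language}/db.php";
require_once "./locale/{$display_language}/domainsettings.php";
require_once "smarty.php";
// A domain ID value *must* be supplied.  Stop after the redirect: the
// original fell through with $domain_id undefined and reached the admin
// check below, whose own redirect then overrode this one.
if (!isset($_GET["domain"])) {
    header("Location: admindomains.php" . $sid);
    exit;
}
$domain_id = trim($_GET["domain"]);
// Only administrators with rights to this domain should be here.
if (!is_admin_for_domain($uid, $domain_id)) {
    header("Location: index.php" . $sid);
    exit;
}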
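// Fetch the domain's user records joined with their policy settings.
$select = "SELECT virus_lover, "
    . "spam_lover, "
    . "banned_files_lover, "
    . "bad_header_lover, "
    . "bypass_virus_checks, "
    . "bypass_spam_checks, "
    . "bypass_banned_checks, "
    . "bypass_header_checks, "
    . "discard_viruses, "
    . "discard_spam, "
    . "discard_banned_files, "
    . "discard_bad_headers, "
    . "spam_modifies_subj, "
    . "spam_tag_level, "
    . "spam_tag2_level, "
    . "spam_kill_level, "
    . "email, "
    . "policy_id "
    . "FROM users, policy "
    . "WHERE users.policy_id = policy.id "
    . "AND users.maia_domain_id = ?";
$system_default = false;
$sth = $dbh->query($select, array($domain_id));
// A failed query returns an error object; stop before fetchRow() is
// called on it (the original did not check).
if (PEAR::isError($sth)) {
    die($sth->getMessage());
}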
if ($row = $sth->fetchRow()) {
    $address = $row["email"];
    if ($address == "@.") {
        $smarty->assign('address', $lang['text_system_default'] . " (@.)");
        $system_default = true;
    } else {
        $smarty->assign('address', $address);
    }
    $smarty->assign("system_default", $system_default);
     $logger->err("xsettings.php: address_id not found.");
     header("Location: index.php{$msid}");
     exit;
 }
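 // Look up the address being edited, scoped to the effective user so an
 // address id belonging to someone else is never returned.
 $sth = $dbh->prepare("SELECT policy_id, email, maia_user_id FROM users\n                   WHERE users.maia_user_id = ? AND users.id = ?");
 if (PEAR::isError($sth)) {
     die($sth->getMessage());
 }
 $res = $sth->execute(array($euid, $address_id));
 // A failed execute() reports the error in $res, not $sth; the original
 // only checked $sth and would have called numRows() on the error object.
 if (PEAR::isError($res)) {
     die($res->getMessage());
 }
 if ($res->numRows() == 0) {
     $logger->err("xsettings.php: address_id doesn't belong to effective user: {$address_id}");
     header("Location: logout.php");
     exit;
 }
 $row = $res->fetchRow();
 // Defence in depth: the WHERE clause above already restricts the row to
 // the effective user's own address, so the last alternative is normally
 // satisfied; admins of the address's domain and superadmins also pass.
 if (!(is_admin_for_domain($uid, get_domain_id("@" . get_domain_from_email($row["email"]))) || $super || $row["maia_user_id"] == $euid)) {
     $logger->err("xsettings.php: failed security check.");
     header("Location: logout.php");
     exit;
 }
 $policy_id = $row['policy_id'];
 $sth->free();
 // Load the policy settings that apply to this address.
 $sth = $dbh->prepare("SELECT virus_lover, "
     . "spam_lover, "
     . "banned_files_lover, "
     . "bad_header_lover, "
     . "bypass_virus_checks, "
     . "bypass_spam_checks, "
     . "bypass_banned_checks, "
     . "bypass_header_checks, "
     . "discard_viruses, "
     . "discard_spam, "
     . "discard_banned_files, "
     . "discard_bad_headers, "
     . "spam_modifies_subj, "
     . "spam_tag_level, "
     . "spam_tag2_level, "
     . "spam_kill_level "
     . "FROM policy WHERE id = ?");
 if (PEAR::isError($sth)) {
     die($sth->getMessage());
 }
 $res = $sth->execute(array($policy_id));
 // Same as above: check the execute() result, not only the statement.
 if (PEAR::isError($res)) {
     die($res->getMessage());
 }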
 if ($row = $res->fetchRow()) {
     $default_quarantine_viruses = $row["virus_lover"] == "N";
     $default_quarantine_spam = $row["spam_lover"] == "N";
     $default_quarantine_banned_files = $row["banned_files_lover"] == "N";