added security checks on logs and account list

2023-12-01 23:28:10 +01:00 · 2023-12-01 23:28:10 +01:00 · 0858fcbbf9
parent 4c603a2fc4
commit 0858fcbbf9
1 changed files with 2 additions and 2 deletions
--- a/web/inc/OpenTrashmailBackend.class.php
+++ b/web/inc/OpenTrashmailBackend.class.php
@ -19,7 +19,7 @@ class OpenTrashmailBackend{
                case 'read':
                    return $this->readMail($_REQUEST['email']?:$this->url[2],$_REQUEST['id']?:$this->url[3]);
                case 'listaccounts':
-                    if($this->settings['SHOW_ACCOUNT_LIST'])
+                    if($this->settings['SHOW_ACCOUNT_LIST'] && (($this->settings['ADMIN_PASSWORD'] != "" && $_SESSION['admin'])|| !$this->settings['ADMIN_PASSWORD']))
                        return $this->listAccounts();
                    else return '403 Forbidden';
                case 'raw-html':
@ -36,7 +36,7 @@ class OpenTrashmailBackend{
                case 'deleteaccount':
                    return $this->deleteAccount($_REQUEST['email']?:$this->url[2]);
                case 'logs':
-                    if($this->settings['SHOW_LOGS'])
+                    if($this->settings['SHOW_LOGS'] && (($this->settings['ADMIN_PASSWORD'] != "" && $_SESSION['admin'])|| !$this->settings['ADMIN_PASSWORD']))
                        return $this->renderTemplate('logs.html',[
                            'lines' => (is_numeric($this->url[2])&&$this->url[2]>0)?$this->url[2]:100,
                            'mailserverlogfile'=>ROOT.DS.'../logs'.DS.'mailserver.log',