From 0858fcbbf9ebbcdc85180ff8aec7581af39e9423 Mon Sep 17 00:00:00 2001
From: Chris
Date: Fri, 1 Dec 2023 23:28:10 +0100
Subject: [PATCH] added security checks on logs and account list
---
 web/inc/OpenTrashmailBackend.class.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/web/inc/OpenTrashmailBackend.class.php b/web/inc/OpenTrashmailBackend.class.php
index 51cdf11..6d80ce6 100644
--- a/web/inc/OpenTrashmailBackend.class.php
+++ b/web/inc/OpenTrashmailBackend.class.php
@@ -19,7 +19,7 @@ class OpenTrashmailBackend{
 case 'read':
 return $this->readMail($_REQUEST['email']?:$this->url[2],$_REQUEST['id']?:$this->url[3]);
 case 'listaccounts':
- if($this->settings['SHOW_ACCOUNT_LIST'])
+ if($this->settings['SHOW_ACCOUNT_LIST'] && (($this->settings['ADMIN_PASSWORD'] != "" && $_SESSION['admin'])|| !$this->settings['ADMIN_PASSWORD']))
 return $this->listAccounts();
 else return '403 Forbidden';
 case 'raw-html':
@@ -36,7 +36,7 @@ class OpenTrashmailBackend{
 case 'deleteaccount':
 return $this->deleteAccount($_REQUEST['email']?:$this->url[2]);
 case 'logs':
- if($this->settings['SHOW_LOGS'])
+ if($this->settings['SHOW_LOGS'] && (($this->settings['ADMIN_PASSWORD'] != "" && $_SESSION['admin'])|| !$this->settings['ADMIN_PASSWORD']))
 return $this->renderTemplate('logs.html',[
 'lines' => (is_numeric($this->url[2])&&$this->url[2]>0)?$this->url[2]:100,
 'mailserverlogfile'=>ROOT.DS.'../logs'.DS.'mailserver.log',
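Review bot: The fallback `!$this->settings['ADMIN_PASSWORD']` in the new `listaccounts` condition tests PHP truthiness while the first half compares with `!= ""`, so the two halves disagree for a configured value of `"0"`: it counts as set in the first test and as unset in the second, and the gate passes without an admin session. The identical expression is repeated in the `logs` hunk, so both sites need the same correction. A single strict test keeps them consistent, for example `((string)$this->settings['ADMIN_PASSWORD'] === '' || !empty($_SESSION['admin']))`, preferably in one private helper that both cases call; `!empty()` also avoids the undefined-key warning when the session carries no `admin` entry. With no admin password configured, both endpoints stay readable by anyone once `SHOW_ACCOUNT_LIST` or `SHOW_LOGS` is enabled, which deserves a comment if that fail-open default is intended. The switch body starts and ends outside both hunks, so how the session is started and how `'403 Forbidden'` is turned into a response cannot be checked from here.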