#5 add delete button with improved security
This commit is contained in:
parent
a8f8748e06
commit
8bcdc397ea
@ -98,6 +98,35 @@ function delete_old_messages() {
|
||||||
$mailbox->expungeDeletedMails();
|
$mailbox->expungeDeletedMails();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* deletes emails by id and username. The username must match the id.
|
||||||
|
*
|
||||||
|
* @param $mailid internal id (integer)
|
||||||
|
* @param $username the matching username
|
||||||
|
*/
|
||||||
|
function delete_mail($mailid, $username) {
|
||||||
|
global $mailbox, $config;
|
||||||
|
|
||||||
|
// in order to avoid https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References
|
||||||
|
// the $username must match the $mailid.
|
||||||
|
$name = clean_name($username);
|
||||||
|
if (strlen($name) === 0) {
|
||||||
|
error(400, 'invalid username');
|
||||||
|
}
|
||||||
|
$address = get_address($name, $config['mailHostname']);
|
||||||
|
$mail_ids = search_mails($address, $mailbox);
|
||||||
|
|
||||||
|
if (in_array($mailid, $mail_ids)) {
|
||||||
|
$mailbox->deleteMail($mailid);
|
||||||
|
$mailbox->expungeDeletedMails();
|
||||||
|
print(json_encode(array("success" => true)));
|
||||||
|
} else {
|
||||||
|
error(404, 'delete error: invalid username/mailid combination');
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
header('Content-type: application/json');
|
header('Content-type: application/json');
|
||||||
|
|
||||||
|
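Review bot: `in_array($mailid, $mail_ids)` on the new `if` line compares the raw query-string value loosely, so a string such as `5abc` or `5,6` that merely begins with an id the user owns satisfies the ownership check (on PHP 7 that comparison is true; PHP 8 still accepts forms like `5 `), and it is the unchecked `$mailid` — not the matched element — that is then handed to `$mailbox->deleteMail()`. Whether the IMAP layer would read such a string as a sequence set depends on deleteMail, which is not in this diff, but the IDOR guard the comment cites should not rely on that. I would validate the id as a whole integer before the lookup, `if (!is_string($mailid) || !ctype_digit($mailid)) { error(400, 'invalid mailid'); }` then `$mailid = (int) $mailid;`, and use `in_array($mailid, $mail_ids, true)` so element types must match as well (this assumes search_mails returns ints — confirm). clean_name, get_address and search_mails are defined outside the hunk.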
@ -106,7 +135,10 @@ header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
|
||||||
header("Cache-Control: post-check=0, pre-check=0", false);
|
header("Cache-Control: post-check=0, pre-check=0", false);
|
||||||
header("Pragma: no-cache");
|
header("Pragma: no-cache");
|
||||||
|
|
||||||
if (isset($_GET['username'])) {
|
|
||||||
|
if (isset($_GET['username']) && isset($_GET['delete_email_id'])) {
|
||||||
|
delete_mail($_GET['delete_email_id'], $_GET['username']);
|
||||||
|
} else if (isset($_GET['username'])) {
|
||||||
print_inbox($_GET['username']);
|
print_inbox($_GET['username']);
|
||||||
} else {
|
} else {
|
||||||
error(400, 'invalid action');
|
error(400, 'invalid action');
|
||||||
|
|
|
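Review bot: The new branch performs a destructive action (delete plus expunge) from a plain GET, so any page a user visits can trigger it with an `<img>` or link, and the id ends up in browser history and access logs. No session or authentication is visible in this hunk, so a CSRF token may not apply here, but the route should at least refuse GET for this action, e.g. `if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['username'], $_POST['delete_email_id'])) {` with the client sending a POST. Note also that `$_GET['delete_email_id']` can arrive as an array (`delete_email_id[]=1`) and still pass `isset`; delete_mail should reject non-string input rather than rely on later checks failing. The surrounding dispatch script continues outside the hunk.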
@ -112,6 +112,23 @@ app.controller('MailboxController', ["$scope", "$interval", "$http", "$log", fun
|
||||||
});
|
});
|
||||||
};
|
};
|
||||||
|
|
||||||
|
self.deleteMail = function (mailid) {
|
||||||
|
$http.get(backend_url, {params: {username: self.username, delete_email_id: mailid}})
|
||||||
|
.then(
|
||||||
|
function successCallback(response) {
|
||||||
|
self.updateMails();
|
||||||
|
},
|
||||||
|
function errorCallback(response) {
|
||||||
|
$log.error(response, this);
|
||||||
|
self.error = {
|
||||||
|
title: "HTTP_ERROR",
|
||||||
|
desc: "There is a problem with deleting the mail. (HTTP_ERROR).",
|
||||||
|
detail: response
|
||||||
|
};
|
||||||
|
});
|
||||||
|
|
||||||
|
};
|
||||||
|
|
||||||
// Initial load
|
// Initial load
|
||||||
self.updateMails()
|
self.updateMails()
|
||||||
}]);
|
}]);
|
||||||
|
|
|
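Review bot: `self.deleteMail` sends the delete as `$http.get` with the id in the query string, so the request is replayable from history and logs and can be prefetched; `$http.post(backend_url, {username: self.username, delete_email_id: mailid})` (or `$http.delete`) paired with a backend that rejects GET for this action is the conventional shape. `$log.error(response, this)` logs `this`, which inside a promise callback is not the controller; `$log.error('deleteMail failed', response)` is what is meant. `successCallback` never inspects `response.data.success`, which is fine because the backend signals failure with an HTTP 404, but a comment saying so would help: `// backend reports failure via HTTP 404, handled in errorCallback`. The controller function starts outside the hunk.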
@ -72,7 +72,13 @@
|
||||||
|
|
||||||
<section class="email">
|
<section class="email">
|
||||||
<div class="row sticky-header" ec-stickyfill>
|
<div class="row sticky-header" ec-stickyfill>
|
||||||
<div class="col-sm-12 email-summary">{{mail.subject}}</div>
|
<div class="col-sm-12 email-summary">{{mail.subject}}
|
||||||
|
<form class="form-inline float-xs-right">
|
||||||
|
<button ng-click="$ctrl.deleteMail(mail.id)" type="button"
|
||||||
|
class="btn btn-sm btn-outline-danger">Delete
|
||||||
|
</button>
|
||||||
|
</form>
|
||||||
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<div class="row">
|
<div class="row">
|
||||||
|
|
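Review bot: The new Delete button calls `$ctrl.deleteMail(mail.id)` on a single click with no confirmation, and the backend expunges immediately, so a mis-click is unrecoverable; a confirmation step, e.g. `ng-click="$ctrl.confirmDelete(mail)"` backed by a `window.confirm` or a two-step button in the controller, would be prudent. The wrapping `<form class="form-inline float-xs-right">` has no action and no submit control and exists only for layout, so a `<div>` with the same classes would do — a style point only. The enclosing mail template starts and ends outside the hunk.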