diff options
| author | Cyrill von Wattenwyl <cvw@adfinis.com> | 2014-09-02 11:20:52 +0200 |
|---|---|---|
| committer | Cyrill von Wattenwyl <cvw@adfinis.com> | 2014-09-02 11:20:52 +0200 |
| commit | 11a40dd1fef6c5b78b054617caba4325f95ee386 (patch) | |
| tree | de2e1d7efd6423ef4d1256dd5c90a972ad172719 /index.php | |
| parent | 187fd666aa2f32dedfe544d69b7cb213698197f2 (diff) | |
| parent | ba084313bfc9c7a5a83e0611fe4376543cc1653d (diff) | |
Merge branch 'master' of https://github.com/roundcube/roundcubemail
Conflicts:
plugins/password/config.inc.php.dist
Diffstat (limited to 'index.php')
| -rw-r--r-- | index.php | 24 |
1 files changed, 17 insertions, 7 deletions
@@ -44,6 +44,7 @@ $RCMAIL = rcmail::get_instance($GLOBALS['env']); // Make the whole PHP output non-cacheable (#1487797) $RCMAIL->output->nocacheing_headers(); +$RCMAIL->output->common_headers(); // turn on output buffering ob_start(); @@ -188,7 +189,7 @@ else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id']) } // check session and auth cookie -else if ($RCMAIL->task != 'login' && $_SESSION['user_id'] && $RCMAIL->action != 'send') { +else if ($RCMAIL->task != 'login' && $_SESSION['user_id']) { if (!$RCMAIL->session->check_auth()) { $RCMAIL->kill_session(); $session_error = true; @@ -211,7 +212,7 @@ if (empty($RCMAIL->user->ID)) { $OUTPUT->show_message('sessionerror', 'error', null, true, -1); } - if ($OUTPUT->ajax_call || !empty($_REQUEST['_framed'])) { + if ($OUTPUT->ajax_call || $OUTPUT->get_env('framed')) { $OUTPUT->command('session_error', $RCMAIL->url(array('_err' => 'session'))); $OUTPUT->send('iframe'); } @@ -259,6 +260,14 @@ else { 'message' => "Referer check failed"), true, true); } } + + // check access to disabled actions + $disabled_actions = (array) $RCMAIL->config->get('disabled_actions'); + if (in_array($RCMAIL->task . '.' . ($RCMAIL->action ?: 'index'), $disabled_actions)) { + rcube::raise_error(array( + 'code' => 403, 'type' => 'php', + 'message' => "Action disabled"), true, true); + } } // we're ready, user is authenticated and the request is safe @@ -286,13 +295,14 @@ if (is_file($incfile = INSTALL_PATH . 'program/steps/'.$RCMAIL->task.'/func.inc' $redirects = 0; $incstep = null; while ($redirects < 5) { // execute a plugin action - if ($RCMAIL->plugins->is_plugin_task($RCMAIL->task)) { - if (!$RCMAIL->action) $RCMAIL->action = 'index'; - $RCMAIL->plugins->exec_action($RCMAIL->task.'.'.$RCMAIL->action); + if (preg_match('/^plugin\./', $RCMAIL->action)) { + $RCMAIL->plugins->exec_action($RCMAIL->action); break; } - else if (preg_match('/^plugin\./', $RCMAIL->action)) { - $RCMAIL->plugins->exec_action($RCMAIL->action); + // execute action registered to a plugin task + else if ($RCMAIL->plugins->is_plugin_task($RCMAIL->task)) { + if (!$RCMAIL->action) $RCMAIL->action = 'index'; + $RCMAIL->plugins->exec_action($RCMAIL->task.'.'.$RCMAIL->action); break; } // try to include the step file |