authorAleksander Machniak <alec@alec.pl>2014-07-05 12:33:03 +0200
committerAleksander Machniak <alec@alec.pl>2014-07-05 12:48:55 +0200
commit7152d0fdefc0cb60b26c928342436604479dc610 (patch)
treebf01d0c838505dc284b984d8fdbe8fddaca67203 /program/steps/settings/identities.inc
parentc627d3bb02a41716af17dff5eca8d7df30297414 (diff)
Fix security issue in delete-response action - allow only ajax request.
Unify code for identities and responses deletion. Conflicts: program/steps/settings/func.inc
Diffstat (limited to 'program/steps/settings/identities.inc')
-rw-r--r--program/steps/settings/identities.inc22
1 files changed, 22 insertions, 0 deletions
diff --git a/program/steps/settings/identities.inc b/program/steps/settings/identities.inc
index e19c16c79..f43edc1f7 100644
--- a/program/steps/settings/identities.inc
+++ b/program/steps/settings/identities.inc
@@ -19,6 +19,28 @@
+-----------------------------------------------------------------------+
*/
+if ($RCMAIL->action == 'delete-identity' && $OUTPUT->ajax_call) {
+ $iid = rcube_utils::get_input_value('_iid', rcube_utils::INPUT_POST);
+
+ if ($iid && preg_match('/^[0-9]+(,[0-9]+)*$/', $iid)) {
+ $plugin = $RCMAIL->plugins->exec_hook('identity_delete', array('id' => $iid));
+
+ $deleted = !$plugin['abort'] ? $RCMAIL->user->delete_identity($iid) : $plugin['result'];
+
+ if ($deleted > 0 && $deleted !== false) {
+ $OUTPUT->show_message('deletedsuccessfully', 'confirmation', null, false);
+ $OUTPUT->command('remove_identity', $iid);
+ }
+ else {
+ $msg = $plugin['message'] ? $plugin['message'] : ($deleted < 0 ? 'nodeletelastidentity' : 'errorsaving');
+ $OUTPUT->show_message($msg, 'error', null, false);
+ }
+ }
+
+ $OUTPUT->send();
+}
+
+
define('IDENTITIES_LEVEL', intval($RCMAIL->config->get('identities_level', 0)));
$OUTPUT->set_pagetitle($RCMAIL->gettext('identities'));
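Review bot: The `_iid` pattern on the `preg_match` line anchors with `$`, which in PCRE also matches just before a trailing newline, so a value like `12\n` passes validation and is handed to `delete_identity()` and to the `remove_identity` client command; `'/^[0-9]+(,[0-9]+)*\z/'` (or adding the `D` modifier) closes that gap. When `_iid` is empty or fails the pattern, the block falls through to `$OUTPUT->send()` with no message, so the client cannot tell a rejected request from a no-op; an `else { $OUTPUT->show_message('errorsaving', 'error', null, false); }` on the outer `if` would report it. `$deleted > 0 && $deleted !== false` is redundant, since `false > 0` is already false. The `$OUTPUT->ajax_call` condition is the actual security fix, and it is only as strong as whatever origin or token check the framework applies to ajax requests, which is not visible in this hunk; a one-line comment above the `if` saying so would help.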