diff options
author | Aleksander Machniak <alec@alec.pl> | 2014-07-05 12:33:03 +0200 |
---|---|---|
committer | Aleksander Machniak <alec@alec.pl> | 2014-07-05 12:48:55 +0200 |
commit | 7152d0fdefc0cb60b26c928342436604479dc610 (patch) | |
tree | bf01d0c838505dc284b984d8fdbe8fddaca67203 /program/steps/settings/identities.inc | |
parent | c627d3bb02a41716af17dff5eca8d7df30297414 (diff) |
Fix security issue in delete-response action - allow only ajax request.
Unify code for identities and responses deletion.
Conflicts:
program/steps/settings/func.inc
Diffstat (limited to 'program/steps/settings/identities.inc')
-rw-r--r-- | program/steps/settings/identities.inc | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/program/steps/settings/identities.inc b/program/steps/settings/identities.inc index e19c16c79..f43edc1f7 100644 --- a/program/steps/settings/identities.inc +++ b/program/steps/settings/identities.inc @@ -19,6 +19,28 @@ +-----------------------------------------------------------------------+ */ +if ($RCMAIL->action == 'delete-identity' && $OUTPUT->ajax_call) { + $iid = rcube_utils::get_input_value('_iid', rcube_utils::INPUT_POST); + + if ($iid && preg_match('/^[0-9]+(,[0-9]+)*$/', $iid)) { + $plugin = $RCMAIL->plugins->exec_hook('identity_delete', array('id' => $iid)); + + $deleted = !$plugin['abort'] ? $RCMAIL->user->delete_identity($iid) : $plugin['result']; + + if ($deleted > 0 && $deleted !== false) { + $OUTPUT->show_message('deletedsuccessfully', 'confirmation', null, false); + $OUTPUT->command('remove_identity', $iid); + } + else { + $msg = $plugin['message'] ? $plugin['message'] : ($deleted < 0 ? 'nodeletelastidentity' : 'errorsaving'); + $OUTPUT->show_message($msg, 'error', null, false); + } + } + + $OUTPUT->send(); +} + + define('IDENTITIES_LEVEL', intval($RCMAIL->config->get('identities_level', 0))); $OUTPUT->set_pagetitle($RCMAIL->gettext('identities')); |