summaryrefslogtreecommitdiff
path: root/program/steps/settings/identities.inc
diff options
context:
space:
mode:
authorAleksander Machniak <alec@alec.pl>2014-07-05 12:33:03 +0200
committerAleksander Machniak <alec@alec.pl>2014-07-05 12:33:03 +0200
commitca01e25772730cab0117bca0e514140e6c5f67d1 (patch)
tree50514c9738e96d42d8e5bbb1962bbb0169330eaa /program/steps/settings/identities.inc
parent36d004e3d0ad9ff97b66b2e505f6b17fd6d23102 (diff)
Fix security issue in delete-response action - allow only ajax request.
Unify code for identities and responses deletion.
Diffstat (limited to 'program/steps/settings/identities.inc')
-rw-r--r--program/steps/settings/identities.inc22
1 files changed, 22 insertions, 0 deletions
diff --git a/program/steps/settings/identities.inc b/program/steps/settings/identities.inc
index e19c16c79..f43edc1f7 100644
--- a/program/steps/settings/identities.inc
+++ b/program/steps/settings/identities.inc
@@ -19,6 +19,28 @@
+-----------------------------------------------------------------------+
*/
+if ($RCMAIL->action == 'delete-identity' && $OUTPUT->ajax_call) {
+ $iid = rcube_utils::get_input_value('_iid', rcube_utils::INPUT_POST);
+
+ if ($iid && preg_match('/^[0-9]+(,[0-9]+)*$/', $iid)) {
+ $plugin = $RCMAIL->plugins->exec_hook('identity_delete', array('id' => $iid));
+
+ $deleted = !$plugin['abort'] ? $RCMAIL->user->delete_identity($iid) : $plugin['result'];
+
+ if ($deleted > 0 && $deleted !== false) {
+ $OUTPUT->show_message('deletedsuccessfully', 'confirmation', null, false);
+ $OUTPUT->command('remove_identity', $iid);
+ }
+ else {
+ $msg = $plugin['message'] ? $plugin['message'] : ($deleted < 0 ? 'nodeletelastidentity' : 'errorsaving');
+ $OUTPUT->show_message($msg, 'error', null, false);
+ }
+ }
+
+ $OUTPUT->send();
+}
+
+
define('IDENTITIES_LEVEL', intval($RCMAIL->config->get('identities_level', 0)));
$OUTPUT->set_pagetitle($RCMAIL->gettext('identities'));
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-01 05:31:26 +0000