
Löschen fremder Mailaccounts war bisher möglich

Bernd Wurst authored on18/04/2013 06:35:48
Showing1 changed files
... ...
@@ -38,7 +38,8 @@ function mailaccounts($uid)
38 38
 function get_mailaccount($id)
39 39
 {
40 40
   $id = (int) $id;
41
-  $result = db_query("SELECT concat_ws('@',`m`.`local`,if(isnull(`m`.`domain`),'".config('masterdomain')."',`d`.`domainname`)) AS `account`, `m`.`password` AS `cryptpass`,`m`.`maildir` AS `maildir`,aktiv from (`mail`.`mailaccounts` `m` left join `mail`.`v_domains` `d` on((`d`.`id` = `m`.`domain`))) WHERE m.id=$id");
41
+  $uid = (int) $_SESSION['userinfo']['uid'];
42
+  $result = db_query("SELECT concat_ws('@',`m`.`local`,if(isnull(`m`.`domain`),'".config('masterdomain')."',`d`.`domainname`)) AS `account`, `m`.`password` AS `cryptpass`,`m`.`maildir` AS `maildir`,aktiv from (`mail`.`mailaccounts` `m` left join `mail`.`v_domains` `d` on((`d`.`id` = `m`.`domain`))) WHERE m.id=$id AND m.uid={$uid}");
42 43
   DEBUG("Found ".mysql_num_rows($result)." rows!");
43 44
   if (mysql_num_rows($result) != 1)
44 45
     system_failure('Dieser Mailaccount existiert nicht oder gehört Ihnen nicht');
... ...
@@ -51,6 +52,7 @@ function get_mailaccount($id)
51 52
 function change_mailaccount($id, $arr)
52 53
 {
53 54
   $id = (int) $id;
55
+  $uid = (int) $_SESSION['userinfo']['uid'];
54 56
   $conditions = array();
55 57
 
56 58
   if (isset($arr['account']))
... ...
@@ -89,7 +91,7 @@ function change_mailaccount($id, $arr)
89 91
     array_push($conditions, "`aktiv`=".($arr['enabled'] == 'Y' ? "1" : "0"));
90 92
 
91 93
 
92
-  db_query("UPDATE mail.mailaccounts SET ".implode(",", $conditions)." WHERE id='$id' LIMIT 1");
94
+  db_query("UPDATE mail.mailaccounts SET ".implode(",", $conditions)." WHERE id='$id' AND uid={$uid}");
93 95
   logger(LOG_INFO, "modules/imap/include/mailaccounts", "imap", "updated account »{$arr['account']}«");
94 96
 
95 97
 }
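Review bot: In change_mailaccount the new `AND uid={$uid}` clause makes a foreign id match no row, but the function neither checks the result nor stops, so the `logger(LOG_INFO, ...)` line still records "updated account" and the caller gets no error. A denied attempt should fail visibly and be distinguishable in the log; calling `get_mailaccount($id);` right after the `$uid` assignment would reuse the `system_failure()` path in get_mailaccount (an affected-row count is a weaker test, since MySQL reports 0 for an UPDATE that changes no values). Also, `(int) $_SESSION['userinfo']['uid']` evaluates to 0 when the session key is missing, so both functions would then query for uid 0; whether such rows can exist is not visible here. The middle of change_mailaccount lies outside the shown hunks, so an existing ownership check there cannot be ruled out.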