#5 add delete button with improved security

2016-12-19 22:07:16 +01:00 · 2016-12-19 22:07:16 +01:00 · 8bcdc397ea
commit 8bcdc397ea
parent a8f8748e06
3 changed files with 57 additions and 2 deletions
--- a/src/backend.php
+++ b/src/backend.php
@ -98,6 +98,35 @@ function delete_old_messages() {
    $mailbox->expungeDeletedMails();
 }

+/**
+ * deletes emails by id and username. The username must match the id.
+ *
+ * @param $mailid internal id (integer)
+ * @param $username the matching username
+ */
+function delete_mail($mailid, $username) {
+    global $mailbox, $config;
+
+    // in order to avoid https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References
+    // the $username must match the $mailid.
+    $name = clean_name($username);
+    if (strlen($name) === 0) {
+        error(400, 'invalid username');
+    }
+    $address = get_address($name, $config['mailHostname']);
+    $mail_ids = search_mails($address, $mailbox);
+
+    if (in_array($mailid, $mail_ids)) {
+        $mailbox->deleteMail($mailid);
+        $mailbox->expungeDeletedMails();
+        print(json_encode(array("success" => true)));
+    } else {
+        error(404, 'delete error: invalid username/mailid combination');
+    }
+
+
+}
+

 header('Content-type: application/json');

@ -106,7 +135,10 @@ header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
 header("Cache-Control: post-check=0, pre-check=0", false);
 header("Pragma: no-cache");

-if (isset($_GET['username'])) {
+
+if (isset($_GET['username']) && isset($_GET['delete_email_id'])) {
+    delete_mail($_GET['delete_email_id'], $_GET['username']);
+} else if (isset($_GET['username'])) {
    print_inbox($_GET['username']);
 } else {
    error(400, 'invalid action');
--- a/src/client-libs/index.js
+++ b/src/client-libs/index.js
@ -112,6 +112,23 @@ app.controller('MailboxController', ["$scope", "$interval", "$http", "$log", fun
            });
    };

+    self.deleteMail = function (mailid) {
+        $http.get(backend_url, {params: {username: self.username, delete_email_id: mailid}})
+            .then(
+                function successCallback(response) {
+                    self.updateMails();
+                },
+                function errorCallback(response) {
+                    $log.error(response, this);
+                    self.error = {
+                        title: "HTTP_ERROR",
+                        desc: "There is a problem with deleting the mail. (HTTP_ERROR).",
+                        detail: response
+                    };
+                });
+
+    };
+
    // Initial load
    self.updateMails()
 }]);
--- a/src/index.html
+++ b/src/index.html
@ -72,7 +72,13 @@

                <section class="email">
                    <div class="row sticky-header" ec-stickyfill>
-                        <div class="col-sm-12 email-summary">{{mail.subject}}</div>
+                        <div class="col-sm-12 email-summary">{{mail.subject}}
+                            <form class="form-inline float-xs-right">
+                                <button ng-click="$ctrl.deleteMail(mail.id)" type="button"
+                                        class="btn btn-sm btn-outline-danger">Delete
+                                </button>
+                            </form>
+                        </div>
                    </div>

                    <div class="row">