#5 add delete button with improved security

synox · Dec 19, 2016 · 8bcdc39 · 8bcdc39
1 parent a8f8748
commit 8bcdc39
Show file tree

Hide file tree

Showing 3 changed files with 57 additions and 2 deletions.
diff --git a/src/backend.php b/src/backend.php
@@ -98,6 +98,35 @@ function delete_old_messages() {
     $mailbox->expungeDeletedMails();
 }
 
+/**
+ * deletes emails by id and username. The username must match the id.
+ *
+ * @param $mailid internal id (integer)
+ * @param $username the matching username
+ */
+function delete_mail($mailid, $username) {
+    global $mailbox, $config;
+
+    // in order to avoid https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References
+    // the $username must match the $mailid.
+    $name = clean_name($username);
+    if (strlen($name) === 0) {
+        error(400, 'invalid username');
+    }
+    $address = get_address($name, $config['mailHostname']);
+    $mail_ids = search_mails($address, $mailbox);
+
+    if (in_array($mailid, $mail_ids)) {
+        $mailbox->deleteMail($mailid);
+        $mailbox->expungeDeletedMails();
+        print(json_encode(array("success" => true)));
+    } else {
+        error(404, 'delete error: invalid username/mailid combination');
+    }
+
+
+}
+
 
 header('Content-type: application/json');
 
@@ -106,7 +135,10 @@ function delete_old_messages() {
 header("Cache-Control: post-check=0, pre-check=0", false);
 header("Pragma: no-cache");
 
-if (isset($_GET['username'])) {
+
+if (isset($_GET['username']) && isset($_GET['delete_email_id'])) {
+    delete_mail($_GET['delete_email_id'], $_GET['username']);
+} else if (isset($_GET['username'])) {
     print_inbox($_GET['username']);
 } else {
     error(400, 'invalid action');

diff --git a/src/client-libs/index.js b/src/client-libs/index.js
@@ -112,6 +112,23 @@ app.controller('MailboxController', ["$scope", "$interval", "$http", "$log", fun
             });
     };
 
+    self.deleteMail = function (mailid) {
+        $http.get(backend_url, {params: {username: self.username, delete_email_id: mailid}})
+            .then(
+                function successCallback(response) {
+                    self.updateMails();
+                },
+                function errorCallback(response) {
+                    $log.error(response, this);
+                    self.error = {
+                        title: "HTTP_ERROR",
+                        desc: "There is a problem with deleting the mail. (HTTP_ERROR).",
+                        detail: response
+                    };
+                });
+
+    };
+
     // Initial load
     self.updateMails()
 }]);
diff --git a/src/index.html b/src/index.html
@@ -72,7 +72,13 @@
 
                 <section class="email">
                     <div class="row sticky-header" ec-stickyfill>
-                        <div class="col-sm-12 email-summary">{{mail.subject}}</div>
+                        <div class="col-sm-12 email-summary">{{mail.subject}}
+                            <form class="form-inline float-xs-right">
+                                <button ng-click="$ctrl.deleteMail(mail.id)" type="button"
+                                        class="btn btn-sm btn-outline-danger">Delete
+                                </button>
+                            </form>
+                        </div>
                     </div>
 
                     <div class="row">