securify fix: CP-29: Manage Website – SMTP Hosts – Verify

Author: usmannasir

emailMarketing/emailMarketingManager.py

@@ -599,6 +599,7 @@ def smtpHostOperations(self):
 
             userID = self.request.session['userID']
             admin = Administrator.objects.get(pk=userID)
+            currentACL = ACLManager.loadedACL(userID)
 
             if emACL.checkIfEMEnabled(admin.userName) == 0:
                 return ACLManager.loadErrorJson()
@@ -610,6 +611,10 @@ def smtpHostOperations(self):
 
             if operation == 'delete':
                 delHost = SMTPHosts.objects.get(id=id)
+
+                if ACLManager.VerifySMTPHost(currentACL, delHost.owner, admin) == 0:
+                    return ACLManager.loadErrorJson()
+
                 currentACL = ACLManager.loadedACL(userID)
                 if currentACL['admin'] == 1:
                     pass
@@ -622,6 +627,10 @@ def smtpHostOperations(self):
             else:
                 try:
                     verifyHost = SMTPHosts.objects.get(id=id)
+
+                    if ACLManager.VerifySMTPHost(currentACL, verifyHost.owner, admin) == 0:
+                        return ACLManager.loadErrorJson()
+
                     verifyLogin = smtplib.SMTP(str(verifyHost.host), int(verifyHost.port))
 
                     if int(verifyHost.port) == 587:

plogical/acl.py

@@ -43,6 +43,16 @@ class ACLManager:
               '"dkimManager": 1, "createFTPAccount": 1, "deleteFTPAccount": 1, "listFTPAccounts": 1, "createBackup": 1,' \
               ' "restoreBackup": 0, "addDeleteDestinations": 0, "scheduleBackups": 0, "remoteBackups": 0, "googleDriveBackups": 1, "manageSSL": 1, ' \
               '"hostnameSSL": 0, "mailServerSSL": 0 }'
+
+    @staticmethod
+    def VerifySMTPHost(currentACL, owner, user):
+        if currentACL['admin'] == 1:
+            return 1
+        elif owner == user:
+            return 1
+        else:
+            return 0
+
     @staticmethod
     def FindIfChild():
         try: