From 5fce1fb288e01140379f67c57648675ac0cbc5b7 Mon Sep 17 00:00:00 2001
From: jedi
Date: Thu, 28 Oct 2021 00:29:17 +0200
Subject: [PATCH] don't leak information about other users aliases and mailboxes

---
 backend/multimail/forms.py | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/backend/multimail/forms.py b/backend/multimail/forms.py
index d51fbcf..b86efd0 100644
--- a/backend/multimail/forms.py
+++ b/backend/multimail/forms.py
@@ -109,6 +109,10 @@ def edit_mailbox(request, mailbox_id):
         if form.is_valid() and form.cleaned_data['domain'] in domains:
             form.save()
             return HttpResponseRedirect('/mailboxes/')
+        else:
+            if not form.cleaned_data['domain'] in domains:
+                form.errors.clear()
+                form.add_error(None, "You don't own this domain")
     except IntegrityError as e:
         form.add_error(None, e)
 
@@ -129,6 +133,10 @@ def new_mailbox(request):
         if form.is_valid() and form.cleaned_data['domain'] in domains:
             form.save()
             return HttpResponseRedirect('/mailboxes/')
+        else:
+            if not form.cleaned_data['domain'] in domains:
+                form.errors.clear()
+                form.add_error(None, "You don't own this domain")
     except IntegrityError as e:
         form.add_error(None, e)
 
@@ -153,6 +161,10 @@ def edit_alias(request, alias_id):
         if form.is_valid() and form.cleaned_data['source_domain'] in domains:
             form.save()
             return HttpResponseRedirect('/aliases/')
+        else:
+            if not form.cleaned_data['source_domain'] in domains:
+                form.errors.clear()
+                form.add_error(None, "You don't own this domain")
     except IntegrityError as e:
         form.add_error(None, e)
 
@@ -173,6 +185,10 @@ def new_alias(request):
         if form.is_valid() and form.cleaned_data['source_domain'] in domains:
             form.save()
             return HttpResponseRedirect('/aliases/')
+        else:
+            if not form.cleaned_data['source_domain'] in domains:
+                form.errors.clear()
+                form.add_error(None, "You don't own this domain")
     except IntegrityError as e:
         form.add_error(None, e)
 
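Review bot: In the added `else:` branch of edit_mailbox, `form.cleaned_data['domain']` is read even though this branch is also reached when `form.is_valid()` returned False, and a field that failed validation (a missing or unknown domain, for instance) is absent from `cleaned_data`, so the view would raise KeyError instead of re-rendering the form; `form.cleaned_data.get('domain')` avoids that, and `not x in y` is conventionally written `x not in y`. The same four lines are repeated in new_mailbox, edit_alias and new_alias (with `source_domain`), so one helper keeps the four copies from drifting and gives the clearing of unrelated errors, which is the actual leak fix, a place to be documented. Whether `domains` is restricted to the requesting user's own domains is not visible here, and edit_mailbox starts and ends outside the hunk, as do the other three functions. The context line `form.add_error(None, e)` in the `except IntegrityError` path still surfaces the raw database error text to the user, which may reveal the same kind of constraint detail this commit sets out to hide.

```python
def _reject_foreign_domain(form, field, domains):
    """Replace every validation error with a single ownership error when the
    submitted domain is not one of *domains*, so field-level messages such as
    uniqueness errors cannot reveal mailboxes or aliases in domains the user
    does not own. Uses .get() because a field that failed validation is absent
    from cleaned_data; a missing domain is then also reported as not owned."""
    if form.cleaned_data.get(field) not in domains:
        form.errors.clear()
        form.add_error(None, "You don't own this domain")


# … unchanged: edit_mailbox up to the ownership test …
        if form.is_valid() and form.cleaned_data['domain'] in domains:
            form.save()
            return HttpResponseRedirect('/mailboxes/')
        else:
            _reject_foreign_domain(form, 'domain', domains)
        # … unchanged: IntegrityError handling …
```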