add missing access control

2026-03-30 18:32:44 +00:00 · 2026-03-19 12:41:47 +01:00
parent ed9264fd2a
commit 8a65b9d1c6
1 changed files with 8 additions and 0 deletions
--- a/data/web/inc/functions.fwdhost.inc.php
+++ b/data/web/inc/functions.fwdhost.inc.php
@@ -108,6 +108,14 @@ function fwdhost($_action, $_data = null) {
      }
    break;
    case 'delete':
+      if ($_SESSION['mailcow_cc_role'] != "admin") {
+        $_SESSION['return'][] = array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $_action, $_data_log),
+          'msg' => 'access_denied'
+        );
+        return false;
+      }
      $hosts = (array)$_data['forwardinghost'];
      foreach ($hosts as $host) {
        try {