From 8a65b9d1c6549cd451a3d145461ee465bf87c1e8 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Date: Thu, 19 Mar 2026 12:41:47 +0100
Subject: [PATCH] add missing access control
---
 data/web/inc/functions.fwdhost.inc.php | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/data/web/inc/functions.fwdhost.inc.php b/data/web/inc/functions.fwdhost.inc.php
index d7ac2567c..52c751591 100644
--- a/data/web/inc/functions.fwdhost.inc.php
+++ b/data/web/inc/functions.fwdhost.inc.php
@@ -108,6 +108,14 @@ function fwdhost($_action, $_data = null) {
 }
 break;
 case 'delete':
+ if ($_SESSION['mailcow_cc_role'] != "admin") {
+ $_SESSION['return'][] = array(
+ 'type' => 'danger',
+ 'log' => array(__FUNCTION__, $_action, $_data_log),
+ 'msg' => 'access_denied'
+ );
+ return false;
+ }
 $hosts = (array)$_data['forwardinghost'];
 foreach ($hosts as $host) {
 try {
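Review bot: The role check added at the top of `case 'delete':` uses a loose comparison, so a non-string role value such as `true` would compare equal to "admin" and pass; `if (($_SESSION['mailcow_cc_role'] ?? null) !== "admin") {` keeps the check strict and also avoids an undefined-index warning when the session carries no role. The guard is written per `case`, which is presumably how this branch was missed, so it is worth confirming that the other state-changing branches of `fwdhost()` carry the same check. Those branches lie outside this hunk, as does the assignment of `$_data_log` that the new log entry relies on. A regression test that calls `fwdhost('delete', ...)` under a non-admin session and expects `false` with no forwarding host removed would pin the fix.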