From ecb848493b0bd5ee79528bf8643239d120574438 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Date: Thu, 19 Mar 2026 12:42:45 +0100
Subject: [PATCH] add missing object-level access control

---
 data/web/inc/functions.mailbox.inc.php | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index 9506bbf1f..496421634 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -2062,6 +2062,14 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             return false;
           }
           foreach ($usernames as $username) {
+            if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $username)) {
+              $_SESSION['return'][] = array(
+                'type' => 'danger',
+                'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+                'msg' => 'access_denied'
+              );
+              continue;
+            }
             if ($_data['spam_score'] == "default") {
               $stmt = $pdo->prepare("DELETE FROM `filterconf` WHERE `object` = :username
                 AND (`option` = 'lowspamlevel' OR `option` = 'highspamlevel')");