From: Michael Rasmussen Date: Thu, 11 Jun 2015 16:01:33 +0000 (+0200) Subject: Enhance security X-Git-Url: http://git.datanom.net/qtadmin.git/commitdiff_plain/3039de292a8f75426d4b2c0ea70a00b75bda5b02 Enhance security
---
diff --git a/lib/utils.inc.php b/lib/utils.inc.php
index 9c6be9b..0b9fe70 100644
--- a/lib/utils.inc.php
+++ b/lib/utils.inc.php
@@ -25,7 +25,7 @@ class Utils {
'; private $footer = '
'; + '; private $heading = '

Session timeout:

__TITLE__

';
@@ -314,6 +314,16 @@ class Utils {
 return $user;
 }
+ public function authorized($recipient) {
+ $authorized = false;
+
+ if ($this->isAdmin() || $this->getUser() == $recipient) {
+ $authorized = true;
+ }
+
+ return $authorized;
+ }
+
 public function getHeader() {
 $this->log("getHeader", 4);
diff --git a/mail_report.php b/mail_report.php
index 21e8264..60405f7 100644
--- a/mail_report.php
+++ b/mail_report.php
@@ -8,13 +8,18 @@ $util = new Utils;
 $loggedIn = $util->isLoggedIn();
 if ($loggedIn && isset($_GET['id'])) {
+ $id = $_GET['id'];
+ $mail = unserialize($_SESSION['mailInfo'][$id]);
+
+ if (false == $util->authorized($mail->recipient)) {
+ header('Location: index.php');
+ exit;
+ }
+
 $util->setHeading('Spam Report');
 echo $util->getHeader();
 echo $util->getHeading();
- $id = $_GET['id'];
- $mail = unserialize($_SESSION['mailInfo'][$id]);
-
 $row = $DB->getMail($id);
 $string = $row->mail_text;
 $sa_tests = null;
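Review bot: The new `authorized()` compares the current user to `$recipient` with `==`, so PHP's loose comparison decides the access check; on the PHP 5 builds this 2015 code targets, a numeric-looking or empty value on either side compares equal to unrelated strings (`0 == "user"`, `null == ""`), which could let a non-admin through. Use strict equality, `if ($this->isAdmin() || $this->getUser() === $recipient) {`, and state the intent above the method with a comment such as `// Only an admin or the message's own recipient may act on it`. What `getUser()` returns when it has no user is not visible here, so an explicit `return false` for an empty user value is also worth confirming rather than relying on the comparison to fail.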
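Review bot: `$_SESSION['mailInfo'][$id]` is indexed with the raw `$_GET['id']` before anyone checks that the key exists, so an id that was never stored in the session makes `unserialize()` return `false`, `$mail->recipient` becomes `null` with a notice, and the deny decision then rests on how `authorized()` happens to treat a null recipient instead of on an explicit rejection. Reject unknown ids before deserializing, e.g. `if (!isset($_SESSION['mailInfo'][$id])) { header('Location: index.php'); exit; }`, and add a comment above the check noting that `mailInfo` is the server-side allow-list of ids this session may view. The check also authorizes against the session copy of the mail while the report body is read from `$DB->getMail($id)`; if that row carries the recipient too, it is the more authoritative value to compare, though its fields are not visible in this hunk. The enclosing `if ($loggedIn && ...)` block continues past the end of the hunk.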