From ced34cb15e095836767971aa4d27b141fb1d7ec9 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Sat, 18 Oct 2014 08:47:54 -0400
Subject: [PATCH] Merge pull request #230 from bytesatwork-xx/master

---
 index.php |   27 ++++++++++++++++++---------
 1 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/index.php b/index.php
index ae5df40..5ca2af6 100644
--- a/index.php
+++ b/index.php
@@ -147,7 +147,7 @@
             $error_code = RCMAIL::ERROR_INVALID_REQUEST;
         }
         else {
-            $error_code = $auth['error'] ? $auth['error'] : $RCMAIL->login_error();
+            $error_code = is_numeric($auth['error']) ? $auth['error'] : $RCMAIL->login_error();
         }
 
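Review bot: The new `is_numeric($auth['error'])` reads the key without an `isset()` guard, so an auth result array that omits `error` raises an undefined-index notice before `is_numeric()` ever sees the `null`; `isset($auth['error']) && is_numeric($auth['error']) ? $auth['error'] : $RCMAIL->login_error()` keeps the intent. The corresponding read in the next hunk is already guarded by `!empty()`, so this is the only unguarded one. The enclosing if/else starts outside the hunk.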
         $error_labels = array(
@@ -157,7 +157,7 @@
             RCMAIL::ERROR_INVALID_HOST     => 'invalidhost',
         );
 
-        $error_message = $error_labels[$error_code] ? $error_labels[$error_code] : 'loginfailed';
+        $error_message = !empty($auth['error']) && !is_numeric($auth['error']) ? $auth['error'] : ($error_labels[$error_code] ?: 'loginfailed');
 
         $OUTPUT->show_message($error_message, 'warning');
 
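Review bot: `$error_labels[$error_code] ?: 'loginfailed'` still indexes the table with a code that may not be a key (anything `login_error()` returns outside the listed constants), which emits a notice on the lookup; `isset($error_labels[$error_code]) ? $error_labels[$error_code] : 'loginfailed'` avoids that. The line now also hands a non-numeric `$auth['error']` straight to `$OUTPUT->show_message()`, so whoever populates that value presumably must supply a label name rather than free text — a comment such as `// a non-numeric $auth['error'] is used as the message label as-is` would make that contract visible. The `$error_labels` table is opened in the previous hunk and its body lies between the two hunks.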
@@ -189,7 +189,7 @@
 }
 
 // check session and auth cookie
-else if ($RCMAIL->task != 'login' && $_SESSION['user_id'] && $RCMAIL->action != 'send') {
+else if ($RCMAIL->task != 'login' && $_SESSION['user_id']) {
     if (!$RCMAIL->session->check_auth()) {
         $RCMAIL->kill_session();
         $session_error = true;
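Review bot: `$_SESSION['user_id']` on the rewritten `else if` line is tested by bare truthiness, which raises a notice when the session has no such key (every unauthenticated request to a non-login task); `!empty($_SESSION['user_id'])` expresses the same condition without it. Dropping the `action != 'send'` exemption means the `check_auth()` branch now covers that action too, which the commit message does not mention — a one-line comment above the branch saying that `send` is deliberately no longer exempt would keep the next reader from reinstating it. The `else if` body continues past the end of the hunk.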
@@ -212,7 +212,7 @@
         $OUTPUT->show_message('sessionerror', 'error', null, true, -1);
     }
 
-    if ($OUTPUT->ajax_call || $OUTPUT->framed) {
+    if ($OUTPUT->ajax_call || $OUTPUT->get_env('framed')) {
         $OUTPUT->command('session_error', $RCMAIL->url(array('_err' => 'session')));
         $OUTPUT->send('iframe');
     }
@@ -260,6 +260,14 @@
                 'message' => "Referer check failed"), true, true);
         }
     }
+
+    // check access to disabled actions
+    $disabled_actions = (array) $RCMAIL->config->get('disabled_actions');
+    if (in_array($RCMAIL->task . '.' . ($RCMAIL->action ?: 'index'), $disabled_actions)) {
+        rcube::raise_error(array(
+            'code' => 403, 'type' => 'php',
+            'message' => "Action disabled"), true, true);
+    }
 }
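Review bot: `in_array()` on the new disabled-actions check is called without the strict flag, so loose comparison is used against configuration entries; since both sides are strings here the practical effect is small, but `in_array($RCMAIL->task . '.' . ($RCMAIL->action ?: 'index'), $disabled_actions, true)` removes the ambiguity. The matching rule should also be documented next to the check, e.g. `// entries are exact "task.action" strings; action defaults to "index", no wildcards`, because an admin listing only the task name will get no effect. Note the check sits at the end of a block whose opening brace is outside the hunk, so it only applies to requests that reach that branch.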
 
 // we're ready, user is authenticated and the request is safe
@@ -287,13 +295,14 @@
 $redirects = 0; $incstep = null;
 while ($redirects < 5) {
     // execute a plugin action
-    if ($RCMAIL->plugins->is_plugin_task($RCMAIL->task)) {
-        if (!$RCMAIL->action) $RCMAIL->action = 'index';
-        $RCMAIL->plugins->exec_action($RCMAIL->task.'.'.$RCMAIL->action);
+    if (preg_match('/^plugin\./', $RCMAIL->action)) {
+        $RCMAIL->plugins->exec_action($RCMAIL->action);
         break;
     }
-    else if (preg_match('/^plugin\./', $RCMAIL->action)) {
-        $RCMAIL->plugins->exec_action($RCMAIL->action);
+    // execute action registered to a plugin task
+    else if ($RCMAIL->plugins->is_plugin_task($RCMAIL->task)) {
+        if (!$RCMAIL->action) $RCMAIL->action = 'index';
+        $RCMAIL->plugins->exec_action($RCMAIL->task.'.'.$RCMAIL->action);
         break;
     }
     // try to include the step file
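Review bot: The first branch executes `$RCMAIL->action` alone as the plugin action (e.g. `plugin.foo`), whereas the disabled-actions check introduced earlier in this patch builds its key as `task . '.' . action`, so a plugin action can only be disabled by listing it as `<task>.plugin.foo` — worth a comment on this branch, or aligning the two key forms, so the config option's behaviour is not a surprise. On style, the retained `if (!$RCMAIL->action) $RCMAIL->action = 'index';` is a braceless single-line `if`; `if (!$RCMAIL->action) { $RCMAIL->action = 'index'; }` matches the surrounding block style. The `while ($redirects < 5)` loop begins before and continues after this hunk.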

--
Gitblit v1.9.1