Missing validation for forward creation? #572

Open
davidebeatrici opened this issue Dec 4, 2021 · 10 comments

@davidebeatrici
Contributor

davidebeatrici commented Dec 4, 2021

I accidentally created a few forwards without specifying the domain, resulting in the following:

I'm unable to edit 3 out of 4 entries. Crafting the edit link and submitting changes:

If I log in as superadmin I'm able to edit all forwards.

Please note that the domain omission doesn't seem to be the cause because after adding it as superuser I'm still unable to edit the forward from the "normal" admin account.

@DavidGoodwin
Member

I wouldn't expect the domain omission to be the problem.

@DavidGoodwin
Member

The code implies your user doesn't have permission to edit the alias; does it have permission to modify the domain in question?

@DavidGoodwin
Member

@davidebeatrici
Contributor Author

davidebeatrici commented Dec 5, 2021

Yes, I created the forwards while logged in as the user that is unable to edit them.

postfixadmin/config.inc.php

Lines 263 to 273 in 5207253

```php
// Default Aliases
// The default aliases that need to be created for all domains.
// You can specify the target address in two ways:
// a) a full mail address
// b) only a localpart ('postmaster' => 'admin') - the alias target will point to the same domain
$CONF['default_aliases'] = array (
    'abuse' => '[email protected]',
    'hostmaster' => '[email protected]',
    'postmaster' => '[email protected]',
    'webmaster' => '[email protected]'
);
```

I think this is what causes the issue, as I created [email protected] and it exhibits the same behavior.

@DavidGoodwin
Member

As a user, if I try to add a non-fully-qualified forward, I see

image

@DavidGoodwin
Member

When I log in as an admin for a specific domain (in my case, just 'example.com' - so NOT a superadmin) - I see the same - where I can't edit e.g. default aliases that were added when the domain was created.

@DavidGoodwin
Member

image

@DavidGoodwin
Member

So at least for me, if I'm not a super-admin and the alias target is one of the ones defined in `special_aliases` ( https://github.com/postfixadmin/postfixadmin/blob/master/config.inc.php#L268 ) then edit permission is removed.

@DavidGoodwin
Member

The code that's turning off editability is here -

```php
if (!$this->is_superadmin && !Config::bool('special_alias_control') && array_key_exists($tmp[0], Config::read_array('default_aliases'))) {
```

@davidebeatrici
Contributor Author

> As a user, if I try to add a non-fully-qualified forward, I see
>
> image

Looks like a different page compared to the admin one. Is perhaps address validation only implemented for the user one?

> So at least for me, if I'm not a super-admin and the alias target is one of the ones defined in `special_aliases` ( master/config.inc.php#L268 ) then edit permission is removed.

I unchecked the option to automatically create default aliases when I added the domain as superadmin.

As default aliases are only supposed to be modifiable by a superadmin (unless special_alias_control is enabled), I would expect domain admins not to be able to create them in the first place.
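
The create-time check the last comment asks for, as an added example (not PostfixAdmin's code and not written by anyone in this thread): it reuses the edit-time condition quoted above, assuming `$tmp[0]` there is the alias local part. `isReservedAlias`, `validateNewAlias`, the alias targets and the test addresses are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed sample config; the targets are placeholders, not the project's values.
const DEFAULT_ALIASES = [
    'abuse'      => 'abuse@example.com',
    'hostmaster' => 'hostmaster@example.com',
    'postmaster' => 'postmaster@example.com',
    'webmaster'  => 'webmaster@example.com',
];

// Hypothetical helper: true when this admin may not touch the alias.
// Mirrors the condition quoted in the thread (assumption: $tmp[0] is the local part).
function isReservedAlias(string $address, bool $isSuperadmin, bool $specialAliasControl): bool
{
    $localPart = explode('@', $address, 2)[0];
    return !$isSuperadmin && !$specialAliasControl
        && array_key_exists($localPart, DEFAULT_ALIASES);
}

// Hypothetical create-time check: returns a list of errors, empty when creation is allowed.
function validateNewAlias(string $address, bool $isSuperadmin, bool $specialAliasControl): array
{
    $errors = [];
    // Reject addresses submitted without a domain part.
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'address must be fully qualified (localpart@domain)';
    }
    // Same rule as the edit path, so nobody can create an entry they cannot edit afterwards.
    if (isReservedAlias($address, $isSuperadmin, $specialAliasControl)) {
        $errors[] = 'reserved alias: only a superadmin may create it';
    }
    return $errors;
}

// Constructed cases: [address, is_superadmin, special_alias_control]
$cases = [
    ['postmaster@example.com', false, false], // domain admin, reserved local part
    ['postmaster',             false, false], // domain omitted
    ['postmaster@example.com', true,  false], // superadmin
    ['postmaster@example.com', false, true],  // special_alias_control enabled
    ['sales@example.com',      false, false], // ordinary alias
];
foreach ($cases as [$address, $super, $control]) {
    $errors = validateNewAlias($address, $super, $control);
    printf("%-24s super=%d control=%d -> %s\n", $address, $super, $control,
        $errors ? implode('; ', $errors) : 'ok');
}
```

Calling one predicate from both the create and the edit handlers keeps the two authorization decisions from drifting apart.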
