From b9342a905a8a2336ab5e68045446686efbee866c Mon Sep 17 00:00:00 2001
From: Usman Nasir
Date: Mon, 30 Aug 2021 12:51:18 +0500
Subject: [PATCH] =?UTF-8?q?securify=20fix:=20CP-29:=20Manage=20Website=20?= =?UTF-8?q?=E2=80=93=20SMTP=20Hosts=20=E2=80=93=20Verify?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 emailMarketing/emailMarketingManager.py | 9 +++++++++
 plogical/acl.py | 10 ++++++++++
 2 files changed, 19 insertions(+)
diff --git a/emailMarketing/emailMarketingManager.py b/emailMarketing/emailMarketingManager.py
index beb4bef6c..e1adc45e4 100755
--- a/emailMarketing/emailMarketingManager.py
+++ b/emailMarketing/emailMarketingManager.py
@@ -599,6 +599,7 @@ class EmailMarketingManager:
 userID = self.request.session['userID']
 admin = Administrator.objects.get(pk=userID)
+ currentACL = ACLManager.loadedACL(userID)
 if emACL.checkIfEMEnabled(admin.userName) == 0:
 return ACLManager.loadErrorJson()
@@ -610,6 +611,10 @@ class EmailMarketingManager:
 if operation == 'delete':
 delHost = SMTPHosts.objects.get(id=id)
+
+ if ACLManager.VerifySMTPHost(currentACL, delHost.owner, admin) == 0:
+ return ACLManager.loadErrorJson()
+
 currentACL = ACLManager.loadedACL(userID)
 if currentACL['admin'] == 1:
 pass
@@ -622,6 +627,10 @@ class EmailMarketingManager:
 else:
 try:
 verifyHost = SMTPHosts.objects.get(id=id)
+
+ if ACLManager.VerifySMTPHost(currentACL, verifyHost.owner, admin) == 0:
+ return ACLManager.loadErrorJson()
+
 verifyLogin = smtplib.SMTP(str(verifyHost.host), int(verifyHost.port))
 if int(verifyHost.port) == 587:
diff --git a/plogical/acl.py b/plogical/acl.py
index 9928e4102..23192356f 100644
--- a/plogical/acl.py
+++ b/plogical/acl.py
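Review bot: In the `delete` branch the context line right after the new ownership check, `currentACL = ACLManager.loadedACL(userID)`, is now a redundant second ACL load, because this same commit already loads `currentACL` once at the top of the method (the 599 hunk); that reload can be dropped, and the `if currentACL['admin'] == 1: pass` that follows it duplicates the admin branch `VerifySMTPHost` already takes. Separately, `delHost = SMTPHosts.objects.get(id=id)` runs before the check and, unlike the verify branch, is not visibly inside a `try`; if the enclosing method does not catch `SMTPHosts.DoesNotExist`, a non-existent id yields a server error while another user's id yields `loadErrorJson()`, which lets a caller tell which ids exist. Wrapping the lookup as `try: delHost = SMTPHosts.objects.get(id=id)` / `except SMTPHosts.DoesNotExist: return ACLManager.loadErrorJson()` keeps the two cases indistinguishable. The enclosing method starts before and ends after these hunks, so whether an outer try/except already covers this cannot be confirmed from the diff.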
@@ -43,6 +43,16 @@ class ACLManager:
 '"dkimManager": 1, "createFTPAccount": 1, "deleteFTPAccount": 1, "listFTPAccounts": 1, "createBackup": 1,' \
 ' "restoreBackup": 0, "addDeleteDestinations": 0, "scheduleBackups": 0, "remoteBackups": 0, "googleDriveBackups": 1, "manageSSL": 1, ' \
 '"hostnameSSL": 0, "mailServerSSL": 0 }'
+
+ @staticmethod
+ def VerifySMTPHost(currentACL, owner, user):
+ if currentACL['admin'] == 1:
+ return 1
+ elif owner == user:
+ return 1
+ else:
+ return 0
+
 @staticmethod
 def FindIfChild():
 try:
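Review bot: `VerifySMTPHost` has no docstring, and as the sole authorization gate for SMTP-host delete/verify its contract should be stated, e.g. `"""Return 1 if `user` may act on an SMTPHost owned by `owner` (global admin, or owner == user), else 0."""`. The `owner == user` branch depends on the two objects comparing equal — for Django model instances that is same-model pk equality, but if `SMTPHosts.owner` is anything else (a username string, a different model) the comparison is always False and every non-admin owner is silently refused, so this is worth pinning with a test; the SMTPHosts model is not visible in this diff. The helper also has no notion of the parent/child relationship that `FindIfChild` just below suggests the ACL model has, so a reseller acting on a child account's host is denied here — fail-closed, but confirm that is the intended policy.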