[Web] prevent multiple dual-logins

mailcow · Mar 8, 2024 · e0bda6c · e0bda6c
1 parent 2ba64e9
commit e0bda6c
Showing 1 changed file with 19 additions and 16 deletions.
diff --git a/data/web/inc/triggers.inc.php b/data/web/inc/triggers.inc.php
@@ -121,23 +121,26 @@
 
 if (isset($_SESSION['mailcow_cc_role']) && (isset($_SESSION['acl']['login_as']) && $_SESSION['acl']['login_as'] == "1")) {
 	if (isset($_GET["duallogin"])) {
-    $duallogin = html_entity_decode(rawurldecode($_GET["duallogin"]));
-    if (filter_var($duallogin, FILTER_VALIDATE_EMAIL)) {
-      if (!empty(mailbox('get', 'mailbox_details', $duallogin))) {
-        $_SESSION["dual-login"]["username"] = $_SESSION['mailcow_cc_username'];
-        $_SESSION["dual-login"]["role"]     = $_SESSION['mailcow_cc_role'];
-        $_SESSION['mailcow_cc_username']    = $duallogin;
-        $_SESSION['mailcow_cc_role']        = "user";
-        header("Location: /user");
+    $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
+    if (!$is_dual) {
+      $duallogin = html_entity_decode(rawurldecode($_GET["duallogin"]));
+      if (filter_var($duallogin, FILTER_VALIDATE_EMAIL)) {
+        if (!empty(mailbox('get', 'mailbox_details', $duallogin))) {
+          $_SESSION["dual-login"]["username"] = $_SESSION['mailcow_cc_username'];
+          $_SESSION["dual-login"]["role"]     = $_SESSION['mailcow_cc_role'];
+          $_SESSION['mailcow_cc_username']    = $duallogin;
+          $_SESSION['mailcow_cc_role']        = "user";
+          header("Location: /user");
+        }
       }
-    }
-    else {
-      if (!empty(domain_admin('details', $duallogin))) {
-        $_SESSION["dual-login"]["username"] = $_SESSION['mailcow_cc_username'];
-        $_SESSION["dual-login"]["role"]     = $_SESSION['mailcow_cc_role'];
-        $_SESSION['mailcow_cc_username']    = $duallogin;
-        $_SESSION['mailcow_cc_role']        = "domainadmin";
-        header("Location: /user");
+      else {
+        if (!empty(domain_admin('details', $duallogin))) {
+          $_SESSION["dual-login"]["username"] = $_SESSION['mailcow_cc_username'];
+          $_SESSION["dual-login"]["role"]     = $_SESSION['mailcow_cc_role'];
+          $_SESSION['mailcow_cc_username']    = $duallogin;
+          $_SESSION['mailcow_cc_role']        = "domainadmin";
+          header("Location: /user");
+        }
       }
     }
   }