fix(sec): Cross-Tenant-IDOR bei POP3-Konten schließen

Gleiches Muster wie bei IMAP (730099d): domain_admin konnte POP3-Konten fremder Tenants auflisten, löschen und Importe/Progress fremder Tenants ansehen, da pop3_accounts keine tenant_id hatte und Store.List() für Admins ungefiltert alle Konten lieferte. - pop3_accounts: neue Spalte tenant_id (ALTER TABLE ADD COLUMN IF NOT EXISTS) - Store.List() filtert nach tenant_id, außer für superadmin - Store.Create() setzt tenant_id beim Anlegen - delete/start-import/progress prüfen zusätzlich tenantAccessAllowed()
2026-06-12 23:31:56 +02:00
parent 730099d2aa
commit 501ee8f7ea
2 changed files with 22 additions and 10 deletions
@@ -400,7 +400,7 @@ func (s *Server) handleListPop3(w http.ResponseWriter, r *http.Request) {
 	sess := sessionFromCtx(r.Context())
 	// SEC-03: Use HasRole to correctly check admin privileges (domain_admin, admin, superadmin).
 	isAdmin := auth.HasRole(sess.Role, userstore.RoleDomainAdmin)
-	accounts, err := s.pop3Store.List(r.Context(), sess.Username, isAdmin)
+	accounts, err := s.pop3Store.List(r.Context(), sess.Username, isAdmin, sess.TenantID)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "failed to list POP3 accounts")
 		return
@@ -449,6 +449,7 @@ func (s *Server) handleCreatePop3(w http.ResponseWriter, r *http.Request) {
 		TLS:           req.TLS,
 		TLSSkipVerify: req.TLSSkipVerify,
 		Username:      req.Username,
+		TenantID:      sess.TenantID,
 	}

 	created, err := s.pop3Store.Create(r.Context(), acc, req.Password)
@@ -611,6 +612,10 @@ func (s *Server) handlePop3Progress(w http.ResponseWriter, r *http.Request) {
 		writeError(w, http.StatusForbidden, "access denied")
 		return
 	}
+	if !tenantAccessAllowed(sess, acc.TenantID) {
+		writeError(w, http.StatusForbidden, "access denied")
+		return
+	}

 	writeJSON(w, http.StatusOK, acc)
 }