1

Topic: Limit Access for Single domain admin

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.0 PGSQL
- Deployed with iRedMail Easy or the downloadable installer? Downloadable Installer
- Linux/BSD distribution name and version: Ubuntu 18.04.4 LTS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): PGSQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Good Day,

I need to limit a single user for a domain to only be able to create accounts, reset passwords and setup forwarders.
I have disabled most functions on the Advanced tab on the domain but the user can still access sent and received logs for all accounts.

Secondly, I would like to either disable the Dashboard or disable the links on the dashboard to prevent the user from accessing the Activities.

Being able to disable the Activities navigation option would work as well.

I appreciate any assistance on this,

Kind Regards,
Charles


2

Re: Limit Access for Single domain admin

So you want to disable the activities pages; I can implement this in iRedAdmin-Pro. But what I don't understand is, if the user owns this mail domain, why don't you allow the admins to check Sent/Received logs?

3

Re: Limit Access for Single domain admin

Hi Zhang,

The company that uses the domain will have a domain admin that manages the domain completely and a second admin that only has access to create emails and forwarders. The second admin user should not be able to see message subjects and most of the statistics/logs due to security concerns. 

This means that the limitations should be user-based and not domain-based.

4

Re: Limit Access for Single domain admin

If the second admin is a user with admin privilege, in the user profile page you should see an option "Disallow to view log of inbound/outbound mails" under tab "General" in the "Mark this user as" section. Is it ok for you?

5

Re: Limit Access for Single domain admin

Ahh, it seems then that the setting does not work as expected. See the image attached: I logged in with the Global admin in the first image and checked the settings as displayed. I logged out and logged in with the limited user, and the links are still clickable, with the information displayed. I can see some menu items disappear when I apply the Disallow to view setting, but not everything.

The problem seems to be that the limitation then does not apply correctly. Do you have any idea what could be causing it?

Post's attachments

Capture.JPG 53.2 kb, 1 downloads since 2020-03-19

6

Re: Limit Access for Single domain admin

I will disable the links on the Dashboard page in an upcoming iRedAdmin-Pro release. Stay tuned.

7

Re: Limit Access for Single domain admin

A patch for the latest iRedAdmin-Pro-SQL-4.2 and iRedAdmin-Pro-LDAP-4.3 is available; I tested it locally and it works fine. Please help test it and let me know how it works.

diff --git a/templates/default/dashboard.html b/templates/default/dashboard.html
index 2b32bac9..71900aaa 100644
--- a/templates/default/dashboard.html
+++ b/templates/default/dashboard.html
@@ -174,7 +174,11 @@
                         {% if s.mail %}
                             {% set _mail = s.mail |e %}
 
-                            <td class="full"><a href="{{ctx.homepath}}/activities/sent/user/{{ _mail }}">{{ _mail }}</a></td>
+                            {% if session.get('disable_viewing_mail_log') is sameas true %}
+                                <td class="full">{{ _mail }}</td>
+                            {% else %}
+                                <td class="full"><a href="{{ctx.homepath}}/activities/sent/user/{{ _mail }}">{{ _mail }}</a></td>
+                            {% endif %}
                         {% else %}
                             <td class="full">&lt;&gt;</td>
                         {% endif %}
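Review bot: hiding the anchor in this template is a presentation change only; the `/activities/sent/user/{{ _mail }}` route stays reachable by typing the URL, so the `disable_viewing_mail_log` check must also be enforced in the controller that serves it (the extra patch in post 8 does this), otherwise the limited admin can still open the page that post 5 describes.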
@@ -195,7 +199,11 @@
                         {% if s.mail %}
                             {% set _mail = s.mail |e %}
 
-                            <td class="full"><a href="{{ctx.homepath}}/activities/received/user/{{ _mail }}">{{ _mail }}</a></td>
+                            {% if session.get('disable_viewing_mail_log') is sameas true %}
+                                <td class="full">{{ _mail }}</td>
+                            {% else %}
+                                <td class="full"><a href="{{ctx.homepath}}/activities/received/user/{{ _mail }}">{{ _mail }}</a></td>
+                            {% endif %}
                         {% else %}
                             <td class="full">&lt;&gt;</td>
                         {% endif %}
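Review bot: this hunk repeats the same five-line conditional as the `sent` block above with only the URL path changed; collapsing it to a single cell, e.g. `<td class="full">{% if session.get('disable_viewing_mail_log') is sameas true %}{{ _mail }}{% else %}<a href="...">{{ _mail }}</a>{% endif %}</td>`, or a small macro that takes the log type, keeps the two branches from drifting apart when one is edited later.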

8

Re: Limit Access for Single domain admin

An extra patch is required too:

diff --git a/controllers/amavisd/log.py b/controllers/amavisd/log.py
index a3d9bde4..2b6dfa2e 100644
--- a/controllers/amavisd/log.py
+++ b/controllers/amavisd/log.py
@@ -138,6 +138,7 @@ class InOutMails(object):
 
 
 class InOutMailsPerAccount(object):
+    @decorators.require_permission_in_session(perm='disable_viewing_mail_log', not_present=True)
     @decorators.require_login
     def GET(self, log_type, account_type, account, page=1):
         log_type = str(log_type)
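Review bot: decorator order: `require_permission_in_session` sits above `require_login`, so it runs first and evaluates the session flag before the request is known to come from a logged-in user; placing it below `require_login` (closest to `GET`) sends anonymous requests to the login redirect first and spares the permission decorator from handling an empty session. Also, the hunk header shows the domain-wide `InOutMails` class just above this one; confirm that listing gets the same guard, since the original complaint was about logs for all accounts of the domain.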
@@ -178,6 +179,7 @@ class InOutMailsPerAccount(object):
         )
 
     @decorators.csrf_protected
+    @decorators.require_permission_in_session(perm='disable_viewing_mail_log', not_present=True)
     @decorators.require_login
     def POST(self, log_type, account_type, account, page=1):
         log_type = str(log_type).lower()
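Review bot: the check reads the flag from the session (`require_permission_in_session`), which is populated at login; if the global admin ticks "Disallow to view log of inbound/outbound mails" while the limited admin is already logged in, this POST handler keeps answering until that admin logs out and back in. Either note this in the release notes or re-read the flag from the account record on this path.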
@@ -405,6 +407,7 @@ class QuarantinedMails(object):
 
 
 class QuarantinedMailsPerAccount(object):
+    @decorators.require_permission_in_session(perm='disable_managing_quarantined_mails', not_present=True)
     @decorators.require_login
     def GET(self, account_type, account, quarantined_type=None, page=1):
         account_type = str(account_type)
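Review bot: `not_present=True` inverts the usual meaning of a "require permission" decorator (the request is allowed only when `disable_managing_quarantined_mails` is absent from the session); a one-line comment above the decorator, or a name such as `deny_if_permission_in_session`, would stop a later reader from flipping it. This hunk also extends the fix beyond the thread's request (mail logs) to quarantine management; fine, but call that out in the changelog.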
@@ -464,6 +467,7 @@ class QuarantinedMailsPerAccount(object):
         )
 
     @decorators.csrf_protected
+    @decorators.require_permission_in_session(perm='disable_managing_quarantined_mails', not_present=True)
     @decorators.require_login
     def POST(self, account_type, account, quarantined_type=None, page=1):
         form = web.input(record=[], _unicode=False)
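Review bot: server side this now blocks quarantine actions for the restricted admin, but the template patch in post 7 only hides the `activities/sent` and `activities/received` links; if the dashboard or account pages also link to per-account quarantine pages, gate those links in the template under the same `session.get('disable_managing_quarantined_mails')` condition so the user sees a plain cell rather than a permission error.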
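The patches above stack a session-flag permission decorator on top of a login decorator, and the review notes argue about their order. The following is an added, stand-alone illustration of why that order matters; it is not iRedAdmin-Pro code. The two decorator names mirror the ones in the patch, but their bodies, the `Redirect`/`Forbidden` exceptions, the handler names and the sample sessions are all assumptions constructed for this example.

```python
"""Added illustration (not iRedAdmin-Pro code): composing a session-flag
permission decorator with a login decorator, and how their order changes
what an anonymous request gets back."""
import functools


class Redirect(Exception):
    """Stands in for an HTTP redirect to the login page (assumed)."""


class Forbidden(Exception):
    """Stands in for an HTTP 403 / permission-denied response (assumed)."""


def require_login(func):
    """Reject requests whose session has no 'logged_in' marker."""
    @functools.wraps(func)
    def wrapper(session, *args, **kwargs):
        if not session.get('logged_in'):
            raise Redirect('/login')
        return func(session, *args, **kwargs)
    return wrapper


def require_permission_in_session(perm, not_present=False):
    """Assumed semantics of the decorator used in the patch.

    With not_present=True the request is allowed only when the flag is
    absent or not literally True, i.e. the flag is a *restriction* bit
    such as 'disable_viewing_mail_log' (compare the template's
    `is sameas true` test). With not_present=False it is a normal
    'flag must be set' check."""
    def deco(func):
        @functools.wraps(func)
        def wrapper(session, *args, **kwargs):
            flag_set = session.get(perm) is True
            if not_present and flag_set:
                raise Forbidden(perm)
            if not not_present and not flag_set:
                raise Forbidden(perm)
            return func(session, *args, **kwargs)
        return wrapper
    return deco


# Order as in the patch: the permission check is outermost, so it runs first.
@require_permission_in_session(perm='disable_viewing_mail_log', not_present=True)
@require_login
def get_mail_log_patch_order(session, account):
    return 'log for ' + account


# Alternative order: login is checked first, then the restriction flag.
@require_login
@require_permission_in_session(perm='disable_viewing_mail_log', not_present=True)
def get_mail_log_login_first(session, account):
    return 'log for ' + account


def outcome(handler, session):
    """Classify the response a request would get: 'ok', 'redirect' or 'forbidden'."""
    try:
        handler(session, 'user@example.com')  # constructed sample account
        return 'ok'
    except Redirect:
        return 'redirect'
    except Forbidden:
        return 'forbidden'


# Constructed sample sessions (dicts stand in for the web session object).
FULL_ADMIN = {'logged_in': True}
LIMITED_ADMIN = {'logged_in': True, 'disable_viewing_mail_log': True}
ANON_WITH_FLAG = {'disable_viewing_mail_log': True}   # stale flag, not logged in
ANON = {}

if __name__ == '__main__':
    for name, sess in [('full admin', FULL_ADMIN), ('limited admin', LIMITED_ADMIN),
                       ('anon+flag', ANON_WITH_FLAG), ('anon', ANON)]:
        print(name, 'patch order:', outcome(get_mail_log_patch_order, sess),
              '| login first:', outcome(get_mail_log_login_first, sess))
```

Both orders deny the limited admin and allow the full admin; they differ only for a request that is not logged in but carries the flag, where the patch's order answers with a permission error before ever asking whether the caller is logged in. Putting `require_login` outermost gives every anonymous request the same login redirect regardless of what else the session holds.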