diff --git a/lib/plugins/libkolab/composer.json b/lib/plugins/kolab_auth/composer.json similarity index 71% copy from lib/plugins/libkolab/composer.json copy to lib/plugins/kolab_auth/composer.json index 8926037..3e7012f 100644 --- a/lib/plugins/libkolab/composer.json +++ b/lib/plugins/kolab_auth/composer.json @@ -1,30 +1,30 @@ { - "name": "kolab/libkolab", + "name": "kolab/kolab_auth", "type": "roundcube-plugin", - "description": "Plugin to setup a basic environment for the interaction with a Kolab server.", + "description": "Kolab authentication", "homepage": "http://git.kolab.org/roundcubemail-plugins-kolab/", "license": "AGPLv3", - "version": "1.1.0", + "version": "3.2.2", "authors": [ { "name": "Thomas Bruederli", "email": "bruederli@kolabsys.com", "role": "Lead" }, { - "name": "Alensader Machniak", + "name": "Aleksander Machniak", "email": "machniak@kolabsys.com", - "role": "Developer" + "role": "Lead" } ], "repositories": [ { "type": "composer", "url": "http://plugins.roundcube.net" } ], "require": { "php": ">=5.3.0", "roundcube/plugin-installer": ">=0.1.3" } } diff --git a/lib/plugins/kolab_auth/config.inc.php.dist b/lib/plugins/kolab_auth/config.inc.php.dist index 785fb78..8c01d56 100644 --- a/lib/plugins/kolab_auth/config.inc.php.dist +++ b/lib/plugins/kolab_auth/config.inc.php.dist @@ -1,84 +1,91 @@ 'cn=kolab,cn=config', // 'domain_filter' => '(&(objectclass=domainrelatedobject)(associateddomain=%s))', // 'domain_name_attr' => 'associateddomain', // // With this %dc variable in base_dn and groups/base_dn will be // replaced with DN string of resolved domain //--------------------------------------------------------------------- -$rcmail_config['kolab_auth_addressbook'] = ''; +$config['kolab_auth_addressbook'] = ''; // This will overwrite defined filter -$rcmail_config['kolab_auth_filter'] = '(&(objectClass=kolabInetOrgPerson)(|(uid=%u)(mail=%fu)(alias=%fu)))'; +$config['kolab_auth_filter'] = '(&(objectClass=kolabInetOrgPerson)(|(uid=%u)(mail=%fu)(alias=%fu)))'; -// Use this fields (from fieldmap configuration) to get authentication ID -$rcmail_config['kolab_auth_login'] = 'email'; +// Use this field (from fieldmap configuration) to get authentication ID. Don't use an array here! +$config['kolab_auth_login'] = 'email'; -// Use this fields (from fieldmap configuration) for default identity. +// Use these fields (from fieldmap configuration) for default identity. // If the value array contains more than one field, first non-empty will be used // Note: These aren't LDAP attributes, but field names in config // Note: If there's more than one email address, as many identities will be created -$rcmail_config['kolab_auth_name'] = array('name', 'cn'); -$rcmail_config['kolab_auth_email'] = array('email'); -$rcmail_config['kolab_auth_organization'] = array('organization'); +$config['kolab_auth_name'] = array('name', 'cn'); +$config['kolab_auth_email'] = array('email'); +$config['kolab_auth_organization'] = array('organization'); + +// Role field (from fieldmap configuration) +$config['kolab_auth_role'] = 'role'; // Template for user names displayed in the UI. // You can use all attributes from the 'fieldmap' property of the 'kolab_auth_addressbook' configuration -$rcmail_config['kolab_auth_user_displayname'] = '{name} ({ou})'; +$config['kolab_auth_user_displayname'] = '{name} ({ou})'; // Login and password of the admin user. Enables "Login As" feature. -$rcmail_config['kolab_auth_admin_login'] = ''; -$rcmail_config['kolab_auth_admin_password'] = ''; +$config['kolab_auth_admin_login'] = ''; +$config['kolab_auth_admin_password'] = ''; // Enable audit logging for abuse of administrative privileges. -$rcmail_config['kolab_auth_auditlog'] = false; - -// Role field (from fieldmap configuration) -$rcmail_config['kolab_auth_role'] = 'role'; -// The required value for the role attribute to contain should the user be allowed -// to login as another user. -$rcmail_config['kolab_auth_role_value'] = ''; +$config['kolab_auth_auditlog'] = false; -// Administrative group name to which user must be assigned to -// which adds privilege to login as another user. -$rcmail_config['kolab_auth_group'] = ''; +// As set of rules to define the required rights on the target entry +// which allow an admin user to login as another user (the target). +// The effective rights value refers to either entry level attribute level rights: +// * entry:[read|add|delete] +// * attrib::[read|write|delete] +$config['kolab_auth_admin_rights'] = array( + // Roundcube task => required effective right + 'settings' => 'entry:read', + 'mail' => 'entry:delete', + 'addressbook' => 'entry:delete', + // or use a wildcard entry like this: + '*' => 'entry:read', +); // Enable plugins on a role-by-role basis. In this example, the 'acl' plugin // is enabled for people with a 'cn=professional-user,dc=mykolab,dc=ch' role. // // Note that this does NOT mean the 'acl' plugin is disabled for other people. -$rcmail_config['kolab_auth_role_plugins'] = Array( +$config['kolab_auth_role_plugins'] = Array( 'cn=professional-user,dc=mykolab,dc=ch' => Array( 'acl', ), ); // Settings on a role-by-role basis. In this example, the 'htmleditor' setting // is enabled(1) for people with a 'cn=professional-user,dc=mykolab,dc=ch' role, // and it cannot be overridden. Sample use-case: disable htmleditor for normal people, // do not allow the setting to be controlled through the preferences, enable the // html editor for professional users and allow them to override the setting in // the preferences. -$rcmail_config['kolab_auth_role_settings'] = Array( +$config['kolab_auth_role_settings'] = Array( 'cn=professional-user,dc=mykolab,dc=ch' => Array( 'htmleditor' => Array( 'mode' => 'override', 'value' => 1, 'allow_override' => true ), ), ); // List of LDAP addressbooks (keys of ldap_public configuration array) // for which base_dn variables (%dc, etc.) will be replaced according to authenticated user DN // Note: special name '*' for all LDAP addressbooks -$rcmail_config['kolab_auth_ldap_addressbooks'] = array('*'); +$config['kolab_auth_ldap_addressbooks'] = array('*'); ?> diff --git a/lib/plugins/kolab_auth/kolab_auth.php b/lib/plugins/kolab_auth/kolab_auth.php index 2b685a7..033d5b1 100644 --- a/lib/plugins/kolab_auth/kolab_auth.php +++ b/lib/plugins/kolab_auth/kolab_auth.php @@ -1,680 +1,788 @@ * * Copyright (C) 2011-2013, Kolab Systems AG * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Affero General Public License as * published by the Free Software Foundation, either version 3 of the * License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU Affero General Public License for more details. * * You should have received a copy of the GNU Affero General Public License * along with this program. If not, see . */ class kolab_auth extends rcube_plugin { static $ldap; private $username; private $data = array(); public function init() { $rcmail = rcube::get_instance(); $this->load_config(); $this->add_hook('authenticate', array($this, 'authenticate')); $this->add_hook('startup', array($this, 'startup')); $this->add_hook('user_create', array($this, 'user_create')); // Hook for password change $this->add_hook('password_ldap_bind', array($this, 'password_ldap_bind')); // Hooks related to "Login As" feature $this->add_hook('template_object_loginform', array($this, 'login_form')); $this->add_hook('storage_connect', array($this, 'imap_connect')); $this->add_hook('managesieve_connect', array($this, 'imap_connect')); $this->add_hook('smtp_connect', array($this, 'smtp_connect')); $this->add_hook('identity_form', array($this, 'identity_form')); // Hook to modify some configuration, e.g. ldap $this->add_hook('config_get', array($this, 'config_get')); // Hook to modify logging directory $this->add_hook('write_log', array($this, 'write_log')); $this->username = $_SESSION['username']; // Enable debug logs (per-user), when logged as another user if (!empty($_SESSION['kolab_auth_admin']) && $rcmail->config->get('kolab_auth_auditlog')) { $rcmail->config->set('debug_level', 1); $rcmail->config->set('devel_mode', true); $rcmail->config->set('smtp_log', true); $rcmail->config->set('log_logins', true); $rcmail->config->set('log_session', true); $rcmail->config->set('memcache_debug', true); $rcmail->config->set('imap_debug', true); $rcmail->config->set('ldap_debug', true); $rcmail->config->set('smtp_debug', true); $rcmail->config->set('sql_debug', true); // SQL debug need to be set directly on DB object // setting config variable will not work here because // the object is already initialized/configured if ($db = $rcmail->get_dbh()) { $db->set_debug(true); } } } + /** + * Startup hook handler + */ public function startup($args) { + // Check access rights when logged in as another user + if (!empty($_SESSION['kolab_auth_admin']) && $args['task'] != 'login' && $args['task'] != 'logout') { + // access to specified task is forbidden, + // redirect to the first task on the list + if (!empty($_SESSION['kolab_auth_allowed_tasks'])) { + $tasks = (array)$_SESSION['kolab_auth_allowed_tasks']; + if (!in_array($args['task'], $tasks) && !in_array('*', $tasks)) { + header('Location: ?_task=' . array_shift($tasks)); + die; + } + + // add script that will remove disabled taskbar buttons + if (!in_array('*', $tasks)) { + $this->add_hook('render_page', array($this, 'render_page')); + } + } + } + + // load per-user settings $this->load_user_role_plugins_and_settings(); return $args; } /** * Modify some configuration according to LDAP user record */ public function config_get($args) { // Replaces ldap_vars (%dc, etc) in public kolab ldap addressbooks // config based on the users base_dn. (for multi domain support) if ($args['name'] == 'ldap_public' && !empty($args['result'])) { $rcmail = rcube::get_instance(); $kolab_books = (array) $rcmail->config->get('kolab_auth_ldap_addressbooks'); foreach ($args['result'] as $name => $config) { if (in_array($name, $kolab_books) || in_array('*', $kolab_books)) { - $args['result'][$name]['base_dn'] = self::parse_ldap_vars($config['base_dn']); - $args['result'][$name]['search_base_dn'] = self::parse_ldap_vars($config['search_base_dn']); - $args['result'][$name]['bind_dn'] = str_replace('%dn', $_SESSION['kolab_dn'], $config['bind_dn']); - - if (!empty($config['groups'])) { - $args['result'][$name]['groups']['base_dn'] = self::parse_ldap_vars($config['groups']['base_dn']); - } + $args['result'][$name] = $this->patch_ldap_config($config); } } } + else if ($args['name'] == 'kolab_users_directory' && !empty($args['result'])) { + $args['result'] = $this->patch_ldap_config($args['result']); + } return $args; } + /** + * Helper method to patch the given LDAP directory config with user-specific values + */ + protected function patch_ldap_config($config) + { + if (is_array($config)) { + $config['base_dn'] = self::parse_ldap_vars($config['base_dn']); + $config['search_base_dn'] = self::parse_ldap_vars($config['search_base_dn']); + $config['bind_dn'] = str_replace('%dn', $_SESSION['kolab_dn'], $config['bind_dn']); + + if (!empty($config['groups'])) { + $config['groups']['base_dn'] = self::parse_ldap_vars($config['groups']['base_dn']); + } + } + + return $config; + } + /** * Modifies list of plugins and settings according to * specified LDAP roles */ public function load_user_role_plugins_and_settings() { if (empty($_SESSION['user_roledns'])) { return; } $rcmail = rcube::get_instance(); // Example 'kolab_auth_role_plugins' = // // Array( // '' => Array('plugin1', 'plugin2'), // ); // // NOTE that may in fact be something like: 'cn=role,%dc' $role_plugins = $rcmail->config->get('kolab_auth_role_plugins'); // Example $rcmail_config['kolab_auth_role_settings'] = // // Array( // '' => Array( // '$setting' => Array( // 'mode' => '(override|merge)', (default: override) // 'value' => <>, // 'allow_override' => (true|false) (default: false) // ), // ), // ); // // NOTE that may in fact be something like: 'cn=role,%dc' $role_settings = $rcmail->config->get('kolab_auth_role_settings'); if (!empty($role_plugins)) { foreach ($role_plugins as $role_dn => $plugins) { $role_dn = self::parse_ldap_vars($role_dn); if (!empty($role_plugins[$role_dn])) { $role_plugins[$role_dn] = array_unique(array_merge((array)$role_plugins[$role_dn], $plugins)); } else { $role_plugins[$role_dn] = $plugins; } } } if (!empty($role_settings)) { foreach ($role_settings as $role_dn => $settings) { $role_dn = self::parse_ldap_vars($role_dn); if (!empty($role_settings[$role_dn])) { $role_settings[$role_dn] = array_merge((array)$role_settings[$role_dn], $settings); } else { $role_settings[$role_dn] = $settings; } } } foreach ($_SESSION['user_roledns'] as $role_dn) { if (!empty($role_settings[$role_dn]) && is_array($role_settings[$role_dn])) { foreach ($role_settings[$role_dn] as $setting_name => $setting) { if (!isset($setting['mode'])) { $setting['mode'] = 'override'; } if ($setting['mode'] == "override") { $rcmail->config->set($setting_name, $setting['value']); } elseif ($setting['mode'] == "merge") { $orig_setting = $rcmail->config->get($setting_name); if (!empty($orig_setting)) { if (is_array($orig_setting)) { $rcmail->config->set($setting_name, array_merge($orig_setting, $setting['value'])); } } else { $rcmail->config->set($setting_name, $setting['value']); } } $dont_override = (array) $rcmail->config->get('dont_override'); if (empty($setting['allow_override'])) { $rcmail->config->set('dont_override', array_merge($dont_override, array($setting_name))); } else { if (in_array($setting_name, $dont_override)) { $_dont_override = array(); foreach ($dont_override as $_setting) { if ($_setting != $setting_name) { $_dont_override[] = $_setting; } } $rcmail->config->set('dont_override', $_dont_override); } } if ($setting_name == 'skin') { if ($rcmail->output->type == 'html') { $rcmail->output->set_skin($setting['value']); $rcmail->output->set_env('skin', $setting['value']); } } } } if (!empty($role_plugins[$role_dn])) { foreach ((array)$role_plugins[$role_dn] as $plugin) { $this->api->load_plugin($plugin); } } } } /** * Logging method replacement to print debug/errors into * a separate (sub)folder for each user */ public function write_log($args) { $rcmail = rcube::get_instance(); if ($rcmail->config->get('log_driver') == 'syslog') { return $args; } // log_driver == 'file' is assumed here $log_dir = $rcmail->config->get('log_dir', RCUBE_INSTALL_PATH . 'logs'); // Append original username + target username for audit-logging if ($rcmail->config->get('kolab_auth_auditlog') && !empty($_SESSION['kolab_auth_admin'])) { $args['dir'] = $log_dir . '/' . strtolower($_SESSION['kolab_auth_admin']) . '/' . strtolower($this->username); // Attempt to create the directory if (!is_dir($args['dir'])) { @mkdir($args['dir'], 0750, true); } } // Define the user log directory if a username is provided else if ($rcmail->config->get('per_user_logging') && !empty($this->username)) { $user_log_dir = $log_dir . '/' . strtolower($this->username); if (is_writable($user_log_dir)) { $args['dir'] = $user_log_dir; } else if ($args['name'] != 'errors') { $args['abort'] = true; // don't log if unauthenticed } } return $args; } /** * Sets defaults for new user. */ public function user_create($args) { if (!empty($this->data['user_email'])) { // addresses list is supported if (array_key_exists('email_list', $args)) { $email_list = array_unique($this->data['user_email']); // add organization to the list if (!empty($this->data['user_organization'])) { foreach ($email_list as $idx => $email) { $email_list[$idx] = array( 'organization' => $this->data['user_organization'], 'email' => $email, ); } } $args['email_list'] = $email_list; } else { $args['user_email'] = $this->data['user_email'][0]; } } if (!empty($this->data['user_name'])) { $args['user_name'] = $this->data['user_name']; } return $args; } /** * Modifies login form adding additional "Login As" field */ public function login_form($args) { $this->add_texts('localization/'); $rcmail = rcube::get_instance(); $admin_login = $rcmail->config->get('kolab_auth_admin_login'); $group = $rcmail->config->get('kolab_auth_group'); $role_attr = $rcmail->config->get('kolab_auth_role'); // Show "Login As" input if (empty($admin_login) || (empty($group) && empty($role_attr))) { return $args; } $input = new html_inputfield(array('name' => '_loginas', 'id' => 'rcmloginas', 'type' => 'text', 'autocomplete' => 'off')); $row = html::tag('tr', null, html::tag('td', 'title', html::label('rcmloginas', Q($this->gettext('loginas')))) . html::tag('td', 'input', $input->show(trim(rcube_utils::get_input_value('_loginas', rcube_utils::INPUT_POST)))) ); $args['content'] = preg_replace('/<\/tbody>/i', $row . '', $args['content']); return $args; } /** * Find user credentials In LDAP. */ public function authenticate($args) { // get username and host $host = $args['host']; $user = $args['user']; $pass = $args['pass']; $loginas = trim(rcube_utils::get_input_value('_loginas', rcube_utils::INPUT_POST)); if (empty($user) || empty($pass)) { $args['abort'] = true; return $args; } // temporarily set the current username to the one submitted $this->username = $user; $ldap = self::ldap(); if (!$ldap || !$ldap->ready) { $args['abort'] = true; $args['kolab_ldap_error'] = true; $message = sprintf( 'Login failure for user %s from %s in session %s (error %s)', $user, rcube_utils::remote_ip(), session_id(), "LDAP not ready" ); rcube::write_log('userlogins', $message); return $args; } // Find user record in LDAP $record = $ldap->get_user_record($user, $host); if (empty($record)) { $args['abort'] = true; $message = sprintf( 'Login failure for user %s from %s in session %s (error %s)', $user, rcube_utils::remote_ip(), session_id(), "No user record found" ); rcube::write_log('userlogins', $message); return $args; } $rcmail = rcube::get_instance(); $admin_login = $rcmail->config->get('kolab_auth_admin_login'); $admin_pass = $rcmail->config->get('kolab_auth_admin_password'); $login_attr = $rcmail->config->get('kolab_auth_login'); $name_attr = $rcmail->config->get('kolab_auth_name'); $email_attr = $rcmail->config->get('kolab_auth_email'); $org_attr = $rcmail->config->get('kolab_auth_organization'); $role_attr = $rcmail->config->get('kolab_auth_role'); $imap_attr = $rcmail->config->get('kolab_auth_mailhost'); if (!empty($role_attr) && !empty($record[$role_attr])) { $_SESSION['user_roledns'] = (array)($record[$role_attr]); } if (!empty($imap_attr) && !empty($record[$imap_attr])) { $default_host = $rcmail->config->get('default_host'); if (!empty($default_host)) { rcube::write_log("errors", "Both default host and kolab_auth_mailhost set. Incompatible."); } else { $args['host'] = "tls://" . $record[$imap_attr]; } } // Login As... if (!empty($loginas) && $admin_login) { // Authenticate to LDAP $result = $ldap->bind($record['dn'], $pass); if (!$result) { $args['abort'] = true; $message = sprintf( 'Login failure for user %s from %s in session %s (error %s)', $user, rcube_utils::remote_ip(), session_id(), "Unable to bind with '" . $record['dn'] . "'" ); rcube::write_log('userlogins', $message); return $args; } - // check if the original user has/belongs to administrative role/group $isadmin = false; - $group = $rcmail->config->get('kolab_auth_group'); - $role_dn = $rcmail->config->get('kolab_auth_role_value'); - - // check role attribute - if (!empty($role_attr) && !empty($role_dn) && !empty($record[$role_attr])) { - $role_dn = $ldap->parse_vars($role_dn, $user, $host); - if (in_array($role_dn, (array)$record[$role_attr])) { - $isadmin = true; + $admin_rights = $rcmail->config->get('kolab_auth_admin_rights', array()); + + // @deprecated: fall-back to the old check if the original user has/belongs to administrative role/group + if (empty($admin_rights)) { + $group = $rcmail->config->get('kolab_auth_group'); + $role_dn = $rcmail->config->get('kolab_auth_role_value'); + + // check role attribute + if (!empty($role_attr) && !empty($role_dn) && !empty($record[$role_attr])) { + $role_dn = $ldap->parse_vars($role_dn, $user, $host); + if (in_array($role_dn, (array)$record[$role_attr])) { + $isadmin = true; + } + } + + // check group + if (!$isadmin && !empty($group)) { + $groups = $ldap->get_user_groups($record['dn'], $user, $host); + if (in_array($group, $groups)) { + $isadmin = true; + } + } + + if ($isadmin) { + // user has admin privileges privilage, get "login as" user credentials + $target_entry = $ldap->get_user_record($loginas, $host); + $allowed_tasks = $rcmail->config->get('kolab_auth_allowed_tasks'); } } + else { + // get "login as" user credentials + $target_entry = $ldap->get_user_record($loginas, $host); + + if (!empty($target_entry)) { + // get effective rights to determine login-as permissions + $effective_rights = (array)$ldap->effective_rights($target_entry['dn']); + + if (!empty($effective_rights)) { + $effective_rights['attrib'] = $effective_rights['attributeLevelRights']; + $effective_rights['entry'] = $effective_rights['entryLevelRights']; + + // compare the rights with the permissions mapping + $allowed_tasks = array(); + foreach ($admin_rights as $task => $perms) { + $perms_ = explode(':', $perms); + $type = array_shift($perms_); + $req = array_pop($perms_); + $attrib = array_pop($perms_); + + if (array_key_exists($type, $effective_rights)) { + if ($type == 'entry' && in_array($req, $effective_rights[$type])) { + $allowed_tasks[] = $task; + } + else if ($type == 'attrib' && array_key_exists($attrib, $effective_rights[$type]) && + in_array($req, $effective_rights[$type][$attrib])) { + $allowed_tasks[] = $task; + } + } + } - // check group - if (!$isadmin && !empty($group)) { - $groups = $ldap->get_user_groups($record['dn'], $user, $host); - if (in_array($group, $groups)) { - $isadmin = true; + $isadmin = !empty($allowed_tasks); + } } } // Save original user login for log (see below) if ($login_attr) { $origname = is_array($record[$login_attr]) ? $record[$login_attr][0] : $record[$login_attr]; } else { $origname = $user; } - $record = null; - - // user has the privilage, get "login as" user credentials - if ($isadmin) { - $record = $ldap->get_user_record($loginas, $host); - } + if (!$isadmin || empty($target_entry)) { + $this->add_texts('localization/'); - if (empty($record)) { $args['abort'] = true; + $args['error'] = $this->gettext(array( + 'name' => 'loginasnotallowed', + 'vars' => array('user' => Q($loginas)), + )); + $message = sprintf( 'Login failure for user %s (as user %s) from %s in session %s (error %s)', $user, $loginas, rcube_utils::remote_ip(), session_id(), - "No user record found for '" . $loginas . "'" + "No privileges to login as '" . $loginas . "'" ); rcube::write_log('userlogins', $message); return $args; } + // replace $record with target entry + $record = $target_entry; + $args['user'] = $this->username = $loginas; // Mark session to use SASL proxy for IMAP authentication $_SESSION['kolab_auth_admin'] = strtolower($origname); $_SESSION['kolab_auth_login'] = $rcmail->encrypt($admin_login); $_SESSION['kolab_auth_password'] = $rcmail->encrypt($admin_pass); + $_SESSION['kolab_auth_allowed_tasks'] = $allowed_tasks; } // Store UID and DN of logged user in session for use by other plugins $_SESSION['kolab_uid'] = is_array($record['uid']) ? $record['uid'][0] : $record['uid']; $_SESSION['kolab_dn'] = $record['dn']; // Store LDAP replacement variables used for current user // This improves performance of load_user_role_plugins_and_settings() // which is executed on every request (via startup hook) and where // we don't like to use LDAP (connection + bind + search) $_SESSION['kolab_auth_vars'] = $ldap->get_parse_vars(); // Set user login if ($login_attr) { $this->data['user_login'] = is_array($record[$login_attr]) ? $record[$login_attr][0] : $record[$login_attr]; } if ($this->data['user_login']) { $args['user'] = $this->username = $this->data['user_login']; } // User name for identity (first log in) foreach ((array)$name_attr as $field) { $name = is_array($record[$field]) ? $record[$field][0] : $record[$field]; if (!empty($name)) { $this->data['user_name'] = $name; break; } } // User email(s) for identity (first log in) foreach ((array)$email_attr as $field) { $email = is_array($record[$field]) ? array_filter($record[$field]) : $record[$field]; if (!empty($email)) { $this->data['user_email'] = array_merge((array)$this->data['user_email'], (array)$email); } } // Organization name for identity (first log in) foreach ((array)$org_attr as $field) { $organization = is_array($record[$field]) ? $record[$field][0] : $record[$field]; if (!empty($organization)) { $this->data['user_organization'] = $organization; break; } } // Log "Login As" usage if (!empty($origname)) { rcube::write_log('userlogins', sprintf('Admin login for %s by %s from %s', $args['user'], $origname, rcube_utils::remote_ip())); } // load per-user settings/plugins $this->load_user_role_plugins_and_settings(); return $args; } /** * Set user DN for password change (password plugin with ldap_simple driver) */ public function password_ldap_bind($args) { $args['user_dn'] = $_SESSION['kolab_dn']; $rcmail = rcube::get_instance(); $rcmail->config->set('password_ldap_method', 'user'); return $args; } /** * Sets SASL Proxy login/password for IMAP and Managesieve auth */ public function imap_connect($args) { if (!empty($_SESSION['kolab_auth_admin'])) { $rcmail = rcube::get_instance(); $admin_login = $rcmail->decrypt($_SESSION['kolab_auth_login']); $admin_pass = $rcmail->decrypt($_SESSION['kolab_auth_password']); $args['auth_cid'] = $admin_login; $args['auth_pw'] = $admin_pass; } return $args; } /** * Sets SASL Proxy login/password for SMTP auth */ public function smtp_connect($args) { if (!empty($_SESSION['kolab_auth_admin'])) { $rcmail = rcube::get_instance(); $admin_login = $rcmail->decrypt($_SESSION['kolab_auth_login']); $admin_pass = $rcmail->decrypt($_SESSION['kolab_auth_password']); $args['smtp_auth_cid'] = $admin_login; $args['smtp_auth_pw'] = $admin_pass; } return $args; } /** * Hook to replace the plain text input field for email address by a drop-down list * with all email addresses (including aliases) from this user's LDAP record. */ public function identity_form($args) { $rcmail = rcube::get_instance(); $ident_level = intval($rcmail->config->get('identities_level', 0)); // do nothing if email address modification is disabled if ($ident_level == 1 || $ident_level == 3) { return $args; } $ldap = self::ldap(); if (!$ldap || !$ldap->ready || empty($_SESSION['kolab_dn'])) { return $args; } $emails = array(); $user_record = $ldap->get_record($_SESSION['kolab_dn']); foreach ((array)$rcmail->config->get('kolab_auth_email', array()) as $col) { $values = rcube_addressbook::get_col_values($col, $user_record, true); if (!empty($values)) $emails = array_merge($emails, array_filter($values)); } // kolab_delegation might want to modify this addresses list $plugin = $rcmail->plugins->exec_hook('kolab_auth_emails', array('emails' => $emails)); $emails = $plugin['emails']; if (!empty($emails)) { $args['form']['addressing']['content']['email'] = array( 'type' => 'select', 'options' => array_combine($emails, $emails), ); } return $args; } + /** + * Action executed before the page is rendered to add an onload script + * that will remove all taskbar buttons for disabled tasks + */ + public function render_page($args) + { + $rcmail = rcube::get_instance(); + $tasks = (array)$_SESSION['kolab_auth_allowed_tasks']; + $tasks[] = 'logout'; + + // disable buttons in taskbar + $script = " + \$('a').filter(function() { + var ev = \$(this).attr('onclick'); + return ev && ev.match(/'switch-task','([a-z]+)'/) + && \$.inArray(RegExp.\$1, " . json_encode($tasks) . ") < 0; + }).remove(); + "; + + $rcmail->output->add_script($script, 'docready'); + } + /** * Initializes LDAP object and connects to LDAP server */ public static function ldap() { if (self::$ldap) { return self::$ldap; } $rcmail = rcube::get_instance(); $addressbook = $rcmail->config->get('kolab_auth_addressbook'); if (!is_array($addressbook)) { $ldap_config = (array)$rcmail->config->get('ldap_public'); $addressbook = $ldap_config[$addressbook]; } if (empty($addressbook)) { return null; } require_once __DIR__ . '/kolab_auth_ldap.php'; self::$ldap = new kolab_auth_ldap($addressbook); return self::$ldap; } /** * Parses LDAP DN string with replacing supported variables. * See kolab_auth_ldap::parse_vars() * * @param string $str LDAP DN string * * @return string Parsed DN string */ public static function parse_ldap_vars($str) { if (!empty($_SESSION['kolab_auth_vars'])) { $str = strtr($str, $_SESSION['kolab_auth_vars']); } return $str; } } diff --git a/lib/plugins/kolab_auth/kolab_auth_ldap.php b/lib/plugins/kolab_auth/kolab_auth_ldap.php index 303bbf3..431133b 100644 --- a/lib/plugins/kolab_auth/kolab_auth_ldap.php +++ b/lib/plugins/kolab_auth/kolab_auth_ldap.php @@ -1,550 +1,548 @@ * * Copyright (C) 2011-2013, Kolab Systems AG * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Affero General Public License as * published by the Free Software Foundation, either version 3 of the * License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU Affero General Public License for more details. * * You should have received a copy of the GNU Affero General Public License * along with this program. If not, see . */ /** * Wrapper class for rcube_ldap_generic */ class kolab_auth_ldap extends rcube_ldap_generic { private $icache = array(); private $conf = array(); private $fieldmap = array(); function __construct($p) { $rcmail = rcube::get_instance(); $this->conf = $p; $this->conf['kolab_auth_user_displayname'] = $rcmail->config->get('kolab_auth_user_displayname', '{name}'); $this->fieldmap = $p['fieldmap']; $this->fieldmap['uid'] = 'uid'; $p['attributes'] = array_values($this->fieldmap); $p['debug'] = (bool) $rcmail->config->get('ldap_debug'); // Connect to the server (with bind) parent::__construct($p); $this->_connect(); $rcmail->add_shutdown_function(array($this, 'close')); } /** * Establish a connection to the LDAP server */ private function _connect() { - $rcube = rcube::get_instance(); - // try to connect + bind for every host configured // with OpenLDAP 2.x ldap_connect() always succeeds but ldap_bind will fail if host isn't reachable // see http://www.php.net/manual/en/function.ldap-connect.php foreach ((array)$this->config['hosts'] as $host) { // skip host if connection failed if (!$this->connect($host)) { continue; } $bind_pass = $this->config['bind_pass']; $bind_user = $this->config['bind_user']; $bind_dn = $this->config['bind_dn']; if (empty($bind_pass)) { $this->ready = true; } else { if (!empty($bind_dn)) { $this->ready = $this->bind($bind_dn, $bind_pass); } else if (!empty($this->config['auth_cid'])) { $this->ready = $this->sasl_bind($this->config['auth_cid'], $bind_pass, $bind_user); } else { $this->ready = $this->sasl_bind($bind_user, $bind_pass); } } // connection established, we're done here if ($this->ready) { break; } } // end foreach hosts if (!is_resource($this->conn)) { rcube::raise_error(array('code' => 100, 'type' => 'ldap', 'file' => __FILE__, 'line' => __LINE__, 'message' => "Could not connect to any LDAP server, last tried $host"), true); $this->ready = false; } return $this->ready; } /** * Fetches user data from LDAP addressbook */ function get_user_record($user, $host) { $rcmail = rcube::get_instance(); $filter = $rcmail->config->get('kolab_auth_filter'); $filter = $this->parse_vars($filter, $user, $host); $base_dn = $this->parse_vars($this->config['base_dn'], $user, $host); $scope = $this->config['scope']; // @TODO: print error if filter is empty // get record if ($result = parent::search($base_dn, $filter, $scope, $this->attributes)) { if ($result->count() == 1) { $entries = $result->entries(true); $dn = key($entries); $entry = array_pop($entries); $entry = $this->field_mapping($dn, $entry); return $entry; } } } /** * Fetches user data from LDAP addressbook */ function get_user_groups($dn, $user, $host) { if (empty($dn) || empty($this->config['groups'])) { return array(); } $base_dn = $this->parse_vars($this->config['groups']['base_dn'], $user, $host); $name_attr = $this->config['groups']['name_attr'] ? $this->config['groups']['name_attr'] : 'cn'; $member_attr = $this->get_group_member_attr(); $filter = "(member=$dn)(uniqueMember=$dn)"; if ($member_attr != 'member' && $member_attr != 'uniqueMember') $filter .= "($member_attr=$dn)"; $filter = strtr("(|$filter)", array("\\" => "\\\\")); $result = parent::search($base_dn, $filter, 'sub', array('dn', $name_attr)); if (!$result) { return array(); } $groups = array(); foreach ($result as $entry) { + $dn = $entry['dn']; $entry = rcube_ldap_generic::normalize_entry($entry); - if (!$entry['dn']) { - $entry['dn'] = key($result->entries(true)); - } - $groups[$entry['dn']] = $entry[$name_attr]; + + $groups[$dn] = $entry[$name_attr]; } return $groups; } /** * Get a specific LDAP record * * @param string DN * * @return array Record data */ function get_record($dn) { if (!$this->ready) { return; } if ($rec = $this->get_entry($dn)) { $rec = rcube_ldap_generic::normalize_entry($rec); $rec = $this->field_mapping($dn, $rec); } return $rec; } /** * Replace LDAP record data items * * @param string $dn DN * @param array $entry LDAP entry * * return bool True on success, False on failure */ function replace($dn, $entry) { // fields mapping foreach ($this->fieldmap as $field => $attr) { if (array_key_exists($field, $entry)) { $entry[$attr] = $entry[$field]; if ($attr != $field) { unset($entry[$field]); } } } return $this->mod_replace($dn, $entry); } /** * Search records (simplified version of rcube_ldap::search) * * @param mixed $fields The field name or array of field names to search in * @param mixed $value Search value (or array of values when $fields is array) * @param int $mode Matching mode: * 0 - partial (*abc*), * 1 - strict (=), * 2 - prefix (abc*) * @param array $required List of fields that cannot be empty * @param int $limit Number of records * @param int $count Returns the number of records found * * @return array List or false on error */ function dosearch($fields, $value, $mode=1, $required = array(), $limit = 0, &$count = 0) { if (empty($fields)) { return array(); } $mode = intval($mode); // use AND operator for advanced searches $filter = is_array($value) ? '(&' : '(|'; // set wildcards $wp = $ws = ''; if (!empty($this->config['fuzzy_search']) && $mode != 1) { $ws = '*'; if (!$mode) { $wp = '*'; } } foreach ((array)$fields as $idx => $field) { $val = is_array($value) ? $value[$idx] : $value; $attrs = (array) $this->fieldmap[$field]; if (empty($attrs)) { $filter .= "($field=$wp" . rcube_ldap_generic::quote_string($val) . "$ws)"; } else { if (count($attrs) > 1) $filter .= '(|'; foreach ($attrs as $f) $filter .= "($f=$wp" . rcube_ldap_generic::quote_string($val) . "$ws)"; if (count($attrs) > 1) $filter .= ')'; } } $filter .= ')'; // add required (non empty) fields filter $req_filter = ''; foreach ((array)$required as $field) { if (in_array($field, (array)$fields)) // required field is already in search filter continue; $attrs = (array) $this->fieldmap[$field]; if (empty($attrs)) { $req_filter .= "($field=*)"; } else { if (count($attrs) > 1) $req_filter .= '(|'; foreach ($attrs as $f) $req_filter .= "($f=*)"; if (count($attrs) > 1) $req_filter .= ')'; } } if (!empty($req_filter)) { $filter = '(&' . $req_filter . $filter . ')'; } // avoid double-wildcard if $value is empty $filter = preg_replace('/\*+/', '*', $filter); // add general filter to query if (!empty($this->config['filter'])) { $filter = '(&(' . preg_replace('/^\(|\)$/', '', $this->config['filter']) . ')' . $filter . ')'; } $base_dn = $this->parse_vars($this->config['base_dn']); $scope = $this->config['scope']; $attrs = array_values($this->fieldmap); $list = array(); if ($result = $this->search($base_dn, $filter, $scope, $attrs)) { $count = $result->count(); $i = 0; foreach ($result as $entry) { if ($limit && $limit <= $i) { break; } - $dn = key($result->entries(true)); + + $dn = $entry['dn']; $entry = rcube_ldap_generic::normalize_entry($entry); $list[$dn] = $this->field_mapping($dn, $entry); $i++; } } return $list; } /** * Set filter used in search() */ function set_filter($filter) { $this->config['filter'] = $filter; } /** * Maps LDAP attributes to defined fields */ protected function field_mapping($dn, $entry) { $entry['dn'] = $dn; // fields mapping foreach ($this->fieldmap as $field => $attr) { // $entry might be indexed by lower-case attribute names $attr_lc = strtolower($attr); if (isset($entry[$attr_lc])) { $entry[$field] = $entry[$attr_lc]; } else if (isset($entry[$attr])) { $entry[$field] = $entry[$attr]; } } // compose display name according to config if (empty($this->fieldmap['displayname'])) { $entry['displayname'] = rcube_addressbook::compose_search_name( $entry, $entry['email'], $entry['name'], $this->conf['kolab_auth_user_displayname'] ); } return $entry; } /** * Detects group member attribute name */ private function get_group_member_attr($object_classes = array()) { if (empty($object_classes)) { $object_classes = $this->config['groups']['object_classes']; } if (!empty($object_classes)) { foreach ((array)$object_classes as $oc) { switch (strtolower($oc)) { case 'group': case 'groupofnames': case 'kolabgroupofnames': $member_attr = 'member'; break; case 'groupofuniquenames': case 'kolabgroupofuniquenames': $member_attr = 'uniqueMember'; break; } } } if (!empty($member_attr)) { return $member_attr; } if (!empty($this->config['groups']['member_attr'])) { return $this->config['groups']['member_attr']; } return 'member'; } /** * Prepares filter query for LDAP search */ function parse_vars($str, $user = null, $host = null) { // When authenticating user $user is always set // if not set it means we use this LDAP object for other // purposes, e.g. kolab_delegation, then username with // correct domain is in a session if (!$user) { $user = $_SESSION['username']; } if (isset($this->icache[$user])) { list($user, $dc) = $this->icache[$user]; } else { $orig_user = $user; $rcmail = rcube::get_instance(); // get default domain if ($username_domain = $rcmail->config->get('username_domain')) { if ($host && is_array($username_domain) && isset($username_domain[$host])) { $domain = rcube_utils::parse_host($username_domain[$host], $host); } else if (is_string($username_domain)) { $domain = rcube_utils::parse_host($username_domain, $host); } } // realmed username (with domain) if (strpos($user, '@')) { list($usr, $dom) = explode('@', $user); // unrealm domain, user login can contain a domain alias if ($dom != $domain && ($dc = $this->find_domain($dom))) { // @FIXME: we should replace domain in $user, I suppose } } else if ($domain) { $user .= '@' . $domain; } $this->icache[$orig_user] = array($user, $dc); } // replace variables in filter list($u, $d) = explode('@', $user); // hierarchal domain string if (empty($dc)) { $dc = 'dc=' . strtr($d, array('.' => ',dc=')); } $replaces = array('%dc' => $dc, '%d' => $d, '%fu' => $user, '%u' => $u); $this->parse_replaces = $replaces; return strtr($str, $replaces); } /** * Find root domain for specified domain * * @param string $domain Domain name * * @return string Domain DN string */ function find_domain($domain) { if (empty($domain) || empty($this->config['domain_base_dn']) || empty($this->config['domain_filter'])) { return null; } $base_dn = $this->config['domain_base_dn']; $filter = $this->config['domain_filter']; $name_attr = $this->config['domain_name_attribute']; if (empty($name_attr)) { $name_attr = 'associateddomain'; } $filter = str_replace('%s', rcube_ldap_generic::quote_string($domain), $filter); $result = parent::search($base_dn, $filter, 'sub', array($name_attr, 'inetdomainbasedn')); if (!$result) { return null; } $entries = $result->entries(true); $entry_dn = key($entries); $entry = $entries[$entry_dn]; if (is_array($entry)) { if (!empty($entry['inetdomainbasedn'])) { return $entry['inetdomainbasedn']; } $domain = is_array($entry[$name_attr]) ? $entry[$name_attr][0] : $entry[$name_attr]; return $domain ? 'dc=' . implode(',dc=', explode('.', $domain)) : null; } } /** * Returns variables used for replacement in (last) parse_vars() call * * @return array Variable-value hash array */ public function get_parse_vars() { return $this->parse_replaces; } /** * Register additional fields */ public function extend_fieldmap($map) { foreach ((array)$map as $name => $attr) { if (!in_array($attr, $this->attributes)) { $this->attributes[] = $attr; $this->fieldmap[$name] = $attr; } } } /** * HTML-safe DN string encoding * * @param string $str DN string * * @return string Encoded HTML identifier string */ static function dn_encode($str) { return rtrim(strtr(base64_encode($str), '+/', '-_'), '='); } /** * Decodes DN string encoded with _dn_encode() * * @param string $str Encoded HTML identifier string * * @return string DN string */ static function dn_decode($str) { $str = str_pad(strtr($str, '-_', '+/'), strlen($str) % 4, '=', STR_PAD_RIGHT); return base64_decode($str); } } diff --git a/lib/plugins/kolab_auth/localization/de_CH.inc b/lib/plugins/kolab_auth/localization/de_CH.inc index 5e85a01..0332070 100644 --- a/lib/plugins/kolab_auth/localization/de_CH.inc +++ b/lib/plugins/kolab_auth/localization/de_CH.inc @@ -1,3 +1,10 @@ diff --git a/lib/plugins/kolab_auth/localization/de_DE.inc b/lib/plugins/kolab_auth/localization/de_DE.inc index 5e85a01..3918e6e 100644 --- a/lib/plugins/kolab_auth/localization/de_DE.inc +++ b/lib/plugins/kolab_auth/localization/de_DE.inc @@ -1,3 +1,11 @@ diff --git a/lib/plugins/kolab_auth/localization/en_US.inc b/lib/plugins/kolab_auth/localization/en_US.inc index 2a7b246..4882bdc 100644 --- a/lib/plugins/kolab_auth/localization/en_US.inc +++ b/lib/plugins/kolab_auth/localization/en_US.inc @@ -1,13 +1,14 @@ diff --git a/lib/plugins/kolab_auth/localization/fr_FR.inc b/lib/plugins/kolab_auth/localization/fr_FR.inc index 6f72695..6538f5b 100644 --- a/lib/plugins/kolab_auth/localization/fr_FR.inc +++ b/lib/plugins/kolab_auth/localization/fr_FR.inc @@ -1,3 +1,11 @@ diff --git a/lib/plugins/kolab_auth/localization/ja_JP.inc b/lib/plugins/kolab_auth/localization/ja_JP.inc index ed0358a..e360737 100644 --- a/lib/plugins/kolab_auth/localization/ja_JP.inc +++ b/lib/plugins/kolab_auth/localization/ja_JP.inc @@ -1,3 +1,10 @@ diff --git a/lib/plugins/kolab_auth/localization/nl_NL.inc b/lib/plugins/kolab_auth/localization/nl_NL.inc index a98283f..ea3a1c0 100644 --- a/lib/plugins/kolab_auth/localization/nl_NL.inc +++ b/lib/plugins/kolab_auth/localization/nl_NL.inc @@ -1,3 +1,10 @@ diff --git a/lib/plugins/kolab_auth/localization/pl_PL.inc b/lib/plugins/kolab_auth/localization/pl_PL.inc index 124c373..ca67859 100644 --- a/lib/plugins/kolab_auth/localization/pl_PL.inc +++ b/lib/plugins/kolab_auth/localization/pl_PL.inc @@ -1,3 +1,10 @@ diff --git a/lib/plugins/kolab_auth/localization/ru_RU.inc b/lib/plugins/kolab_auth/localization/ru_RU.inc index 9e28c12..ac9e5a7 100644 --- a/lib/plugins/kolab_auth/localization/ru_RU.inc +++ b/lib/plugins/kolab_auth/localization/ru_RU.inc @@ -1,3 +1,11 @@ diff --git a/lib/plugins/kolab_auth/package.xml b/lib/plugins/kolab_auth/package.xml deleted file mode 100644 index 5a2093b..0000000 --- a/lib/plugins/kolab_auth/package.xml +++ /dev/null @@ -1,63 +0,0 @@ - - - kolab_auth - http://git.kolab.org/roundcubemail-plugins-kolab/ - Kolab Authentication - - Authenticates on LDAP server, finds canonized authentication ID for IMAP - and for new users creates identity based on LDAP information. - Supports impersonate feature (login as another user). To use this feature - imap_auth_type/smtp_auth_type must be set to DIGEST-MD5 or PLAIN. - - - Aleksander Machniak - machniak - machniak@kolabsys.com - yes - - 2013-10-04 - - 1.0 - 1.0 - - - stable - stable - - GNU AGPLv3 - - - - - - - - - - - - - - - - - - - - - - - - - - 5.2.1 - - - 1.7.0 - - - - - diff --git a/lib/plugins/libkolab/composer.json b/lib/plugins/kolab_folders/composer.json similarity index 52% copy from lib/plugins/libkolab/composer.json copy to lib/plugins/kolab_folders/composer.json index 8926037..a4a9877 100644 --- a/lib/plugins/libkolab/composer.json +++ b/lib/plugins/kolab_folders/composer.json @@ -1,30 +1,26 @@ { - "name": "kolab/libkolab", + "name": "kolab/kolab_folders", "type": "roundcube-plugin", - "description": "Plugin to setup a basic environment for the interaction with a Kolab server.", + "description": "Type-aware folder management/listing for Kolab", "homepage": "http://git.kolab.org/roundcubemail-plugins-kolab/", "license": "AGPLv3", - "version": "1.1.0", + "version": "3.2.3", "authors": [ { - "name": "Thomas Bruederli", - "email": "bruederli@kolabsys.com", - "role": "Lead" - }, - { - "name": "Alensader Machniak", + "name": "Aleksander Machniak", "email": "machniak@kolabsys.com", - "role": "Developer" + "role": "Lead" } ], "repositories": [ { "type": "composer", "url": "http://plugins.roundcube.net" } ], "require": { "php": ">=5.3.0", - "roundcube/plugin-installer": ">=0.1.3" + "roundcube/plugin-installer": ">=0.1.3", + "kolab/libkolab": ">=3.2.3" } } diff --git a/lib/plugins/kolab_folders/config.inc.php.dist b/lib/plugins/kolab_folders/config.inc.php.dist index ffa1e15..0c9bd12 100644 --- a/lib/plugins/kolab_folders/config.inc.php.dist +++ b/lib/plugins/kolab_folders/config.inc.php.dist @@ -1,38 +1,36 @@ +$config['kolab_folders_mail_outbox'] = ''; +$config['kolab_folders_mail_junkemail'] = ''; diff --git a/lib/plugins/kolab_folders/kolab_folders.js b/lib/plugins/kolab_folders/kolab_folders.js index ac50543..b9d9225 100644 --- a/lib/plugins/kolab_folders/kolab_folders.js +++ b/lib/plugins/kolab_folders/kolab_folders.js @@ -1,149 +1,125 @@ /** * Client script for the Kolab folder management/listing extension * * @author Aleksander Machniak * * @licstart The following is the entire license notice for the * JavaScript code in this file. * * Copyright (C) 2011, Kolab Systems AG * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Affero General Public License as * published by the Free Software Foundation, either version 3 of the * License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU Affero General Public License for more details. * * You should have received a copy of the GNU Affero General Public License * along with this program. If not, see . * * @licend The above is the entire license notice * for the JavaScript code in this file. */ window.rcmail && rcmail.env.action == 'folders' && rcmail.addEventListener('init', function() { var filter = $(rcmail.gui_objects.foldersfilter), optgroup = $('').attr('label', rcmail.gettext('kolab_folders.folderctype')); // remove disabled namespaces filter.children('option').each(function(i, opt) { $.each(rcmail.env.skip_roots || [], function() { if (opt.value == this) { $(opt).remove(); } }); }); // add type options to the filter $.each(rcmail.env.foldertypes, function() { optgroup.append($(''); - // For non-mail folders we must hide mail-specific subtypes - $('option', sub).each(function() { - var opt = $(this), val = opt.val(); - if (val == '') - return; - // there's no mail.default - if (val == 'default' && type != 'mail') { - opt.show(); - return; - }; - - if (type == 'mail' && val != 'default') - opt.show(); - else if (bw.ie) - opt.remove(); - else - opt.hide(); + // append available subtypes for the given folder type + $.each(subtypes, function(val, label) { + $('