Commit Graph

5778 Commits

Author SHA1 Message Date
master3395
b9b24dd687 FTP: path normalization, post-create directory edit, enable/disable
- Resolve FTP home paths without duplicating /home/domain; support absolute paths under site home
- Add changeFTPDirectory API and list UI; improve create form path help
- Add setFTPAccountStatus (Status 0/1) with Enable/Disable on list page
- Pure-FTPd MySQL: require Status='1' for authentication in install templates
- Plugin signals for change directory and account status
2026-03-24 20:22:56 +01:00
master3395
10d4da6c0f fix(ftp): hide create-account alerts until submit (ng-show + ng-cloak)
- Replace inverted ng-hide flags with alertFtp* + ng-show (default false).
- Remove broken cantLoadInitialDatas guard (successfullyCreatedFTP !== false
  was true on initial state).
- Per-request submissionCompleted prevents duplicate error handlers.
- ng-cloak on controller root + CSS avoids FOUC before first digest.
- Sync static/ and public/static/ ftp.js with app static copy.
2026-03-24 00:17:23 +01:00
master3395
606209060f fix(ftp): add idempotent custom_quota columns on users table
- CPScripts/ensure_ftp_users_quota_columns.py checks information_schema and
  ALTER TABLE users ADD COLUMN for custom_quota_enabled and custom_quota_size
  when missing (fixes MySQL 1054 on FTP account creation).
- deploy-ftp-users-custom-quota-columns.sh copies script to CyberCP and runs
  repair; restarts lscpd when active.
- upgrade_modules/10_post_tweak.sh runs the repair after upgrade sync.
2026-03-24 00:07:58 +01:00
usmannasir
383d4ea3f1 Fix Dovecot hard restart killing active IMAP/POP3 connections
Replace 'systemctl restart dovecot' with 'doveadm reload' in
virtualHostUtilities, mailUtilities, and renew modules. The nightly
backup scheduler, SSL operations, and weekly cert renewal were
forcefully terminating all client sessions. doveadm reload applies
config changes (including updated SSL certs) without dropping
existing connections. upgrade.py is intentionally left unchanged
as full restarts are appropriate during upgrades.
2026-03-20 16:01:30 +05:00
usmannasir
d8cfad2761 Merge branch 'v2.4.4' into v2.4.5 2026-03-15 06:29:40 +05:00
usmannasir
92dbc2be76 Update cyberpanel_ols module to v2.7.0 and remove hash verification
Downloads are served directly from cyberpanel.net so checksum
verification is unnecessary. Also updates module URLs from v2.4.4
to v2.7.0.
2026-03-15 06:28:17 +05:00
Master3395
edeebb55ce Merge pull request #1737 from master3395/v2.5.5-dev
Subdomain fixes: creation (FQDN normalize), SSL (child webroot), Clou…
2026-03-14 23:53:14 +01:00
master3395
56866172c6 Subdomain fixes: creation (FQDN normalize), SSL (child webroot), CloudFlare delete (parent zone), acme-challenge dir 2026-03-14 23:51:51 +01:00
Master3395
0587085a5b Merge pull request #1734 from master3395/v2.5.5-dev
Database create: allow special chars in password, return real errors,…
2026-03-13 23:39:18 +01:00
master3395
cc0a002fd6 Database create: allow special chars in password, return real errors, safe SQL
- secMiddleware: allow dbPassword to bypass strict char check (stronger passwords)
- mysqlUtilities.createDatabase: return (0, error_message) on failure so UI shows real error instead of '0'
- mysqlUtilities.createDatabase: backtick-quote db name (fix 'near -admin' with hyphens), escape password and user for SQL
- submitDBCreation: pass through error message from createDatabase
- backupUtilities, Backupsv2, restoreMeta: treat createDatabase != 1 as failure (tuple return)
- patches/allow-dbpassword-special-chars.patch for secMiddleware deploy
2026-03-13 23:36:29 +01:00
Master3395
17d1eb55e0 Merge pull request #1731 from master3395/v2.5.5-dev
V2.5.5 dev
2026-03-12 12:14:21 +01:00
master3395
120f449b60 pluginHolder: harden upgrade - verify meta sync, retry, fsync so version updates reliably 2026-03-07 22:04:52 +01:00
master3395
657b903e44 pluginHolder: single upgrade confirmation (keep WARNING), refresh list after upgrade
- Remove second 'Final confirmation' dialog; keep only the WARNING backup dialog
- After successful upgrade, refetch plugin store and refresh upgrades list so
  upgraded plugins no longer appear under Upgrades Available
2026-03-07 21:12:54 +01:00
Master3395
c6bb471a7f Merge pull request #1725 from master3395/v2.5.5-dev
V2.5.5 dev
2026-03-07 02:52:07 +01:00
master3395
6bfa9382ee docs: remove hardcoded IP from 2FA guide (use your-server placeholder) 2026-03-07 02:47:55 +01:00
master3395
dc79703463 2FA/WebAuthn, user management, deploy and fix scripts
- loginSystem: WebAuthn (webauthn backend, models, urls, views), login template and webauthn.js
- baseTemplate: index.html updates
- docs: 2FA_AUTHENTICATION_GUIDE.md
- userManagment: createUser/modifyUser templates, userManagment.js, views, tests; check_modify_users_page.py
- requirments.txt: add webauthn>=2.0.0
- deploy-templates.sh: deploy templates/static to live CyberCP
- fix-cyberpanel-500.sh: script for common HTTP 500 login fixes (MariaDB, configservercsf, cache, restart)
2026-03-07 02:46:15 +01:00
master3395
67d8a716dc Plugins: add Upgrades Available tab for easier plugin updates
- New tab between Table View and CyberPanel Plugin Store with badge count
- Dedicated view listing only installed plugins with a newer store version
- Table columns: Plugin Name, New Version, Your Version, Date, Action (Upgrade)
- Notice to read release info and backup before upgrading
- Badge and list populated from existing store API (update_available)
2026-03-07 02:44:54 +01:00
usmannasir
8578733d0d Fix broken PHP symlink after upgrade: use lexists to detect dangling symlinks
os.path.exists() returns False for broken symlinks (e.g. /usr/bin/php
pointing to removed php7.4), so the old link was never removed and
the new ln -s to lsphp83 failed silently. Use os.path.lexists() instead.
2026-03-07 04:53:52 +05:00
Master3395
b46e7d2e99 Merge pull request #1724 from master3395/v2.5.5-dev
V2.5.5 dev
2026-03-06 21:14:43 +01:00
master3395
9e8011990a Plugin settings 404 and uninstall permission fixes
- Add plugin_settings_proxy for /plugins/<name>/settings/ so settings pages
  work for all installed plugins (handles plugins installed after worker start)
- Add path('<str:plugin_name>/settings/', plugin_settings_proxy) in pluginHolder.urls
- removeFromSettings/removeFromURLs: use try/except for read/write, raise clear
  PermissionError message; ensure panel user can write (chgrp lscpd; chmod g+w)
- Deploy: make CyberCP/settings.py, urls.py, baseTemplate index.html group-
  writable by lscpd so uninstall can update them
2026-03-06 21:00:33 +01:00
master3395
aa783d150b Plugin install: exclude README.md from wrong-location check (main repo has it at root)
Fixes false 'Files extracted to wrong location' when /usr/local/CyberCP/README.md
exists. Ensure panel user can create plugin dirs (e.g. chgrp lscpd /usr/local/CyberCP,
chmod g+w, and add panel user to group lscpd).
2026-03-06 20:51:45 +01:00
master3395
26d3d289b4 Plugin store: fix install for all plugins (nested repo + extraction)
- Find plugin in GitHub archive by any path segment (Category/pluginName)
- extractPlugin: prefer top-level dir matching plugin name; handle repo-root
  single dir by using plugin subdir when present (avoids wrong location)
- Add pluginHolder and pluginInstaller to upgrade recovery essential dirs

Fixes: Files extracted to wrong location (e.g. pm2Manager, README.md in root)
2026-03-06 20:40:37 +01:00
master3395
d2ad06aa4e Plugin install: pass absolute zip path to avoid cwd races; extract always uses given path 2026-03-06 20:26:15 +01:00
master3395
24467035a9 Fix plugin installation: extract to plugin dir for any zip structure (install/upgrade/downgrade safe) 2026-03-06 20:17:48 +01:00
Master3395
fd1f5d30c5 Merge pull request #1723 from master3395/v2.5.5-dev
V2.5.5 dev
2026-03-06 20:08:43 +01:00
master3395
4a999ab6d2 Remove to-do folder, docs/WINDOWS_INSTALLATION_GUIDE.md, docs/release_v2.5.5-dev.md 2026-03-06 20:07:44 +01:00
master3395
df283b4db3 Issue SSL tile + centered SSL form close (X) for v2.5.5-dev; install/upgrade/downgrade safe 2026-03-06 20:03:19 +01:00
Master3395
00e139e90b Merge pull request #1722 from master3395/v2.5.5-dev
Docker containers 500 fix, firewall banned IPs, container logs readab…
2026-03-06 19:07:12 +01:00
master3395
53fc6a52e5 Docker containers 500 fix, firewall banned IPs, container logs readability, base Ban IP sync to DB
- dockerManager: add 0001_initial migration (CREATE TABLE IF NOT EXISTS), migrate-and-retry on DB errors, safe error response, fix logging.CyberCPLogFileWriter.writeToFile
- dockerManager/views: listContainersPage fallback HTML with error message if template fails
- dockerManager/viewContainer: improve container log readability (font-size 1rem, color #f1f5f9, line-height 1.6)
- baseTemplate: blockIPAddress also adds ban to firewall BannedIP model so Firewall > Banned IPs shows all
- firewall: getBannedIPs migrate-and-retry on OperationalError/ProgrammingError; install runs migrate firewall
- plogical/upgrade: syncBannedIPsJsonToDb() to sync JSON bans to firewall_bannedips; firewallMigrations() calls it; CyberPanelUpgrade runs firewallMigrations(); someDirectories creates /usr/local/CyberCP/data
- install: explicit migrate firewall after global migrate
2026-03-06 18:50:30 +01:00
usmannasir
6efdf28396 Fix SMTP relay on AlmaLinux/RHEL: install cyrus-sasl-plain package
Postfix SASL PLAIN auth fails with "No worthy mechs found" on
RHEL/AlmaLinux because cyrus-sasl-plain is not installed by default.
- Add cyrus-sasl-plain to postfix install in install.py
- Auto-install in configureRelayHost() for existing servers
- Add to upgrade.py setupSieve() for existing installations
2026-03-06 18:36:41 +05:00
usmannasir
441f11b850 Fix fresh install crash: replace plogical imports in installCyberPanel.py
installSieve() and setupWebmail() imported from plogical module which
doesn't exist during fresh install (CyberPanel code not yet deployed).
- Replace FirewallUtilities.addSieveFirewallRule() with direct firewall-cmd/ufw calls
- Replace generate_pass() with inline secrets.choice() password generation
2026-03-06 17:10:08 +05:00
usmannasir
e81f2383be Fix version references: v2.4.5 not v2.4.5-dev 2026-03-06 16:43:37 +05:00
usmannasir
745339d0f8 Bump version to 2.4.5
- Update CP_VERSION to 2.4.5 in base template (busts static resource cache)
- Update BUILD to 5 in baseTemplate/views.py
- Update version.txt build to 5
- Update branch references in fix_cyberpanel_install.sh and docs
2026-03-06 16:42:54 +05:00
usmannasir
fa00335aa4 Revert webmail.conf ownership to cyberpanel:cyberpanel
CyberPanel Python app runs as cyberpanel user (lscpd is just the web
server). The webmail.conf must be readable by cyberpanel, not lscpd.
2026-03-06 16:29:34 +05:00
usmannasir
918a42422c Fix webmail.conf ownership: use lscpd:lscpd instead of cyberpanel:cyberpanel
lscpd worker runs as user lscpd, not cyberpanel. The webmail.conf file
(containing master user credentials) was unreadable by lscpd, causing
master auth to silently fail and fall back to empty password auth.
Also fix ownership on existing installs during upgrade.
2026-03-06 16:24:42 +05:00
usmannasir
e77ade4872 Fix dovecot-mysql missing on AlmaLinux 9+: use standard packages instead of gf-plus
AlmaLinux 9 uses standard dovecot/dovecot-mysql packages from OS repos,
not dovecot23/dovecot23-mysql from Ghettoforge. Also fix openeuler path
which was missing dovecot-mysql entirely.
2026-03-06 16:17:19 +05:00
usmannasir
1b75b8d654 Improve Sieve: folder dropdown in rules UI, INBOX. prefix fix, robust upgrade regexes
- Replace free text input with folder dropdown for move-to-folder rules
- Auto-prefix INBOX. namespace to folder names in sieve scripts
- Strip INBOX. prefix when parsing sieve scripts back to rules
- Make upgrade setupSieve() regexes more flexible to handle config variations
- Add os.makedirs for conf.d directory in both install and upgrade
- Validate ManageSieve config with both inet_listener and service checks
2026-03-06 03:50:03 +05:00
usmannasir
5cc423b7ae Fix Sieve storage: add home dir to user_query, sieve plugin paths, and mailbox autocreate
- Add home directory (CONCAT) to dovecot-sql.conf.ext user_query so sieve
  can locate script storage per user
- Add sieve/sieve_dir plugin settings to dovecot.conf templates
- Add lda_mailbox_autocreate/autosubscribe so fileinto creates missing folders
- Update setupSieve() upgrade function to patch all three on existing installs
2026-03-06 03:39:04 +05:00
usmannasir
c2c79f3967 Enable Sieve email filtering in install and upgrade for all OS
- Add sieve to dovecot protocols in both dovecot.conf templates
- Add sieve plugin to LDA mail_plugins in dovecot.conf templates
- Write ManageSieve config (20-managesieve.conf) during installSieve()
- Add setupSieve() upgrade function: patches dovecot.conf, installs
  packages (dovecot-sieve/managesieved on Ubuntu, pigeonhole on CentOS),
  writes ManageSieve config, opens firewall port 4190, restarts dovecot
- Call setupSieve() in main upgrade flow
2026-03-06 03:32:04 +05:00
usmannasir
e59e80e2dc Security fixes for webmail and emailDelivery apps
- Fix command injection in relay config: use shlex.quote() on all
  subprocess arguments passed to mailUtilities.py
- Fix XSS in email reply/forward: html.escape() on From/To/Date/Subject
  headers before embedding in quoted HTML
- Fix attachment filename traversal: use os.path.basename() and strip
  null bytes from attachment filenames
- Fix Sieve script name injection: sanitize names to alphanumeric chars
- Fix SSRF in image proxy: resolve hostname to IP and check against
  ipaddress.is_private/is_loopback/is_link_local/is_reserved
- Remove internal error details from user-facing responses
- Update Access Webmail link from /snappymail/ to /webmail/
2026-03-06 03:27:45 +05:00
usmannasir
0ebde8831f Fix emailDelivery page rendering: use httpProc instead of plain render
The page was missing sidebar menu, ACL data, and cosmetic config because
home() used Django's plain render() instead of httpProc.render() which
loads all context data needed by the base template.
2026-03-06 03:21:11 +05:00
usmannasir
4bb569ef9b Fix webmail SSO setup in install and upgrade
Install setupWebmail() now creates /etc/cyberpanel dir if missing,
patches dovecot.conf with master passdb block if absent, and skips
gracefully when already configured. Prevents webmail auth failures
on fresh installs where the directory didn't exist yet.

Also adds cybermail_accounts and cybermail_domains CREATE TABLE
statements to upgrade.py applyLoginSystemMigrations() for the
emailDelivery app on existing installs.
2026-03-06 01:15:04 +05:00
usmannasir
8411995958 Add CyberMail Email Delivery integration
- New emailDelivery Django app with full platform API integration
- Account connection, domain management, SMTP credentials, relay config
- Auto-configure SPF/DKIM/DMARC DNS records via PowerDNS
- Postfix SMTP relay through CyberMail (configureRelayHost/removeRelayHost)
- Real-time delivery logs, stats, and per-domain analytics
- Single-page AngularJS dashboard with marketing landing page
- Promotional banners on 6 email-related pages with dismiss cookie
- Manual SQL table creation in upgrade.py for existing installs
- Documentation: setup guide, technical reference, user guide
2026-03-06 00:19:53 +05:00
usmannasir
3124bae377 Sort messages by date using IMAP SORT extension instead of UID order 2026-03-05 05:56:13 +05:00
usmannasir
1f73702722 Fix missing mail TLS certs: copy self-signed certs to /etc/pki/dovecot/ at install and upgrade
On Ubuntu, the install creates /etc/pki/dovecot/ directories but never
populates them with certs. Postfix main.cf references these paths for
STARTTLS. Without them, inbound STARTTLS fails and external mail servers
(Gmail etc.) drop the connection, preventing mail delivery.
2026-03-05 05:54:09 +05:00
usmannasir
a8ba63311c Fix account switcher: ng-if creates child scope breaking ng-model binding, use ng-show instead 2026-03-05 05:42:44 +05:00
usmannasir
df7b1d3a64 Fix account switcher: send fromAccount with every API call instead of relying solely on session 2026-03-05 05:39:55 +05:00
usmannasir
5da5021675 Fix account switcher: use currentEmail as ng-model so display updates immediately 2026-03-05 05:34:32 +05:00
usmannasir
a3a90df96f Add cache-busting query param to webmail JS include 2026-03-05 05:31:21 +05:00
usmannasir
d12da43859 Fix critical webmail bugs: XSS, SSRF, install ordering, and UI issues
Security fixes:
- Escape plain text body to prevent XSS via trustAsHtml
- Add SSRF protection to image proxy (block private IPs, require auth)
- Sanitize Content-Disposition filename to prevent header injection
- Escape Sieve script values to prevent script injection
- Escape IMAP search query to prevent search injection

Install/upgrade fixes:
- Move setupWebmail() call to after Dovecot is installed (was running
  before doveadm existed, silently failing on every fresh install)
- Make setupWebmail() a static method callable from install.py
- Fix upgrade idempotency: always run dovecot.conf patching and
  migrations even if webmail.conf already exists (partial failure recovery)

Frontend fixes:
- Fix search being a no-op (was ignoring results and just reloading)
- Fix loading spinner stuck forever on API errors (add errback)
- Fix unread count decrementing on already-read messages
- Fix draft auto-save timer leak when navigating away from compose
- Fix composeToContact missing signature and auto-save
- Fix null subject crash in reply/forward
- Clear stale data when switching accounts
- Fix attachment part_id mismatch between parser and downloader

Backend fixes:
- Fix Sieve _read_response infinite loop on connection drop
- Add login check to apiSaveDraft
2026-03-05 05:10:14 +05:00