From 04e2494af8abb732f2b6808a266fa0d775542977 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Sun, 30 Jul 2023 11:24:07 +0200 Subject: [PATCH] deny changes on identity provider if it's in use --- data/web/inc/functions.inc.php | 36 ++++++++++++++++++++++++++++++++-- data/web/lang/lang.en-gb.json | 1 + 2 files changed, 35 insertions(+), 2 deletions(-) diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index a7063fa2c..782a12733 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -2122,6 +2122,21 @@ function identity_provider($_action, $_data = null, $_extra = null) { return false; } + $stmt = $pdo->prepare("SELECT * FROM `mailbox` + WHERE `authsource` != 'mailcow' + AND `authsource` IS NOT NULL + AND `authsource` != :authsource"); + $stmt->execute(array(':authsource' => $_data['authsource'])); + $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); + if ($rows) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_action, $data_log), + 'msg' => array('authsource_in_use', $setting) + ); + return false; + } + if ($_data['authsource'] == "keycloak") { $_data['server_url'] = (!empty($_data['server_url'])) ? rtrim($_data['server_url'], '/') : null; $_data['mailpassword_flow'] = isset($_data['mailpassword_flow']) ? intval($_data['mailpassword_flow']) : 0; 
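Review bot: The guard added before the keycloak branch compares only the provider type, so as far as the visible lines show, an edit that keeps `authsource` but changes `server_url` is still accepted while mailboxes depend on that provider. If blocking only a type switch is intended, a comment such as `// only a change of provider type is blocked; connection settings stay editable while in use` should say so. The check also loads whole mailbox rows with `SELECT *` and `fetchAll()` just to test for existence, where `SELECT 1 ... LIMIT 1` and `if ($stmt->fetchColumn() !== false)` would avoid pulling account data into memory. `$setting` is passed to `authsource_in_use` although it is not assigned in the visible lines and the new language string has no placeholder, so `'msg' => 'authsource_in_use'` looks sufficient. The last two points apply equally to the copy of this guard in the delete hunk that follows, and `identity_provider()` itself begins and ends outside the hunk.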
@@ -2235,9 +2250,26 @@ function identity_provider($_action, $_data = null, $_extra = null) { return false; } - $stmt = $pdo->prepare("DELETE FROM identity_provider;"); - $stmt->execute(); + $stmt = $pdo->query("SELECT * FROM `mailbox` + WHERE `authsource` != 'mailcow' + AND `authsource` IS NOT NULL"); + $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); + if ($rows) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $_action, $data_log), + 'msg' => array('authsource_in_use', $setting) + ); + return false; + } + $stmt = $pdo->query("DELETE FROM identity_provider;"); + + $_SESSION['return'][] = array( + 'type' => 'success', + 'log' => array(__FUNCTION__, $_action, $data_log), + 'msg' => array('item_deleted', '') + ); return true; break; case "init": diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json index 391ad58b5..a6f32105a 100644 --- a/data/web/lang/lang.en-gb.json +++ b/data/web/lang/lang.en-gb.json @@ -387,6 +387,7 @@ "aliases_in_use": "Max. aliases must be greater or equal to %d", "app_name_empty": "App name cannot be empty", "app_passwd_id_invalid": "App password ID %s invalid", + "authsource_in_use": "The identity provider cannot be changed or deleted as it is currently in use by one or more users.", "bcc_empty": "BCC destination cannot be empty", "bcc_exists": "A BCC map %s exists for type %s", "bcc_must_be_email": "BCC destination %s is not a valid email address",
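Review bot: The delete branch runs the in-use check and `DELETE FROM identity_provider` as two independent statements, so a mailbox assigned to the provider between them would be left pointing at a provider that no longer exists. Folding the condition into the delete, or running both inside one transaction with a locking read, would remove that window. The `item_deleted` success entry is pushed without looking at what `$pdo->query()` returned, which is only safe if PDO is set to throw on errors, and that setting is not visible in this hunk. A short comment above the check, for example `// refuse to drop the provider while any mailbox still authenticates through it`, would record why the guard exists. The surrounding `identity_provider()` function starts and ends outside the hunk.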