1
0
mirror of https://github.com/mailcow/mailcow-dockerized.git synced 2024-12-23 02:04:46 +02:00

[Web] hide auth settings for external users

This commit is contained in:
FreddleSpl0it 2023-05-25 10:06:55 +02:00 committed by DerLinkman
parent 4dc3222f03
commit 5545d8a56c
No known key found for this signature in database
GPG Key ID: F109FD97469550A2
4 changed files with 10 additions and 8 deletions

View File

@ -235,8 +235,11 @@ function mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal
$protocol = 'sieve';
} else if ($app_passwd_data['pop3']){
$protocol = 'pop3';
} else if (!$is_internal) {
return false;
}
// fetch app password data
$stmt = $pdo->prepare("SELECT `app_passwd`.`password` as `password`, `app_passwd`.`id` as `app_passwd_id` FROM `app_passwd`
INNER JOIN `mailbox` ON `mailbox`.`username` = `app_passwd`.`mailbox`
@ -249,11 +252,8 @@ function mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal
:has_access_query"
);
// check if app password has protocol access
// skip if protocol is false and the call is not external
$has_access_query = '';
if (!$is_internal || ($is_internal && !empty($protocol))){
$has_access_query = " AND `app_passwd`.`" . $protocol . "_access` = '1'";
}
// skip if protocol is false and the call is internal
$has_access_query = ($is_internal && $protocol === false) ? "" : " AND `app_passwd`.`" . $protocol . "_access` = '1'";
// fetch password data
$stmt->execute(array(
':user' => $user,

View File

@ -896,7 +896,7 @@ function edit_user_account($_data) {
}
$stmt = $pdo->prepare("SELECT `password` FROM `mailbox`
WHERE `kind` NOT REGEXP 'location|thing|group'
AND `username` = :user");
AND `username` = :user AND authsource = 'mailcow'");
$stmt->execute(array(':user' => $username));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if (!verify_hash($row['password'], $password_old)) {
@ -917,7 +917,7 @@ function edit_user_account($_data) {
$stmt = $pdo->prepare("UPDATE `mailbox` SET `password` = :password_hashed,
`attributes` = JSON_SET(`attributes`, '$.force_pw_update', '0'),
`attributes` = JSON_SET(`attributes`, '$.passwd_update', NOW())
WHERE `username` = :username");
WHERE `username` = :username AND authsource = 'mailcow'");
$stmt->execute(array(
':password_hashed' => $password_hashed,
':username' => $username

View File

@ -3165,7 +3165,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
$stmt = $pdo->prepare("UPDATE `mailbox` SET
`password` = :password_hashed,
`attributes` = JSON_SET(`attributes`, '$.passwd_update', NOW())
WHERE `username` = :username");
WHERE `username` = :username AND authsource = 'mailcow'");
$stmt->execute(array(
':password_hashed' => $password_hashed,
':username' => $username

View File

@ -97,6 +97,7 @@
</div>
{# TFA #}
{% if mailboxdata.authsource == "mailcow" %}
<legend class="mt-4">{{ lang.user.authentication }}</legend>
<hr>
<div class="row">
@ -170,6 +171,7 @@
</div>
<br>
</div>
{% endif %}
</div>
<div class="ms-auto col-xl-3 col-lg-5 col-md-12 col-12 d-flex flex-column well flex-grow-1">
<legend class="d-flex">