From 5545d8a56c87f4f3e8267d4a5954470466cdbecd Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Thu, 25 May 2023 10:06:55 +0200 Subject: [PATCH] [Web] hide auth settings for external users --- data/web/inc/functions.auth.inc.php | 10 +++++----- data/web/inc/functions.inc.php | 4 ++-- data/web/inc/functions.mailbox.inc.php | 2 +- data/web/templates/user/tab-user-auth.twig | 2 ++ 4 files changed, 10 insertions(+), 8 deletions(-) diff --git a/data/web/inc/functions.auth.inc.php b/data/web/inc/functions.auth.inc.php index 88bdaf77c..f7a2a3519 100644 --- a/data/web/inc/functions.auth.inc.php +++ b/data/web/inc/functions.auth.inc.php @@ -235,8 +235,11 @@ function mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal $protocol = 'sieve'; } else if ($app_passwd_data['pop3']){ $protocol = 'pop3'; + } else if (!$is_internal) { + return false; } + // fetch app password data $stmt = $pdo->prepare("SELECT `app_passwd`.`password` as `password`, `app_passwd`.`id` as `app_passwd_id` FROM `app_passwd` INNER JOIN `mailbox` ON `mailbox`.`username` = `app_passwd`.`mailbox` @@ -249,11 +252,8 @@ function mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal :has_access_query" ); // check if app password has protocol access - // skip if protocol is false and the call is not external - $has_access_query = ''; - if (!$is_internal || ($is_internal && !empty($protocol))){ - $has_access_query = " AND `app_passwd`.`" . $protocol . "_access` = '1'"; - } + // skip if protocol is false and the call is internal + $has_access_query = ($is_internal && $protocol === false) ? "" : " AND `app_passwd`.`" . $protocol . "_access` = '1'"; // fetch password data $stmt->execute(array( ':user' => $user, diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index 98991628d..21e20f39a 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php 
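Review bot: The new `} else if (!$is_internal) { return false; }` is the only point that refuses an external app-password login when none of the protocol branches matched, and nothing on the line says why it exists, so the next edit to the chain can easily reorder it or add a branch after it. A short comment would pin the intent, e.g. `// external callers must name a protocol; refuse rather than fall through to an unrestricted lookup`. Note that this rejection happens before any password verification, which is the right fail-closed order. The start of the if/else chain, including whatever `$protocol` is initialised to, is outside the hunk.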
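Review bot: The replacement guard `($is_internal && $protocol === false)` is stricter than the `!empty($protocol)` it removes: the access clause is now skipped only when `$protocol` is exactly boolean `false`, so if the variable is initialised to `null` or `''` earlier in the function (that initialisation is not in the hunk) an internal call with no protocol builds `AND \`app_passwd\`.\`_access\` = '1'` and the query fails — fail-closed, but as an SQL error instead of a clean reject. Either make the initialisation `$protocol = false;` visible at the head of the chain or keep the looser test, `$has_access_query = ($is_internal && empty($protocol)) ? "" : " AND \`app_passwd\`.\`" . $protocol . "_access\` = '1'";`. Concatenating `$protocol` into a column name is acceptable only because every assignment in the chain is a fixed literal such as `'sieve'` or `'pop3'`; a comment on the line should say so, e.g. `// $protocol is one of the fixed literals assigned above, never caller-supplied`. `mailcow_mbox_apppass_login()` continues past the hunk.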
@@ -896,7 +896,7 @@ function edit_user_account($_data) { } $stmt = $pdo->prepare("SELECT `password` FROM `mailbox` WHERE `kind` NOT REGEXP 'location|thing|group' - AND `username` = :user"); + AND `username` = :user AND authsource = 'mailcow'"); $stmt->execute(array(':user' => $username)); $row = $stmt->fetch(PDO::FETCH_ASSOC); if (!verify_hash($row['password'], $password_old)) { @@ -917,7 +917,7 @@ function edit_user_account($_data) { $stmt = $pdo->prepare("UPDATE `mailbox` SET `password` = :password_hashed, `attributes` = JSON_SET(`attributes`, '$.force_pw_update', '0'), `attributes` = JSON_SET(`attributes`, '$.passwd_update', NOW()) - WHERE `username` = :username"); + WHERE `username` = :username AND authsource = 'mailcow'"); $stmt->execute(array( ':password_hashed' => $password_hashed, ':username' => $username diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php index 7ff1044a4..30d927398 100644 --- a/data/web/inc/functions.mailbox.inc.php +++ b/data/web/inc/functions.mailbox.inc.php @@ -3165,7 +3165,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) { $stmt = $pdo->prepare("UPDATE `mailbox` SET `password` = :password_hashed, `attributes` = JSON_SET(`attributes`, '$.passwd_update', NOW()) - WHERE `username` = :username"); + WHERE `username` = :username AND authsource = 'mailcow'"); $stmt->execute(array( ':password_hashed' => $password_hashed, ':username' => $username diff --git a/data/web/templates/user/tab-user-auth.twig b/data/web/templates/user/tab-user-auth.twig index c39f10086..f8429821e 100644 --- a/data/web/templates/user/tab-user-auth.twig +++ b/data/web/templates/user/tab-user-auth.twig @@ -97,6 +97,7 @@ {# TFA #} + {% if mailboxdata.authsource == "mailcow" %} {{ lang.user.authentication }}
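Review bot: With `AND authsource = 'mailcow'` added to the SELECT, an externally authenticated user reaches `$row['password']` with `$row === false`: `fetch()` returns `false` on an empty result, PHP 8 warns about the array offset on a bool, and `verify_hash()` is handed `null`. That presumably fails closed, but the user is told the old password is wrong instead of that the password is not managed by mailcow, and a warning lands in the log on every attempt. Guard the fetch before the hash check, `if ($row === false) { /* report that the password is managed externally, using the function's usual return convention */ return false; }` — the error-reporting idiom used elsewhere in `edit_user_account()` is outside the hunk, so I cannot quote it exactly. The function begins before this hunk.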
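Review bot: The added `AND authsource = 'mailcow'` turns this password UPDATE into a silent no-op for an external-auth mailbox: `execute()` succeeds with zero matched rows, so whatever success path follows (outside the hunk) still runs while the stored password is unchanged. Either test `authsource` before the hash is computed and bail out with a clear message, or check the outcome after the update, e.g. `if ($stmt->rowCount() === 0) { /* report that the password is managed externally and stop */ }` — with MySQL's default affected-rows semantics a freshly salted hash always counts as a change, but confirm the PDO connection is not configured otherwise. The template change only hides the form; this line is the actual control and should not fail quietly. The enclosing `mailbox()` case starts well before the hunk.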
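Review bot: The opening `{% if mailboxdata.authsource == "mailcow" %}` and its `{% endif %}` sit about seventy lines apart in two separate hunks, so a reader of either hunk cannot tell what the block encloses; label the closing tag, `{% endif %}{# authsource == "mailcow" #}`, and consider a matching comment on the opening line. Also confirm that `mailboxdata.authsource` is always populated for this view: if it were undefined or null the comparison is false and the whole authentication section, TFA included, would vanish for mailcow-native users as well. Hiding the tab is presentation only; the server-side `authsource` checks in the PHP hunks remain the actual control. The hunk's surrounding markup appears to have been stripped in this rendering, so only the two Twig tags are visible here.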
@@ -170,6 +171,7 @@

+ {% endif %}