[Web] hide auth settings for external users

2025-10-30 23:57:54 +02:00 · 2023-05-25 10:06:55 +02:00
parent 4dc3222f03
commit 5545d8a56c
4 changed files with 10 additions and 8 deletions
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -235,8 +235,11 @@ function mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal
    $protocol = 'sieve';
  } else if ($app_passwd_data['pop3']){
    $protocol = 'pop3';
+  } else if (!$is_internal) {
+    return false;
  }

+
  // fetch app password data
  $stmt = $pdo->prepare("SELECT `app_passwd`.`password` as `password`, `app_passwd`.`id` as `app_passwd_id` FROM `app_passwd`
    INNER JOIN `mailbox` ON `mailbox`.`username` = `app_passwd`.`mailbox`
@@ -249,11 +252,8 @@ function mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal
      :has_access_query"
  );
  // check if app password has protocol access
-  // skip if protocol is false and the call is not external
-  $has_access_query = '';
-  if (!$is_internal || ($is_internal && !empty($protocol))){
-    $has_access_query = " AND `app_passwd`.`" . $protocol . "_access` = '1'";
-  }
+  // skip if protocol is false and the call is internal
+  $has_access_query = ($is_internal && $protocol === false) ? "" : " AND `app_passwd`.`" . $protocol . "_access` = '1'";
  // fetch password data
  $stmt->execute(array(
    ':user' => $user,
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -896,7 +896,7 @@ function edit_user_account($_data) {
  }
  $stmt = $pdo->prepare("SELECT `password` FROM `mailbox`
      WHERE `kind` NOT REGEXP 'location|thing|group'
-        AND `username` = :user");
+        AND `username` = :user AND authsource = 'mailcow'");
  $stmt->execute(array(':user' => $username));
  $row = $stmt->fetch(PDO::FETCH_ASSOC);
  if (!verify_hash($row['password'], $password_old)) {
@@ -917,7 +917,7 @@ function edit_user_account($_data) {
    $stmt = $pdo->prepare("UPDATE `mailbox` SET `password` = :password_hashed,
      `attributes` = JSON_SET(`attributes`, '$.force_pw_update', '0'),
      `attributes` = JSON_SET(`attributes`, '$.passwd_update', NOW())
-        WHERE `username` = :username");
+        WHERE `username` = :username AND authsource = 'mailcow'");
    $stmt->execute(array(
      ':password_hashed' => $password_hashed,
      ':username' => $username
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -3165,7 +3165,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
              $stmt = $pdo->prepare("UPDATE `mailbox` SET
                  `password` = :password_hashed,
                  `attributes` = JSON_SET(`attributes`, '$.passwd_update', NOW())
-                    WHERE `username` = :username");
+                    WHERE `username` = :username AND authsource = 'mailcow'");
              $stmt->execute(array(
                ':password_hashed' => $password_hashed,
                ':username' => $username
--- a/data/web/templates/user/tab-user-auth.twig
+++ b/data/web/templates/user/tab-user-auth.twig
@@ -97,6 +97,7 @@
          </div>

          {# TFA #}
+          {% if mailboxdata.authsource == "mailcow" %}
          <legend class="mt-4">{{ lang.user.authentication }}</legend>
          <hr>
          <div class="row">
@@ -170,6 +171,7 @@
            </div>
            <br>
          </div>
+          {% endif %}
        </div>
        <div class="ms-auto col-xl-3 col-lg-5 col-md-12 col-12 d-flex flex-column well flex-grow-1">
          <legend class="d-flex">