self-hosted/mailcow-dockerized
1
0
Fork 0
mirror of https://github.com/mailcow/mailcow-dockerized.git synced 2025-10-30 23:57:54 +02:00
Code Issues Releases Activity

Merge pull request #6836 from mailcow/fix/6802

Browse Source 
[Web] Add password verification when setting recovery email
This commit is contained in:
FreddleSpl0it
2025-10-13 12:10:57 +02:00
committed by GitHub
parent 653fc40d4c b85837c803
commit f6eed6c441
2 changed files with 22 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
data/web/inc/functions.inc.php
View File

@@ -1006,7 +1006,7 @@ function edit_user_account($_data) {
update_sogo_static_view();
}
// edit password recovery email
elseif (isset($pw_recovery_email)) {
elseif (!empty($password_old) && isset($pw_recovery_email)) {
if (!isset($_SESSION['acl']['pw_reset']) || $_SESSION['acl']['pw_reset'] != "1" ) {
$_SESSION['return'][] = array(
'type' => 'danger',
@@ -1016,6 +1016,21 @@ function edit_user_account($_data) {
return false;
}
$stmt = $pdo->prepare("SELECT `password` FROM `mailbox`
WHERE `kind` NOT REGEXP 'location|thing|group'
AND `username` = :user AND authsource = 'mailcow'");
$stmt->execute(array(':user' => $username));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if (!verify_hash($row['password'], $password_old)) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $_data_log),
'msg' => 'access_denied'
);
return false;
}
$pw_recovery_email = (!filter_var($pw_recovery_email, FILTER_VALIDATE_EMAIL)) ? '' : $pw_recovery_email;
$stmt = $pdo->prepare("UPDATE `mailbox` SET `attributes` = JSON_SET(`attributes`, '$.recovery_email', :recovery_email)
WHERE `username` = :username AND authsource = 'mailcow'");

6
data/web/templates/modals/user.twig
View File

@@ -326,6 +326,12 @@
<small class="text-muted">{{ lang.user.password_reset_info }}</small>
</div>
</div>
<div class="row mb-4">
<label class="control-label col-sm-3" for="user_old_pass">{{ lang.user.password_now }}</label>
<div class="col-sm-9">
<input type="password" class="form-control" name="user_old_pass" autocomplete="off" required>
</div>
</div>
<div class="row">
<div class="offset-sm-3 col-sm-9">
<button class="btn btn-xs-lg d-block d-sm-inline btn-success" data-action="edit_selected" data-id="pw_recovery_change" data-item="null" data-api-url='edit/self' data-api-attr='{}' href="#">{{ lang.user.save }}</button>