[Web] improve error handling for user password resets

data/web/inc/functions.inc.php

@@ -1137,7 +1137,7 @@ function edit_user_account($_data) {
       );
       return false;
     }
-    
+
     $pw_recovery_email = (!filter_var($pw_recovery_email, FILTER_VALIDATE_EMAIL)) ? '' : $pw_recovery_email;
     $stmt = $pdo->prepare("UPDATE `mailbox` SET `attributes` = JSON_SET(`attributes`, '$.recovery_email', :recovery_email)
       WHERE `username` = :username");
@@ -2329,6 +2329,17 @@ function reset_password($action, $data = null) {
         return false;
       }
 
+      $pw_reset_notification = reset_password('get_notification', 'raw');
+      if (!$pw_reset_notification) return false;
+      if (empty($pw_reset_notification['from']) || empty($pw_reset_notification['subject'])) {
+        $_SESSION['return'][] = array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $action, $_data_log),
+          'msg' => 'password_reset_na'
+        );
+        return false;
+      }
+
       $stmt = $pdo->prepare("SELECT * FROM `mailbox`
         WHERE `username` = :username");
       $stmt->execute(array(':username' => $username));
@@ -2381,9 +2392,6 @@ function reset_password($action, $data = null) {
         ':token' => $token
       ));
 
-      $pw_reset_notification = reset_password('get_notification', 'raw');
-      if (!$pw_reset_notification) return false;
-
       $reset_link = getBaseURL() . "/reset-password?token=" . $token;
 
       $request_date = new DateTime();
@@ -2633,30 +2641,10 @@ function reset_password($action, $data = null) {
       $subject = $data['subject'];
       $from = preg_replace('/[\x00-\x1F\x80-\xFF]/', '', $data['from']);
 
-      if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
-        $_SESSION['return'][] = array(
-          'type' => 'danger',
-          'log' => array(__FUNCTION__, $action, $_data_log),
-          'msg' => '???'
-        );
-        $_SESSION['return'][] = array(
-          'type' => 'danger',
-          'log' => array(__FUNCTION__, $action, $_data_log),
-          'msg' => 'access_denied'
-        );
-        return false;
-      }
-
+      $from = (!filter_var($from, FILTER_VALIDATE_EMAIL)) ? "" : $from;
+      $subject = (empty($subject)) ? "" : $subject;
       $text = (empty($data['text_tmpl'])) ? "" : $data['text_tmpl'];
       $html = (empty($data['html_tmpl'])) ? "" : $data['html_tmpl'];
-      if (empty($text) && empty($html)) {
-        $_SESSION['return'][] = array(
-          'type' => 'danger',
-          'log' => array(__FUNCTION__, $action, $_data_log),
-          'msg' => 'access_denied'
-        );
-        return false;
-      }
 
       try {
         $redis->Set('PW_RESET_FROM', $from);

data/web/lang/lang.de-de.json

@@ -446,6 +446,7 @@
         "password_empty": "Passwort darf nicht leer sein",
         "password_mismatch": "Passwort-Wiederholung stimmt nicht überein",
         "password_reset_invalid_user": "Benutzer nicht gefunden oder keine E-Mail-Adresse zur Wiederherstellung eingerichtet",
+        "password_reset_na": "Die Passwortwiederherstellung ist momentan nicht verfügbar. Bitte wenden Sie sich an Ihren Administrator.",
         "policy_list_from_exists": "Ein Eintrag mit diesem Wert existiert bereits",
         "policy_list_from_invalid": "Eintrag hat ein ungültiges Format",
         "private_key_error": "Schlüsselfehler: %s",

data/web/lang/lang.en-gb.json

@@ -446,6 +446,7 @@
         "password_empty": "Password must not be empty",
         "password_mismatch": "Confirmation password does not match",
         "password_reset_invalid_user": "Mailbox not found or no recovery email is set",
+        "password_reset_na": "The password recovery is currently unavailable. Please contact your administrator.",
         "policy_list_from_exists": "A record with given name exists",
         "policy_list_from_invalid": "Record has invalid format",
         "private_key_error": "Private key error: %s",

data/web/templates/admin/tab-config-password-settings.twig

@@ -57,14 +57,14 @@
         <div class="row mb-4">
           <div class="col-sm-6">
             <div>
-              <label for="quota_notification_sender">{{ lang.admin.quota_notification_sender }}:</label>
-              <input type="email" class="form-control" id="quota_notification_sender" name="from" value="{{ pw_reset_data.from }}" placeholder="quota-warning@localhost">
+              <label for="pw_reset_from">{{ lang.admin.quota_notification_sender }}:</label>
+              <input type="email" class="form-control" id="pw_reset_from" name="from" value="{{ pw_reset_data.from }}">
             </div>
           </div>
           <div class="col-sm-6">
             <div>
-              <label for="quota_notification_subject">{{ lang.admin.quota_notification_subject }}:</label>
-              <input type="text" class="form-control" id="quota_notification_subject" name="subject" value="{{ pw_reset_data.subject }}" placeholder="Quota warning">
+              <label for="pw_reset_subject">{{ lang.admin.quota_notification_subject }}:</label>
+              <input type="text" class="form-control" id="pw_reset_subject" name="subject" value="{{ pw_reset_data.subject }}">
             </div>
           </div>
         </div>