From c37bf0bb32aa58266d75ca84ac8f8f36f93d0939 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Wed, 31 Jul 2024 09:22:52 +0200 Subject: [PATCH] [Web] improve error handling for user password resets --- data/web/inc/functions.inc.php | 40 +++++++------------ data/web/lang/lang.de-de.json | 1 + data/web/lang/lang.en-gb.json | 1 + .../admin/tab-config-password-settings.twig | 8 ++-- 4 files changed, 20 insertions(+), 30 deletions(-) diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index af74d140..562af71d 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -1137,7 +1137,7 @@ function edit_user_account($_data) { ); return false; } - + $pw_recovery_email = (!filter_var($pw_recovery_email, FILTER_VALIDATE_EMAIL)) ? '' : $pw_recovery_email; $stmt = $pdo->prepare("UPDATE `mailbox` SET `attributes` = JSON_SET(`attributes`, '$.recovery_email', :recovery_email) WHERE `username` = :username"); @@ -2329,6 +2329,17 @@ function reset_password($action, $data = null) { return false; } + $pw_reset_notification = reset_password('get_notification', 'raw'); + if (!$pw_reset_notification) return false; + if (empty($pw_reset_notification['from']) || empty($pw_reset_notification['subject'])) { + $_SESSION['return'][] = array( + 'type' => 'danger', + 'log' => array(__FUNCTION__, $action, $_data_log), + 'msg' => 'password_reset_na' + ); + return false; + } + $stmt = $pdo->prepare("SELECT * FROM `mailbox` WHERE `username` = :username"); $stmt->execute(array(':username' => $username)); @@ -2381,9 +2392,6 @@ function reset_password($action, $data = null) { ':token' => $token )); - $pw_reset_notification = reset_password('get_notification', 'raw'); - if (!$pw_reset_notification) return false; - $reset_link = getBaseURL() . "/reset-password?token=" . $token; $request_date = new DateTime(); 
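Review bot: The availability check added in the `@@ -2329` hunk tests only `from` and `subject`, while the `@@ -2633` hunk removes the save-time rejection of a configuration whose `text_tmpl` and `html_tmpl` are both empty. A reset request can therefore still pass this check and, as far as the later context shows, get its token stored before a mail with an empty body is attempted. Assuming `get_notification` returns the templates under the same keys the save path reads from `$data` (not visible here), extend the condition with `|| (empty($pw_reset_notification['text_tmpl']) && empty($pw_reset_notification['html_tmpl']))` so the request is refused with `password_reset_na` before anything is written. The bare `if (!$pw_reset_notification) return false;` also returns without a `$_SESSION['return']` entry, so the user sees no message on that path. The body of `reset_password` continues outside this hunk.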
@@ -2633,30 +2641,10 @@ function reset_password($action, $data = null) { $subject = $data['subject']; $from = preg_replace('/[\x00-\x1F\x80-\xFF]/', '', $data['from']); - if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $action, $_data_log), - 'msg' => '???' - ); - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $action, $_data_log), - 'msg' => 'access_denied' - ); - return false; - } - + $from = (!filter_var($from, FILTER_VALIDATE_EMAIL)) ? "" : $from; + $subject = (empty($subject)) ? "" : $subject; $text = (empty($data['text_tmpl'])) ? "" : $data['text_tmpl']; $html = (empty($data['html_tmpl'])) ? "" : $data['html_tmpl']; - if (empty($text) && empty($html)) { - $_SESSION['return'][] = array( - 'type' => 'danger', - 'log' => array(__FUNCTION__, $action, $_data_log), - 'msg' => 'access_denied' - ); - return false; - } try { $redis->Set('PW_RESET_FROM', $from); diff --git a/data/web/lang/lang.de-de.json b/data/web/lang/lang.de-de.json index a734e09c..189774ee 100644 --- a/data/web/lang/lang.de-de.json +++ b/data/web/lang/lang.de-de.json @@ -446,6 +446,7 @@ "password_empty": "Passwort darf nicht leer sein", "password_mismatch": "Passwort-Wiederholung stimmt nicht überein", "password_reset_invalid_user": "Benutzer nicht gefunden oder keine E-Mail-Adresse zur Wiederherstellung eingerichtet", + "password_reset_na": "Die Passwortwiederherstellung ist momentan nicht verfügbar. Bitte wenden Sie sich an Ihren Administrator.", "policy_list_from_exists": "Ein Eintrag mit diesem Wert existiert bereits", "policy_list_from_invalid": "Eintrag hat ein ungültiges Format", "private_key_error": "Schlüsselfehler: %s", diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json index 636c1ade..60044180 100644 --- a/data/web/lang/lang.en-gb.json +++ b/data/web/lang/lang.en-gb.json 
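Review bot: In the `@@ -2633` hunk an invalid `from` is now silently replaced by `""` and saved, and an empty `subject` is saved as well. As far as the hunk shows, an administrator who mistypes the sender address gets no error, while every later reset request is refused with `password_reset_na`. Consider pushing a warning entry to `$_SESSION['return']` when the submitted `from` is non-empty but fails `FILTER_VALIDATE_EMAIL`, and document the intent with a comment such as `// empty from/subject is stored on purpose: it disables user password resets`. `$subject` is also stored without the control-character stripping applied to `$from` two lines above; if it is later placed in a mail header, stripping CR/LF here would be a cheap safeguard. The enclosing block starts and ends outside the hunk.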
@@ -446,6 +446,7 @@
 "password_empty": "Password must not be empty",
 "password_mismatch": "Confirmation password does not match",
 "password_reset_invalid_user": "Mailbox not found or no recovery email is set",
+ "password_reset_na": "The password recovery is currently unavailable. Please contact your administrator.",
 "policy_list_from_exists": "A record with given name exists",
 "policy_list_from_invalid": "Record has invalid format",
 "private_key_error": "Private key error: %s",
diff --git a/data/web/templates/admin/tab-config-password-settings.twig b/data/web/templates/admin/tab-config-password-settings.twig
index 6b2c494c..5998c638 100644
--- a/data/web/templates/admin/tab-config-password-settings.twig
+++ b/data/web/templates/admin/tab-config-password-settings.twig
@@ -57,14 +57,14 @@
- - + +
- - + +