[Web] improve error handling for user password resets

This commit is contained in:
FreddleSpl0it 2024-07-31 09:22:52 +02:00
parent 2208d7e6fb
commit c37bf0bb32
No known key found for this signature in database
GPG Key ID: 00E14E7634F4BEC5
4 changed files with 20 additions and 30 deletions


@ -2329,6 +2329,17 @@ function reset_password($action, $data = null) {
return false; return false;
} }
$pw_reset_notification = reset_password('get_notification', 'raw');
if (!$pw_reset_notification) return false;
if (empty($pw_reset_notification['from']) || empty($pw_reset_notification['subject'])) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $action, $_data_log),
'msg' => 'password_reset_na'
);
return false;
}
$stmt = $pdo->prepare("SELECT * FROM `mailbox` $stmt = $pdo->prepare("SELECT * FROM `mailbox`
WHERE `username` = :username"); WHERE `username` = :username");
$stmt->execute(array(':username' => $username)); $stmt->execute(array(':username' => $username));
@ -2381,9 +2392,6 @@ function reset_password($action, $data = null) {
':token' => $token ':token' => $token
)); ));
$pw_reset_notification = reset_password('get_notification', 'raw');
if (!$pw_reset_notification) return false;
$reset_link = getBaseURL() . "/reset-password?token=" . $token; $reset_link = getBaseURL() . "/reset-password?token=" . $token;
$request_date = new DateTime(); $request_date = new DateTime();
@ -2633,30 +2641,10 @@ function reset_password($action, $data = null) {
$subject = $data['subject']; $subject = $data['subject'];
$from = preg_replace('/[\x00-\x1F\x80-\xFF]/', '', $data['from']); $from = preg_replace('/[\x00-\x1F\x80-\xFF]/', '', $data['from']);
if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) { $from = (!filter_var($from, FILTER_VALIDATE_EMAIL)) ? "" : $from;
$_SESSION['return'][] = array( $subject = (empty($subject)) ? "" : $subject;
'type' => 'danger',
'log' => array(__FUNCTION__, $action, $_data_log),
'msg' => '???'
);
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $action, $_data_log),
'msg' => 'access_denied'
);
return false;
}
$text = (empty($data['text_tmpl'])) ? "" : $data['text_tmpl']; $text = (empty($data['text_tmpl'])) ? "" : $data['text_tmpl'];
$html = (empty($data['html_tmpl'])) ? "" : $data['html_tmpl']; $html = (empty($data['html_tmpl'])) ? "" : $data['html_tmpl'];
if (empty($text) && empty($html)) {
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $action, $_data_log),
'msg' => 'access_denied'
);
return false;
}
try { try {
$redis->Set('PW_RESET_FROM', $from); $redis->Set('PW_RESET_FROM', $from);
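Review bot: On the save side, `$from = (!filter_var($from, FILTER_VALIDATE_EMAIL)) ? "" : $from;` now silently turns an invalid sender address into an empty string and stores it in Redis as a success, so an admin who mistypes the address gets no feedback, and every user who then requests a reset sees `password_reset_na` until someone notices. The branch this line replaces already had the right shape (a `danger` entry and `return false`) and only lacked a real message key in place of `'???'`; keeping that admin-facing error and leaving the new send-side guard as the backstop would be the safer combination. The send-side guard added earlier in this function checks only `from` and `subject`, while the old requirement that at least one of `text_tmpl`/`html_tmpl` be set was dropped from the save path and is not re-checked on send, so — if the raw notification array exposes the templates under those keys — a reset request can pass the guard with both templates empty and presumably produce a mail that never carries `$reset_link`; extending the condition with `|| (empty($pw_reset_notification['text_tmpl']) && empty($pw_reset_notification['html_tmpl']))` would close that gap. reset_password starts and ends outside this hunk.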


@ -446,6 +446,7 @@
"password_empty": "Passwort darf nicht leer sein", "password_empty": "Passwort darf nicht leer sein",
"password_mismatch": "Passwort-Wiederholung stimmt nicht überein", "password_mismatch": "Passwort-Wiederholung stimmt nicht überein",
"password_reset_invalid_user": "Benutzer nicht gefunden oder keine E-Mail-Adresse zur Wiederherstellung eingerichtet", "password_reset_invalid_user": "Benutzer nicht gefunden oder keine E-Mail-Adresse zur Wiederherstellung eingerichtet",
"password_reset_na": "Die Passwortwiederherstellung ist momentan nicht verfügbar. Bitte wenden Sie sich an Ihren Administrator.",
"policy_list_from_exists": "Ein Eintrag mit diesem Wert existiert bereits", "policy_list_from_exists": "Ein Eintrag mit diesem Wert existiert bereits",
"policy_list_from_invalid": "Eintrag hat ein ungültiges Format", "policy_list_from_invalid": "Eintrag hat ein ungültiges Format",
"private_key_error": "Schlüsselfehler: %s", "private_key_error": "Schlüsselfehler: %s",


@ -446,6 +446,7 @@
"password_empty": "Password must not be empty", "password_empty": "Password must not be empty",
"password_mismatch": "Confirmation password does not match", "password_mismatch": "Confirmation password does not match",
"password_reset_invalid_user": "Mailbox not found or no recovery email is set", "password_reset_invalid_user": "Mailbox not found or no recovery email is set",
"password_reset_na": "The password recovery is currently unavailable. Please contact your administrator.",
"policy_list_from_exists": "A record with given name exists", "policy_list_from_exists": "A record with given name exists",
"policy_list_from_invalid": "Record has invalid format", "policy_list_from_invalid": "Record has invalid format",
"private_key_error": "Private key error: %s", "private_key_error": "Private key error: %s",


@ -57,14 +57,14 @@
<div class="row mb-4"> <div class="row mb-4">
<div class="col-sm-6"> <div class="col-sm-6">
<div> <div>
<label for="quota_notification_sender">{{ lang.admin.quota_notification_sender }}:</label> <label for="pw_reset_from">{{ lang.admin.quota_notification_sender }}:</label>
<input type="email" class="form-control" id="quota_notification_sender" name="from" value="{{ pw_reset_data.from }}" placeholder="quota-warning@localhost"> <input type="email" class="form-control" id="pw_reset_from" name="from" value="{{ pw_reset_data.from }}">
</div> </div>
</div> </div>
<div class="col-sm-6"> <div class="col-sm-6">
<div> <div>
<label for="quota_notification_subject">{{ lang.admin.quota_notification_subject }}:</label> <label for="pw_reset_subject">{{ lang.admin.quota_notification_subject }}:</label>
<input type="text" class="form-control" id="quota_notification_subject" name="subject" value="{{ pw_reset_data.subject }}" placeholder="Quota warning"> <input type="text" class="form-control" id="pw_reset_subject" name="subject" value="{{ pw_reset_data.subject }}">
</div> </div>
</div> </div>
</div> </div>