sharpetronics/mailcow-dockerized
1
0
Fork 0
mirror of https://github.com/mailcow/mailcow-dockerized.git synced 2025-10-07 00:11:27 -04:00
Code Issues Projects Releases Wiki Activity

Merge pull request #6487 from mailcow/fix/6469

Browse Source 
[Web] Fix force password update at next login
This commit is contained in:
FreddleSpl0it 2025-05-08 14:04:56 +02:00 committed by GitHub
commit 7d3ef3d67f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 25 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
data/web/inc/functions.auth.inc.php
View File

@ -242,6 +242,7 @@ function user_login($user, $pass, $extra = null){
return false; return false;
} }
$row['attributes'] = json_decode($row['attributes'], true);
switch ($row['authsource']) { switch ($row['authsource']) {
case 'keycloak': case 'keycloak':
// user authsource is keycloak, try using via rest flow // user authsource is keycloak, try using via rest flow
@ -261,6 +262,10 @@ function user_login($user, $pass, $extra = null){
return false; return false;
} }
if (intval($row['attributes']['force_pw_update']) == 1) {
$_SESSION['pending_pw_update'] = true;
}
// check for tfa authenticators // check for tfa authenticators
$authenticators = get_tfa($user); $authenticators = get_tfa($user);
if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) { if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {
@ -313,6 +318,10 @@ function user_login($user, $pass, $extra = null){
return false; return false;
} }
if (intval($row['attributes']['force_pw_update']) == 1) {
$_SESSION['pending_pw_update'] = true;
}
// check for tfa authenticators // check for tfa authenticators
$authenticators = get_tfa($user); $authenticators = get_tfa($user);
if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) { if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {
@ -351,6 +360,11 @@ function user_login($user, $pass, $extra = null){
} }
// verify password // verify password
if (verify_hash($row['password'], $pass) !== false) { if (verify_hash($row['password'], $pass) !== false) {
if (intval($row['attributes']['force_pw_update']) == 1) {
$_SESSION['pending_pw_update'] = true;
}
// check for tfa authenticators // check for tfa authenticators
$authenticators = get_tfa($user); $authenticators = get_tfa($user);
if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) { if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {

1
data/web/inc/functions.inc.php
View File

@ -1001,6 +1001,7 @@ function edit_user_account($_data) {
':password_hashed' => $password_hashed, ':password_hashed' => $password_hashed,
':username' => $username ':username' => $username
)); ));
$_SESSION['pending_pw_update'] = false;
update_sogo_static_view(); update_sogo_static_view();
} }

10
data/web/inc/triggers.user.inc.php
View File

@ -76,7 +76,10 @@ if (isset($_POST["verify_tfa_login"])) {
$user_details = mailbox("get", "mailbox_details", $_SESSION['mailcow_cc_username']); $user_details = mailbox("get", "mailbox_details", $_SESSION['mailcow_cc_username']);
$is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false; $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
if (intval($user_details['attributes']['sogo_access']) == 1 && !$is_dual && getenv('SKIP_SOGO') != "y") { if (intval($user_details['attributes']['sogo_access']) == 1 &&
intval($user_details['attributes']['force_pw_update']) != 1 &&
getenv('SKIP_SOGO') != "y" &&
!$is_dual) {
header("Location: /SOGo/so/{$_SESSION['mailcow_cc_username']}"); header("Location: /SOGo/so/{$_SESSION['mailcow_cc_username']}");
die(); die();
} else { } else {
@ -139,7 +142,10 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
$user_details = mailbox("get", "mailbox_details", $login_user); $user_details = mailbox("get", "mailbox_details", $login_user);
$is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false; $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
if (intval($user_details['attributes']['sogo_access']) == 1 && !$is_dual && getenv('SKIP_SOGO') != "y") { if (intval($user_details['attributes']['sogo_access']) == 1 &&
intval($user_details['attributes']['force_pw_update']) != 1 &&
getenv('SKIP_SOGO') != "y" &&
!$is_dual) {
header("Location: /SOGo/so/{$login_user}"); header("Location: /SOGo/so/{$login_user}");
die(); die();
} else { } else {

3
data/web/sogo-auth.php
View File

@ -94,7 +94,8 @@ elseif (isset($_SERVER['HTTP_X_ORIGINAL_URI']) && strcasecmp(substr($_SERVER['HT
!empty($email) && !empty($email) &&
filter_var($email, FILTER_VALIDATE_EMAIL) && filter_var($email, FILTER_VALIDATE_EMAIL) &&
is_array($_SESSION[$session_var_user_allowed]) && is_array($_SESSION[$session_var_user_allowed]) &&
in_array($email, $_SESSION[$session_var_user_allowed]) in_array($email, $_SESSION[$session_var_user_allowed]) &&
!$_SESSION['pending_pw_update']
) { ) {
$username = $email; $username = $email;
$password = file_get_contents("/etc/sogo-sso/sogo-sso.pass"); $password = file_get_contents("/etc/sogo-sso/sogo-sso.pass");