[Web] Add password verification when setting recovery email

2025-12-13 01:45:59 +00:00 · 2025-10-13 12:05:17 +02:00
parent 653fc40d4c
commit b85837c803
2 changed files with 22 additions and 1 deletions
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -1006,7 +1006,7 @@ function edit_user_account($_data) {
    update_sogo_static_view();
  }
  // edit password recovery email
-  elseif (isset($pw_recovery_email)) {
+  elseif (!empty($password_old) && isset($pw_recovery_email)) {
    if (!isset($_SESSION['acl']['pw_reset']) || $_SESSION['acl']['pw_reset'] != "1" ) {
      $_SESSION['return'][] = array(
        'type' => 'danger',
@@ -1016,6 +1016,21 @@ function edit_user_account($_data) {
      return false;
    }

+    $stmt = $pdo->prepare("SELECT `password` FROM `mailbox`
+        WHERE `kind` NOT REGEXP 'location|thing|group'
+          AND `username` = :user AND authsource = 'mailcow'");
+    $stmt->execute(array(':user' => $username));
+    $row = $stmt->fetch(PDO::FETCH_ASSOC);
+
+    if (!verify_hash($row['password'], $password_old)) {
+      $_SESSION['return'][] =  array(
+        'type' => 'danger',
+        'log' => array(__FUNCTION__, $_data_log),
+        'msg' => 'access_denied'
+      );
+      return false;
+    }
+
    $pw_recovery_email = (!filter_var($pw_recovery_email, FILTER_VALIDATE_EMAIL)) ? '' : $pw_recovery_email;
    $stmt = $pdo->prepare("UPDATE `mailbox` SET `attributes` = JSON_SET(`attributes`, '$.recovery_email', :recovery_email)
      WHERE `username` = :username AND authsource = 'mailcow'");
--- a/data/web/templates/modals/user.twig
+++ b/data/web/templates/modals/user.twig
@@ -326,6 +326,12 @@
              <small class="text-muted">{{ lang.user.password_reset_info }}</small>
            </div>
          </div>
+          <div class="row mb-4">
+            <label class="control-label col-sm-3" for="user_old_pass">{{ lang.user.password_now }}</label>
+            <div class="col-sm-9">
+              <input type="password" class="form-control" name="user_old_pass" autocomplete="off" required>
+            </div>
+          </div>
          <div class="row">
            <div class="offset-sm-3 col-sm-9">
              <button class="btn btn-xs-lg d-block d-sm-inline btn-success" data-action="edit_selected" data-id="pw_recovery_change" data-item="null" data-api-url='edit/self' data-api-attr='{}' href="#">{{ lang.user.save }}</button>