Escape generated password in mobileconfig

Escape ampersand, less than, greater than to avoid generating invalid XML.

Fixes #7171

data/web/inc/functions.inc.php

@@ -1035,14 +1035,6 @@ function edit_user_account($_data) {
   // edit password
   $is_forced_pw_update = !empty($_SESSION['pending_pw_update']);
   if (((!empty($password_old) || $is_forced_pw_update) && !empty($_data['user_new_pass']) && !empty($_data['user_new_pass2']))) {
-    if (!$is_forced_pw_update && (!isset($_SESSION['acl']['pw_change']) || $_SESSION['acl']['pw_change'] != "1")) {
-      $_SESSION['return'][] = array(
-        'type' => 'danger',
-        'log' => array(__FUNCTION__, $_data_log),
-        'msg' => 'access_denied'
-      );
-      return false;
-    }
     // Only verify old password if this is NOT a forced password update
     if (!$is_forced_pw_update) {
       $stmt = $pdo->prepare("SELECT `password` FROM `mailbox`

data/web/inc/functions.mailbox.inc.php

@@ -1331,7 +1331,6 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             $_data['quarantine_notification'] = (in_array('quarantine_notification', $_data['acl'])) ? 1 : 0;
             $_data['quarantine_category'] = (in_array('quarantine_category', $_data['acl'])) ? 1 : 0;
             $_data['app_passwds'] = (in_array('app_passwds', $_data['acl'])) ? 1 : 0;
-            $_data['pw_change'] = (in_array('pw_change', $_data['acl'])) ? 1 : 0;
             $_data['pw_reset'] = (in_array('pw_reset', $_data['acl'])) ? 1 : 0;
           } else {
             $_data['spam_alias'] = intval($MAILBOX_DEFAULT_ATTRIBUTES['acl_spam_alias']);
@@ -1348,16 +1347,15 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             $_data['quarantine_notification'] = intval($MAILBOX_DEFAULT_ATTRIBUTES['acl_quarantine_notification']);
             $_data['quarantine_category'] = intval($MAILBOX_DEFAULT_ATTRIBUTES['acl_quarantine_category']);
             $_data['app_passwds'] = intval($MAILBOX_DEFAULT_ATTRIBUTES['acl_app_passwds']);
-            $_data['pw_change'] = intval($MAILBOX_DEFAULT_ATTRIBUTES['acl_pw_change']);
             $_data['pw_reset'] = intval($MAILBOX_DEFAULT_ATTRIBUTES['acl_pw_reset']);
           }
 
           try {
             $stmt = $pdo->prepare("INSERT INTO `user_acl`
               (`username`, `spam_alias`, `tls_policy`, `spam_score`, `spam_policy`, `delimiter_action`, `syncjobs`, `eas_reset`, `sogo_profile_reset`,
-                `pushover`, `quarantine`, `quarantine_attachments`, `quarantine_notification`, `quarantine_category`, `app_passwds`, `pw_change`, `pw_reset`)
+                `pushover`, `quarantine`, `quarantine_attachments`, `quarantine_notification`, `quarantine_category`, `app_passwds`, `pw_reset`)
               VALUES (:username, :spam_alias, :tls_policy, :spam_score, :spam_policy, :delimiter_action, :syncjobs, :eas_reset, :sogo_profile_reset,
-                :pushover, :quarantine, :quarantine_attachments, :quarantine_notification, :quarantine_category, :app_passwds, :pw_change, :pw_reset) ");
+                :pushover, :quarantine, :quarantine_attachments, :quarantine_notification, :quarantine_category, :app_passwds, :pw_reset) ");
             $stmt->execute(array(
               ':username' => $username,
               ':spam_alias' => $_data['spam_alias'],
@@ -1374,7 +1372,6 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               ':quarantine_notification' => $_data['quarantine_notification'],
               ':quarantine_category' => $_data['quarantine_category'],
               ':app_passwds' => $_data['app_passwds'],
-              ':pw_change' => $_data['pw_change'],
               ':pw_reset' => $_data['pw_reset']
             ));
           }
@@ -1795,7 +1792,6 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             $attr['acl_quarantine_notification'] = (in_array('quarantine_notification', $_data['acl'])) ? 1 : 0;
             $attr['acl_quarantine_category'] = (in_array('quarantine_category', $_data['acl'])) ? 1 : 0;
             $attr['acl_app_passwds'] = (in_array('app_passwds', $_data['acl'])) ? 1 : 0;
-            $attr['acl_pw_change'] = (in_array('pw_change', $_data['acl'])) ? 1 : 0;
             $attr['acl_pw_reset'] = (in_array('pw_reset', $_data['acl'])) ? 1 : 0;
           } else {
             $_data['acl'] = (array)$_data['acl'];
@@ -1813,7 +1809,6 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             $attr['acl_quarantine_notification'] = 0;
             $attr['acl_quarantine_category'] = 0;
             $attr['acl_app_passwds'] = 0;
-            $attr['acl_pw_change'] = 0;
           }
 
 
@@ -3867,7 +3862,6 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               $attr['acl_quarantine_notification'] = (in_array('quarantine_notification', $_data['acl'])) ? 1 : 0;
               $attr['acl_quarantine_category'] = (in_array('quarantine_category', $_data['acl'])) ? 1 : 0;
               $attr['acl_app_passwds'] = (in_array('app_passwds', $_data['acl'])) ? 1 : 0;
-              $attr['acl_pw_change'] = (in_array('pw_change', $_data['acl'])) ? 1 : 0;
               $attr['acl_pw_reset'] = (in_array('pw_reset', $_data['acl'])) ? 1 : 0;
             } else {
               foreach ($is_now as $key => $value){

data/web/inc/init_db.inc.php

@@ -4,7 +4,7 @@ function init_db_schema()
   try {
     global $pdo;
 
-    $db_version = "16042026_1402";
+    $db_version = "19022026_1220";
 
     $stmt = $pdo->query("SHOW TABLES LIKE 'versions'");
     $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
@@ -513,7 +513,6 @@ function init_db_schema()
           "quarantine_notification" => "TINYINT(1) NOT NULL DEFAULT '1'",
           "quarantine_category" => "TINYINT(1) NOT NULL DEFAULT '1'",
           "app_passwds" => "TINYINT(1) NOT NULL DEFAULT '1'",
-          "pw_change" => "TINYINT(1) NOT NULL DEFAULT '1'",
           "pw_reset" => "TINYINT(1) NOT NULL DEFAULT '1'",
         ),
         "keys" => array(
@@ -1479,7 +1478,6 @@ function init_db_schema()
         "acl_quarantine_notification" => 1,
         "acl_quarantine_category" => 1,
         "acl_app_passwds" => 1,
-        "acl_pw_change" => 1,
       )
     );
     $stmt = $pdo->prepare("SELECT id FROM `templates` WHERE `type` = :type AND `template` = :template");

data/web/js/site/mailbox.js

@@ -403,9 +403,6 @@ $(document).ready(function() {
     if (template.acl_app_passwds == 1){
       acl.push("app_passwds");
     }
-    if (template.acl_pw_change == 1){
-      acl.push("pw_change");
-    }
     if (template.acl_pw_reset == 1){
       acl.push("pw_reset");
     }

data/web/lang/lang.de-de.json

@@ -14,7 +14,6 @@
         "prohibited": "Untersagt durch Richtlinie",
         "protocol_access": "Ändern der erlaubten Protokolle",
         "pushover": "Pushover",
-        "pw_change": "Passwortänderung erlauben",
         "pw_reset": "Verwalten der E-Mail zur Passwortwiederherstellung erlauben",
         "quarantine": "Quarantäne-Aktionen",
         "quarantine_attachments": "Anhänge aus Quarantäne",

data/web/lang/lang.en-gb.json

@@ -14,7 +14,6 @@
         "prohibited": "Prohibited by ACL",
         "protocol_access": "Change protocol access",
         "pushover": "Pushover",
-        "pw_change": "Allow password change",
         "pw_reset": "Allow to reset mailcow user password",
         "quarantine": "Quarantine actions",
         "quarantine_attachments": "Quarantine attachments",

data/web/mobileconfig.php

@@ -65,6 +65,7 @@ if (isset($_GET['app_password'])) {
       $attr['protocols'][] = 'dav_access';
   }
   app_passwd("add", $attr);
+  $password = htmlspecialchars($password, ENT_NOQUOTES);
 } else {
   $app_password = false;
 }

data/web/templates/edit/mailbox-templates.twig

@@ -131,7 +131,6 @@
           <option value="quarantine_notification" {% if template.attributes.acl_quarantine_notification == '1' %} selected{% endif %}>{{ lang.acl["quarantine_notification"] }}</option>
           <option value="quarantine_category" {% if template.attributes.acl_quarantine_category == '1' %} selected{% endif %}>{{ lang.acl["quarantine_category"] }}</option>
           <option value="app_passwds" {% if template.attributes.acl_app_passwds == '1' %} selected{% endif %}>{{ lang.acl["app_passwds"] }}</option>
-          <option value="pw_change" {% if template.attributes.acl_pw_change == '1' %} selected{% endif %}>{{ lang.acl["pw_change"] }}</option>
           <option value="pw_reset" {% if template.attributes.acl_pw_reset == '1' %} selected{% endif %}>{{ lang.acl["pw_reset"] }}</option>
         </select>
       </div>

data/web/templates/modals/mailbox.twig

@@ -172,7 +172,6 @@
                   <option value="quarantine_notification" selected>{{ lang.acl["quarantine_notification"] }}</option>
                   <option value="quarantine_category" selected>{{ lang.acl["quarantine_category"] }}</option>
                   <option value="app_passwds" selected>{{ lang.acl["app_passwds"] }}</option>
-                  <option value="pw_change" selected>{{ lang.acl["pw_change"] }}</option>
                   <option value="pw_reset" selected>{{ lang.acl["pw_reset"] }}</option>
               </select>
             </div>

data/web/templates/user/tab-user-auth.twig

@@ -108,9 +108,7 @@
           <div class="row">
             <div class="col-12 col-md-3 d-flex"></div>
             <div class="col-12 col-md-9 d-flex flex-wrap">
-              {% if acl.pw_change == 1 %}
               <a class="btn btn-secondary" href="#pwChangeModal" data-bs-toggle="modal"><i class="bi bi-pencil-fill"></i> {{ lang.user.change_password }}</a>
-              {% endif %}
               {% if acl.pw_reset == 1 %}
               <a class="btn btn-secondary ms-4" href="#pwRecoveryEmailModal" data-bs-toggle="modal"><i class="bi bi-pencil-fill"></i> {{ lang.user.pw_recovery_email }}</a></p>
               {% endif %}