
Merge pull request #6487 from mailcow/fix/6469

[Web] Fix force password update at next login
FreddleSpl0it 5 月之前
父節點
當前提交
7d3ef3d67f
共有 4 個文件被更改,包括 25 次插入3 次删除
  1. 14 0
      data/web/inc/functions.auth.inc.php
  2. 1 0
      data/web/inc/functions.inc.php
  3. 8 2
      data/web/inc/triggers.user.inc.php
  4. 2 1
      data/web/sogo-auth.php

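--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -242,6 +242,7 @@ function user_login($user, $pass, $extra = null){
     return false;
   }
 
+  $row['attributes'] = json_decode($row['attributes'], true);
   switch ($row['authsource']) {
     case 'keycloak':
       // user authsource is keycloak, try using via rest flow
@@ -261,6 +262,10 @@ function user_login($user, $pass, $extra = null){
             return false;
           }
 
+          if (intval($row['attributes']['force_pw_update']) == 1) {
+            $_SESSION['pending_pw_update'] = true;
+          }
+
           // check for tfa authenticators
           $authenticators = get_tfa($user);
           if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {
@@ -313,6 +318,10 @@ function user_login($user, $pass, $extra = null){
           return false;
         }
 
+        if (intval($row['attributes']['force_pw_update']) == 1) {
+          $_SESSION['pending_pw_update'] = true;
+        }
+
         // check for tfa authenticators
         $authenticators = get_tfa($user);
         if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {
@@ -351,6 +360,11 @@ function user_login($user, $pass, $extra = null){
       }
       // verify password
       if (verify_hash($row['password'], $pass) !== false) {
+
+        if (intval($row['attributes']['force_pw_update']) == 1) {
+          $_SESSION['pending_pw_update'] = true;
+        }
+
         // check for tfa authenticators
         $authenticators = get_tfa($user);
         if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {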
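Review bot: The force_pw_update check added on the three success paths reads `$row['attributes']['force_pw_update']` without guarding the key, and the `json_decode()` added before the switch yields null for an empty or malformed attributes column, so a mailbox row without that key triggers an "Undefined array key" / "array offset on null" warning before `intval()` turns the value into 0; `if (intval($row['attributes']['force_pw_update'] ?? 0) === 1) {` in each of the three places avoids that. The flag is also only ever set to true here and never cleared when the attribute is 0, so a stale true left in the same session by an earlier login would survive unless the session is reset on logout — assigning `$_SESSION['pending_pw_update'] = (intval($row['attributes']['force_pw_update'] ?? 0) === 1);` unconditionally on each success path makes the session state follow the current row. The block is repeated verbatim three times; a small private helper taking `$row` would remove the duplication. user_login's body starts and ends outside these hunks.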

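--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -1001,6 +1001,7 @@ function edit_user_account($_data) {
       ':password_hashed' => $password_hashed,
       ':username' => $username
     ));
+    $_SESSION['pending_pw_update'] = false;
 
     update_sogo_static_view();
   }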
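Review bot: The added line clears the flag only in the session, so it stays consistent with the DB-based check in triggers.user.inc.php only if the UPDATE above also resets the `force_pw_update` attribute on the mailbox row; the query text is outside the hunk, so that is worth confirming, otherwise the SOGo redirect would still be suppressed at the next login even though SSO is no longer blocked. Assigning `false` rather than `unset()`-ing the key is the right choice, since sogo-auth.php reads the key directly. A one-line comment would make the coupling visible to the next reader, e.g. `// password rotated: lift the SOGo SSO block that user_login() set for force_pw_update`. edit_user_account's body starts and ends outside the hunk.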

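--- a/data/web/inc/triggers.user.inc.php
+++ b/data/web/inc/triggers.user.inc.php
@@ -76,7 +76,10 @@ if (isset($_POST["verify_tfa_login"])) {
 
         $user_details = mailbox("get", "mailbox_details", $_SESSION['mailcow_cc_username']);
         $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
-        if (intval($user_details['attributes']['sogo_access']) == 1 && !$is_dual && getenv('SKIP_SOGO') != "y") {
+        if (intval($user_details['attributes']['sogo_access']) == 1 &&
+            intval($user_details['attributes']['force_pw_update']) != 1 &&
+            getenv('SKIP_SOGO') != "y" &&
+            !$is_dual) {
           header("Location: /SOGo/so/{$_SESSION['mailcow_cc_username']}");
           die();
         } else {
@@ -139,7 +142,10 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
 
     $user_details = mailbox("get", "mailbox_details", $login_user);
     $is_dual = (!empty($_SESSION["dual-login"]["username"])) ? true : false;
-    if (intval($user_details['attributes']['sogo_access']) == 1 && !$is_dual && getenv('SKIP_SOGO') != "y") {
+    if (intval($user_details['attributes']['sogo_access']) == 1 &&
+        intval($user_details['attributes']['force_pw_update']) != 1 &&
+        getenv('SKIP_SOGO') != "y" &&
+        !$is_dual) {
       header("Location: /SOGo/so/{$login_user}");
       die();
     } else {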
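Review bot: `intval($user_details['attributes']['force_pw_update']) != 1` in the new condition (and the identical line in this file's second hunk) reads the key unguarded, so a mailbox whose attributes lack `force_pw_update` emits an "Undefined array key" warning on login before the test evaluates as intended; `intval($user_details['attributes']['force_pw_update'] ?? 0) !== 1` keeps the behaviour without the notice. This check decides from the database attribute while sogo-auth.php decides the same thing from `$_SESSION['pending_pw_update']`; two sources of truth drift easily, so a short comment stating why the fresh DB read is preferred here, e.g. `// read from DB, not the session flag, so an admin reset takes effect immediately` (if that is the intent), would help. The enclosing verify_tfa_login and login_user handlers start and end outside the hunks.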

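--- a/data/web/sogo-auth.php
+++ b/data/web/sogo-auth.php
@@ -94,7 +94,8 @@ elseif (isset($_SERVER['HTTP_X_ORIGINAL_URI']) && strcasecmp(substr($_SERVER['HT
         !empty($email) &&
         filter_var($email, FILTER_VALIDATE_EMAIL) &&
         is_array($_SESSION[$session_var_user_allowed]) &&
-        in_array($email, $_SESSION[$session_var_user_allowed])
+        in_array($email, $_SESSION[$session_var_user_allowed]) &&
+        !$_SESSION['pending_pw_update']
     ) {
       $username = $email;
       $password = file_get_contents("/etc/sogo-sso/sogo-sso.pass");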
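Review bot: `!$_SESSION['pending_pw_update']` on the added line reads a key that user_login() sets only when force_pw_update is 1, so for every other user, and for sessions created before this change, each SOGo SSO request emits an "Undefined array key" warning; `!($_SESSION['pending_pw_update'] ?? false)` keeps the same allow-when-absent semantics without the notice. Allowing when the key is absent matches the pre-change behaviour and is appropriate here since the block targets only accounts flagged for a rotation, but that intent is not obvious from the condition — a comment such as `// no SSO until a forced password update has been completed (flag set in user_login())` would make it self-explaining. The enclosing `elseif` and the rest of this condition start outside the hunk.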