
[Web] hide auth settings for external users

FreddleSpl0it 2 年之前
父節點
當前提交
8c8eae965d

+ 5 - 5
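--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -235,8 +235,11 @@ function mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal
     $protocol = 'sieve';
   } else if ($app_passwd_data['pop3']){
     $protocol = 'pop3';
+  } else if (!$is_internal) {
+    return false;
   }
 
+
   // fetch app password data
   $stmt = $pdo->prepare("SELECT `app_passwd`.`password` as `password`, `app_passwd`.`id` as `app_passwd_id` FROM `app_passwd`
     INNER JOIN `mailbox` ON `mailbox`.`username` = `app_passwd`.`mailbox`
@@ -249,11 +252,8 @@ function mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal
       :has_access_query"
   );
   // check if app password has protocol access
-  // skip if protocol is false and the call is not external
-  $has_access_query = '';
-  if (!$is_internal || ($is_internal && !empty($protocol))){
-    $has_access_query = " AND `app_passwd`.`" . $protocol . "_access` = '1'";
-  }
+  // skip if protocol is false and the call is internal
+  $has_access_query = ($is_internal && $protocol === false) ? "" : " AND `app_passwd`.`" . $protocol . "_access` = '1'";
   // fetch password data
   $stmt->execute(array(
     ':user' => $user,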
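Review bot: The new `$has_access_query` ternary only drops the access filter when `$protocol` is identically `false`, whereas the condition it replaces used `!empty($protocol)` and so also covered `null`, `''` and an unset variable. If `$protocol` is not initialised to exactly `false` before the `if`/`else if` chain (its initialiser is above this hunk, so I cannot confirm it), an internal caller with no matching protocol would build `` AND `app_passwd`.`_access` = '1' `` and the query would fail on a nonexistent column; `($is_internal && empty($protocol)) ? "" : ...` keeps the old tolerance, or confirm the initialiser. Because `$protocol` is still concatenated into the SQL string, an explicit allowlist right before the ternary, e.g. `if ($protocol !== false && !in_array($protocol, ['sieve', 'pop3' /* plus the other values assigned above */], true)) { return false; }`, would make that interpolation safe by construction rather than by the shape of the preceding branches. mailcow_mbox_apppass_login begins and ends outside the hunk.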

+ 2 - 2
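--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -896,7 +896,7 @@ function edit_user_account($_data) {
   }
   $stmt = $pdo->prepare("SELECT `password` FROM `mailbox`
       WHERE `kind` NOT REGEXP 'location|thing|group'
-        AND `username` = :user");
+        AND `username` = :user AND authsource = 'mailcow'");
   $stmt->execute(array(':user' => $username));
   $row = $stmt->fetch(PDO::FETCH_ASSOC);
   if (!verify_hash($row['password'], $password_old)) {
@@ -917,7 +917,7 @@ function edit_user_account($_data) {
     $stmt = $pdo->prepare("UPDATE `mailbox` SET `password` = :password_hashed,
       `attributes` = JSON_SET(`attributes`, '$.force_pw_update', '0'),
       `attributes` = JSON_SET(`attributes`, '$.passwd_update', NOW())
-        WHERE `username` = :username");
+        WHERE `username` = :username AND authsource = 'mailcow'");
     $stmt->execute(array(
       ':password_hashed' => $password_hashed,
       ':username' => $username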
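Review bot: With `AND authsource = 'mailcow'` added to the SELECT, the query can now return no row for an externally authenticated user, yet the `$row = $stmt->fetch(...)` result is still passed straight into `verify_hash($row['password'], $password_old)`; on a `false` row that is an array-offset-on-bool notice and a `null` hash rather than a clean rejection. Guard the fetch before verifying: `if ($row === false || !verify_hash($row['password'], $password_old)) {`. The body of that `if` and the rest of edit_user_account lie outside the hunk, so whatever error it reports for a wrong old password would then also cover the external-auth case, which is presumably the intent of the new filter.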

+ 1 - 1
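--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -3165,7 +3165,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               $stmt = $pdo->prepare("UPDATE `mailbox` SET
                   `password` = :password_hashed,
                   `attributes` = JSON_SET(`attributes`, '$.passwd_update', NOW())
-                    WHERE `username` = :username");
+                    WHERE `username` = :username AND authsource = 'mailcow'");
               $stmt->execute(array(
                 ':password_hashed' => $password_hashed,
                 ':username' => $username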
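Review bot: For a mailbox whose `authsource` is not `mailcow` the UPDATE on the `WHERE` line now matches zero rows, and nothing in the hunk inspects `$stmt->rowCount()`, so an admin-side password change for such a mailbox would appear to succeed while changing nothing. If the success message after `$stmt->execute` is unconditional (that code is outside this hunk), consider checking `$stmt->rowCount()` after the execute, or rejecting the request up front with a lookup of `authsource`, so the outcome is reported honestly instead of silently ignored. The enclosing `mailbox()` function starts and ends outside the hunk.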

+ 2 - 0
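--- a/data/web/templates/user/tab-user-auth.twig
+++ b/data/web/templates/user/tab-user-auth.twig
@@ -97,6 +97,7 @@
           </div>
 
           {# TFA #}
+          {% if mailboxdata.authsource == "mailcow" %}
           <legend class="mt-4">{{ lang.user.authentication }}</legend>
           <hr>
           <div class="row">
@@ -170,6 +171,7 @@
             </div>
             <br>
           </div>
+          {% endif %}
         </div>
         <div class="ms-auto col-xl-3 col-lg-5 col-md-12 col-12 d-flex flex-column well flex-grow-1">
           <legend class="d-flex">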
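Review bot: The `{% if mailboxdata.authsource == "mailcow" %}` guard only hides the authentication block in the rendered page; it does not stop an external-auth user from submitting the requests the hidden TFA form would send. This commit adds a server-side `authsource = 'mailcow'` condition to the password-change paths in the PHP files, but no equivalent check is visible for the other actions wrapped by this `if`, so confirm those handlers enforce the same condition rather than relying on the template. If hiding is intended purely as UX, a template comment such as `{# auth settings are hidden for non-mailcow authsources; enforcement lives in the PHP handlers #}` next to the `if` would make that division of responsibility explicit to the next maintainer.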