|
@@ -1006,7 +1006,7 @@ function edit_user_account($_data) {
|
|
|
update_sogo_static_view();
|
|
|
}
|
|
|
// edit password recovery email
|
|
|
- elseif (isset($pw_recovery_email)) {
|
|
|
+ elseif (!empty($password_old) && isset($pw_recovery_email)) {
|
|
|
if (!isset($_SESSION['acl']['pw_reset']) || $_SESSION['acl']['pw_reset'] != "1" ) {
|
|
|
$_SESSION['return'][] = array(
|
|
|
'type' => 'danger',
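Review bot: The new guard `!empty($password_old) && isset($pw_recovery_email)` makes a recovery-email update that omits `password_old` fall through this `elseif` silently, so the caller gets no `access_denied` (or any) message and the request may match a later branch or do nothing. Keeping `elseif (isset($pw_recovery_email))` as the branch condition and rejecting inside it — `if (empty($password_old)) { $_SESSION['return'][] = array('type' => 'danger', 'log' => array(__FUNCTION__, $_data_log), 'msg' => 'access_denied'); return false; }` — keeps the re-authentication requirement while still reporting the failure. The enclosing function `edit_user_account` and the branches before this `elseif` start outside the hunk, so it is not visible whether another branch would now claim such a request.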
|
|
@@ -1016,6 +1016,21 @@ function edit_user_account($_data) {
|
|
|
return false;
|
|
|
}
|
|
|
|
|
|
+ $stmt = $pdo->prepare("SELECT `password` FROM `mailbox`
|
|
|
+ WHERE `kind` NOT REGEXP 'location|thing|group'
|
|
|
+ AND `username` = :user AND authsource = 'mailcow'");
|
|
|
+ $stmt->execute(array(':user' => $username));
|
|
|
+ $row = $stmt->fetch(PDO::FETCH_ASSOC);
|
|
|
+
|
|
|
+ if (!verify_hash($row['password'], $password_old)) {
|
|
|
+ $_SESSION['return'][] = array(
|
|
|
+ 'type' => 'danger',
|
|
|
+ 'log' => array(__FUNCTION__, $_data_log),
|
|
|
+ 'msg' => 'access_denied'
|
|
|
+ );
|
|
|
+ return false;
|
|
|
+ }
|
|
|
+
|
|
|
$pw_recovery_email = (!filter_var($pw_recovery_email, FILTER_VALIDATE_EMAIL)) ? '' : $pw_recovery_email;
|
|
|
$stmt = $pdo->prepare("UPDATE `mailbox` SET `attributes` = JSON_SET(`attributes`, '$.recovery_email', :recovery_email)
|
|
|
WHERE `username` = :username AND authsource = 'mailcow'");
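Review bot: `$row['password']` is read without checking that the SELECT returned a row, so when `$username` has no `mailcow`-authsourced mailbox (or is filtered out by the `kind` regexp) `$row` is `false`, `$row['password']` is `null` with a warning, and the outcome depends entirely on how `verify_hash` treats a null hash. Deny explicitly instead: `if ($row === false || !verify_hash($row['password'], $password_old)) {`. Note also that the SELECT excludes `location|thing|group` kinds while the UPDATE below does not, which is pre-existing but worth aligning now that both queries sit together. If `$_data_log` is built from `$_data` outside this hunk, confirm that `password_old` is masked there, since it is now logged on the access-denied path; `edit_user_account` and the UPDATE statement continue outside the hunk.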
|