From 0aa5eca1fdd72117a3de2764458ba9288dba0b46 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Sun, 8 Dec 2019 11:36:45 +0100
Subject: [PATCH] Fix bug where 'skins_allowed' option didn't enforce user skin
 preference (#7080)

---
 CHANGELOG                              | 1 +
 config/defaults.inc.php                | 5 +++--
 program/include/rcmail_output_html.php | 6 ++++++
 program/lib/Roundcube/rcube_config.php | 6 ++++++
 4 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 58393edb4..2d627e05e 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -23,6 +23,7 @@ CHANGELOG Roundcube Webmail
 - Fix bug where HTML reply could add an empty line with extra indentation above the original message (#7088)
 - Fix matching multiple X-Forwarded-For addresses with 'proxy_whitelist' (#7107)
 - Fix so displayed maximum attachment size depends also on 'max_message_size' (#7105)
+- Fix bug where 'skins_allowed' option didn't enforce user skin preference (#7080)
 
 RELEASE 1.4.1
 -------------
diff --git a/config/defaults.inc.php b/config/defaults.inc.php
index 5ded7abf7..34fecd0b3 100644
--- a/config/defaults.inc.php
+++ b/config/defaults.inc.php
@@ -1081,10 +1081,11 @@ $config['contact_search_name'] = '{name} <{email}>';
 // Use this charset as fallback for message decoding
 $config['default_charset'] = 'ISO-8859-1';
 
-// skin name: folder from skins/
+// Skin name: folder from skins/
 $config['skin'] = 'elastic';
 
-// limit skins available/shown in the settings section
+// Limit skins available for the user.
+// Note: When not empty, it should include the default skin set in 'skin' option.
 $config['skins_allowed'] = array();
 
 // Enables using standard browser windows (that can be handled as tabs)
diff --git a/program/include/rcmail_output_html.php b/program/include/rcmail_output_html.php
index 891a64d84..0552b89c2 100644
--- a/program/include/rcmail_output_html.php
+++ b/program/include/rcmail_output_html.php
@@ -312,6 +312,12 @@ EOF;
             return false;
         }
 
+        $skins_allowed = $this->config->get('skins_allowed');
+
+        if (!empty($skins_allowed) && !in_array($skin, (array) $skins_allowed)) {
+            return false;
+        }
+
         $path = RCUBE_INSTALL_PATH . 'skins/';
 
         return !empty($skin) && is_dir($path . $skin) && is_readable($path . $skin);
diff --git a/program/lib/Roundcube/rcube_config.php b/program/lib/Roundcube/rcube_config.php
index f46fd1580..5226ac32a 100644
--- a/program/lib/Roundcube/rcube_config.php
+++ b/program/lib/Roundcube/rcube_config.php
@@ -455,6 +455,12 @@ class rcube_config
             $prefs['skin'] = self::DEFAULT_SKIN;
         }
 
+        $skins_allowed = $this->get('skins_allowed');
+
+        if (!empty($prefs['skin']) && !empty($skins_allowed) && !in_array($prefs['skin'], (array) $skins_allowed)) {
+            unset($prefs['skin']);
+        }
+
         $this->userprefs = $prefs;
         $this->prop      = array_merge($this->prop, $prefs);
     }