Password: Fix bug where new users could skip forced password change (#6434)

6 years ago · b7d51573e4
parent c28242f63c
commit b7d51573e4
3 changed files with 18 additions and 3 deletions
--- a/1
+++ b/1
@ -7,6 +7,7 @@ CHANGELOG Roundcube Webmail
 - Managesieve: Added support for 'editheader' extension - RFC5293 (#5954)
 - Password: Added 'modoboa' driver (#6361)
 - Password: Fix bug where password_dovecotpw_with_method setting could be ignored (#6436)
+- Password: Fix bug where new users could skip forced password change (#6434)
 - Elastic: Improved UX of search dialogs (#6416)
 - Elastic: Fix unwanted thread expanding when selecting a collapsed thread in non-mobile mode (#6445)
 - Log errors caused by low pcre.backtrack_limit when sending a mail message (#6433)
--- a/plugins/password/composer.json
+++ b/plugins/password/composer.json
@ -3,7 +3,7 @@
    "type": "roundcube-plugin",
    "description": "Password Change for Roundcube. Plugin adds a possibility to change user password using many methods (drivers) via Settings/Password tab.",
    "license": "GPLv3+",
-    "version": "4.4",
+    "version": "4.5",
    "authors": [
        {
            "name": "Aleksander Machniak",
--- a/plugins/password/password.php
+++ b/plugins/password/password.php
@ -41,7 +41,7 @@ define('PASSWORD_SUCCESS', 0);
 */
 class password extends rcube_plugin
 {
-    public $task    = 'settings|login';
+    public $task    = '?(?!logout).*';
    public $noframe = true;
    public $noajax  = true;

@ -65,7 +65,14 @@ class password extends rcube_plugin
            $this->register_action('plugin.password', array($this, 'password_init'));
            $this->register_action('plugin.password-save', array($this, 'password_save'));
        }
-        else if ($rcmail->config->get('password_force_new_user')) {
+
+        if ($rcmail->config->get('password_force_new_user')) {
+            if ($rcmail->config->get('newuserpassword') && $this->check_host_login_exceptions()) {
+                if (!($rcmail->task == 'settings' && strpos($rcmail->action, 'plugin.password') === 0)) {
+                    $rcmail->output->command('redirect', '?_task=settings&_action=plugin.password&_first=1', false);
+                }
+            }
+
            $this->add_hook('user_create', array($this, 'user_create'));
            $this->add_hook('login_after', array($this, 'login_after'));
        }
@ -179,6 +186,10 @@ class password extends rcube_plugin
                // Reset session password
                $_SESSION['password'] = $rcmail->encrypt($plugin['new_pass']);

+                if ($rcmail->config->get('newuserpassword')) {
+                    $rcmail->user->save_prefs(array('newuserpassword' => false));
+                }
+
                // Log password change
                if ($rcmail->config->get('password_log')) {
                    rcube::write_log('password', sprintf('Password changed for user %s (ID: %d) from %s',
@ -375,6 +386,9 @@ class password extends rcube_plugin
    function login_after($args)
    {
        if ($this->newuser && $this->check_host_login_exceptions()) {
+            $rcmail = rcmail::get_instance();
+            $rcmail->user->save_prefs(array('newuserpassword' => true));
+
            $args['_task']   = 'settings';
            $args['_action'] = 'plugin.password';
            $args['_first']  = 'true';