Password changing must be explicitly enabled now.

Push to 1.1

README.md

@@ -9,6 +9,10 @@ Enable it in your Admin -> Apps section and configure your server's details.
 Currently, it supports most of postfixadmin's encryption options, except dovecot and saslauthd.
 It was tested and developed for a postfixadmin database.
 
+Password changing is disabled by default, but can be enabled in the Admin area.
+Caution: user_sql does not recreate password salts, which imposes a security risk. 
+Password salts should be newly generated whenever the password changes.
+
 Credits
 
   * Johan Hendriks provided his user_postfixadmin

ajax/settings.php

@@ -14,7 +14,7 @@ $l = new OC_L10N('use_sql');
 $params = array('sql_host', 'sql_user', 'sql_database', 'sql_password', 
         'sql_table', 'sql_column_username', 'sql_column_password', 'sql_type', 
         'sql_column_active', 'strip_domain', 'default_domain', 'crypt_type', 
-        'sql_column_displayname', 'domain_settings', 'map_array', 'domain_array');
+        'sql_column_displayname', 'domain_settings', 'map_array', 'domain_array', 'allow_password_change');
 
 if(isset($_POST['appname']) && $_POST['appname'] == "user_sql")
 {
@@ -25,7 +25,12 @@ if(isset($_POST['appname']) && $_POST['appname'] == "user_sql")
             if($param === 'strip_domain')
             {
                 OCP\Config::setAppValue('user_sql', 'strip_domain', true);
-            } else
+            } 
+            elseif($param ==='allow_password_change')
+            {
+                OCP\Config::setAppValue('user_sql', 'allow_password_change', true);
+            }
+            else
             {
                 OCP\Config::setAppValue('user_sql', $param, $_POST[$param]);
             }
@@ -35,6 +40,10 @@ if(isset($_POST['appname']) && $_POST['appname'] == "user_sql")
             {
                 OCP\Config::setAppValue('user_sql', 'strip_domain', false);
             }
+            elseif($param === 'allow_password_change')
+            {
+                OCP\Config::setAppValue('user_sql', 'allow_password_change', false);
+            }
         }
     }
 } else

appinfo/version

@@ -1 +1 @@
-1.0
+1.1

settings.php

@@ -53,6 +53,7 @@ $tmpl -> assign('sql_column_displayname', OCP\Config::getAppValue('user_sql', 's
 $tmpl -> assign('map_array', OCP\Config::getAppValue('user_sql', 'map_array', ''));
 $tmpl -> assign('domain_array', OCP\Config::getAppValue('user_sql', 'domain_array', ''));
 $tmpl -> assign('domain_settings', OCP\Config::getAppValue('user_sql', 'domain_settings', ''));
+$tmpl -> assign('allow_password_change', OCP\Config::getAppValue('user_sql', 'allow_password_change', 0));
 // workaround to detect OC version
 $ocVersion = @reset(OCP\Util::getVersion());
 $tmpl -> assign('ocVersion', $ocVersion);

templates/settings.php

@@ -42,6 +42,10 @@ $cfgClass = $ocVersion >= 7 ? 'section' : 'personalblock';
         <table>
             <tr><td><label for="sql_column_username"><?php echo $l -> t('Username Column'); ?></label></td><td><input type="text" id="sql_column_username" name="sql_column_username" value="<?php echo $_['sql_column_username']; ?>" /></td></tr>
             <tr><td><label for="sql_column_password"><?php echo $l -> t('Password Column'); ?></label></td><td><input type="text" id="sql_column_password" name="sql_column_password" value="<?php echo $_['sql_column_password']; ?>" /></td></tr>
+            <tr><td><label for="sql_allow_password_change"><?php echo $l -> t('Allow password changing (read README!)'); ?></label></td><td><input type="checkbox" id="allow_password_change" name="allow_password_change" value="1"<?php
+            if($_['allow_password_change'])
+                echo ' checked';
+ ?> title="Allow changing passwords. Imposes a security risk as password salts are not recreated"></td></tr>
             <tr><td><label for="sql_column_displayname"><?php echo $l -> t('Real Name Column'); ?></label></td><td><input type="text" id="sql_column_displayname" name="sql_column_displayname" value="<?php echo $_['sql_column_displayname']; ?>" /></td></tr>
             <tr><td><label for="crypt_type"><?php echo $l -> t('Encryption Type'); ?></label></td>
                 <?php $crypt_types = array('md5' => 'MD5', 'md5crypt' => 'MD5 Crypt', 'cleartext' => 'Cleartext', 'mysql_encrypt' => 'mySQL ENCRYPT()', 'system' => 'System (crypt)', 'mysql_password' => 'mySQL PASSWORD()', 'joomla' => 'Joomla MD5 Encryption', 'joomla2' => 'Joomla > 2.5.18 phpass', 'ssha256' => 'Salted SSHA256'); ?>

user_sql.php

@@ -48,6 +48,7 @@ class OC_USER_SQL extends OC_User_Backend implements OC_User_Interface
     protected $domain_settings;
     protected $domain_array;
     protected $map_array;
+    protected $allow_password_change;
 
     public function __construct()
     {
@@ -65,6 +66,7 @@ class OC_USER_SQL extends OC_User_Backend implements OC_User_Interface
         $this -> sql_type = OCP\Config::getAppValue('user_sql', 'sql_type', '');
         $this -> default_domain = OCP\Config::getAppValue('user_sql', 'default_domain', '');
         $this -> strip_domain = OCP\Config::getAppValue('user_sql', 'strip_domain', 0);
+        $this -> allow_password_change = OCP\Config::getAppValue('user_sql', 'allow_password_change', 0);        
         $this -> crypt_type = OCP\Config::getAppValue('user_sql', 'crypt_type', 'md5crypt');
         $this -> domain_settings = OCP\Config::getAppValue('user_sql', 'domain_settings', 'none');
         $this -> domain_array = explode(",", OCP\Config::getAppValue('user_sql', 'domain_array', ''));
@@ -153,7 +155,7 @@ class OC_USER_SQL extends OC_User_Backend implements OC_User_Interface
         // Update the user's password - this might affect other services, that
         // use the same database, as well
         OC_Log::write('OC_USER_SQL', "Entering setPassword for UID: $uid", OC_Log::DEBUG);
-        if(!$this -> db_conn)
+        if(!$this -> db_conn || !$this->allow_password_change)
         {
             return false;
         }