From 432d36c80b2fe065d5eabf3418ee0130a98134e5 Mon Sep 17 00:00:00 2001
From: ralf
Date: Tue, 3 Sep 2024 12:52:33 +0200
Subject: [PATCH] automatic open "Security & password" dialog for SSO logins, if password is required in filemanager
---
 api/src/Vfs/StreamWrapper.php | 17 +++++++++++++++--
 .../inc/class.preferences_password.inc.php | 2 +-
 2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/api/src/Vfs/StreamWrapper.php b/api/src/Vfs/StreamWrapper.php
index 60d092e341..98a1949926 100644
--- a/api/src/Vfs/StreamWrapper.php
+++ b/api/src/Vfs/StreamWrapper.php
@@ -664,15 +664,28 @@ class StreamWrapper extends Base implements StreamWrapperIface
 $this->opened_dir_writable = $this->check_access($this->opened_dir_url,Vfs::WRITABLE);
 // check our fstab if we need to add some of the mountpoints
 $basepath = Vfs::parse_url($path,PHP_URL_PATH);
- foreach(array_keys(self::$fstab) as $mounted)
+ foreach(self::$fstab as $mounted => $url)
 {
+ $access = null;
 if (((Vfs::dirname($mounted) == $basepath || Vfs::dirname($mounted).'/' == $basepath) && $mounted != '/') &&
 // only return children readable by the user, if dir is not writable
 (!self::HIDE_UNREADABLES || $this->opened_dir_writable ||
- $this->check_access($mounted,Vfs::READABLE)))
+ ($access=$this->check_access($mounted,Vfs::READABLE))))
 {
 $this->extra_dirs[] = Vfs::basename($mounted);
 }
+ // if there is no password in the session, but it's required for that mount-point, and
+ // admin enabled storing passwords for SSO --> open "Security & password" popup so user can enter it
+ elseif ($access === false && !empty($GLOBALS['egw_info']['server']['store_password_for_sso']) &&
+ strpos($url, '$user:$pass') !== false && empty($GLOBALS['egw']->session->passwd) &&
+ Api\Json\Request::isJSONRequest())
+ {
+ Api\Cache::getSession(__CLASS__, 'no-session-password', static function()
+ {
+ Api\Json\Response::get()->apply('egw.open_link', ['preferences.preferences_password.change', '_blank', '850x580', null, true]);
+ return true;
+ });
+ }
 }
diff --git a/preferences/inc/class.preferences_password.inc.php b/preferences/inc/class.preferences_password.inc.php
index 670395f407..90fea2220b 100644
--- a/preferences/inc/class.preferences_password.inc.php
+++ b/preferences/inc/class.preferences_password.inc.php
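Review bot: The new `elseif` can only fire when `check_access($mounted,Vfs::READABLE)` was actually evaluated, and the `||` chain skips that call whenever `HIDE_UNREADABLES` is off or `$this->opened_dir_writable` is true, so in a writable parent directory the mount is listed and `$access` stays `null` without any prompt. If that is intended, a comment next to `$access = null;` would make the dependency on short-circuit evaluation visible, e.g. `// stays null if check_access() is skipped below; the password popup needs an explicit false`. The strict `$access === false` also assumes `check_access()` returns a real boolean on denial, which is not visible in this hunk, and a `false` result cannot by itself tell a missing session password from a mount the user is simply not allowed to read, so some users may be asked for their password without gaining access. The enclosing method begins and ends outside the hunk.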
@@ -67,7 +67,7 @@ class preferences_password
 unset($content['2fa']['secret_key']);
 // check user password for everything but password change, where it will be checked anyway
- $auth = new Api\Auth();
+ $auth = new Api\Auth($GLOBALS['egw_info']['server']['auth_type'] ?? $GLOBALS['egw_info']['server']['account_repository'] ?? 'sql');
 if ($content['tabs'] !== 'change_password' &&
 !$auth->authenticate($GLOBALS['egw_info']['user']['account_lid'], $content['password']))
 {
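Review bot: The backend for this password re-check is selected with `??`, which falls through only on unset or null, so an `auth_type` that is configured but empty would be handed to `Api\Auth` unchanged instead of falling back to `account_repository` or `'sql'`; how the constructor treats an empty type is not visible here. Because this check guards every tab of the dialog except the password change, the line deserves a comment stating why the backend is pinned, for example `// verify against the configured password backend; the default Auth() may pick the SSO one` (inferred from the commit title, to be confirmed). If the same fallback chain exists elsewhere in the code base, a shared helper would keep the copies from drifting apart. The enclosing method begins and ends outside the hunk.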