From e2529ea8a3ba3d964589580bdb8317eadc0591f4 Mon Sep 17 00:00:00 2001
From: Ralf Becker <RalfBecker@outdoor-training.de>
Date: Wed, 11 Sep 2019 12:15:23 +0200
Subject: [PATCH] * Preferences: always show Security & Password popup, only
 disable password tab, if no rights to change it

---
 api/src/Framework.php                         | 48 ++++++++++++-------
 .../inc/class.preferences_password.inc.php    | 14 +++---
 preferences/lang/egw_de.lang                  |  8 ++--
 preferences/lang/egw_en.lang                  |  1 +
 preferences/templates/default/config.xet      |  4 ++
 preferences/templates/mobile/app.css          | 22 +++++++++
 6 files changed, 70 insertions(+), 27 deletions(-)

diff --git a/api/src/Framework.php b/api/src/Framework.php
index a6f7a32ed6..6f774e09cd 100644
--- a/api/src/Framework.php
+++ b/api/src/Framework.php
@@ -1155,20 +1155,9 @@ abstract class Framework extends Framework\Extra
 			$this->add_preferences_topmenu('prefs');
 			$this->add_preferences_topmenu('acl');
 			$this->add_preferences_topmenu('cats');
+			$this->add_preferences_topmenu('security');
 		}
 
-		// allways display password in topmenu, if user has rights to change it
-		if ($GLOBALS['egw_info']['user']['apps']['preferences'] &&
-			!$GLOBALS['egw']->acl->check('nopasswordchange', 1, 'preferences'))
-		{
-			$this->_add_topmenu_item(array(
-				'id'    => 'password',
-				'name'  => 'preferences',
-				'title' => lang('Security & Password'),
-				'url'   => "javascript:egw.open_link('".
-					self::link('/index.php?menuaction=preferences.preferences_password.change')."','_blank','850x580')",
-			));
-		}
 		/* disable help until content is reworked
 		if($GLOBALS['egw_info']['user']['apps']['manual'] && isset($apps['manual']))
 		{
@@ -1224,6 +1213,10 @@ abstract class Framework extends Framework\Extra
 				'hook' => 'categories',
 				'run_hook' => true,	// acturally run hook, not just look it's implemented
 			),
+			'security' => array(
+				'title' => 'Security & Password',
+				'hook' => 'preferences_security',
+			),
 		);
 		if (!$GLOBALS['egw_info']['user']['apps']['preferences'] || $GLOBALS['egw_info']['server']['deny_'.$type] &&
 			array_intersect($memberships, (array)$GLOBALS['egw_info']['server']['deny_'.$type]) &&
@@ -1244,12 +1237,31 @@ abstract class Framework extends Framework\Extra
 		{
 			$apps = Hooks::implemented($types[$type]['hook']);
 		}
-		$this->_add_topmenu_item(array(
-			'id' => $type,
-			'name' => 'preferences',
-			'title' => lang($types[$type]['title']),
-			'url' => "javascript:egw.show_preferences(\"$type\",".json_encode($apps).')',
-		));
+		// allways display password in topmenu, if user has rights to change it
+		switch ($type)
+		{
+			case 'security':
+				if ($apps || $GLOBALS['egw_info']['server']['2fa_required'] !== 'disabled' ||
+					!$GLOBALS['egw']->acl->check('nopasswordchange', 1))
+				{
+					$this->_add_topmenu_item(array(
+						'id'    => 'password',
+						'name'  => 'preferences',
+						'title' => lang($types[$type]['title']),
+						'url'   => "javascript:egw.open_link('".
+							self::link('/index.php?menuaction=preferences.preferences_password.change')."','_blank','850x580')",
+					));
+				}
+				break;
+
+			default:
+				$this->_add_topmenu_item(array(
+					'id' => $type,
+					'name' => 'preferences',
+					'title' => lang($types[$type]['title']),
+					'url' => "javascript:egw.show_preferences(\"$type\",".json_encode($apps).')',
+				));
+		}
 	}
 
 	/**
diff --git a/preferences/inc/class.preferences_password.inc.php b/preferences/inc/class.preferences_password.inc.php
index ab9feff8fa..681928cc9c 100644
--- a/preferences/inc/class.preferences_password.inc.php
+++ b/preferences/inc/class.preferences_password.inc.php
@@ -35,11 +35,7 @@ class preferences_password
 	 */
 	function change($content = null)
 	{
-		if ($GLOBALS['egw']->acl->check('nopasswordchange', 1))
-		{
-			Framework::window_close('Password change is disabled!');
-		}
-		$GLOBALS['egw_info']['flags']['app_header'] = lang('Change your password');
+		$GLOBALS['egw_info']['flags']['app_header'] = lang('Security & Password');
 		$tmpl = new Etemplate('preferences.password');
 
 		$readonlys = $sel_options = [];
@@ -78,7 +74,7 @@ class preferences_password
 					switch($content['tabs'])
 					{
 						case 'change_password':
-							if ($content['button']['save'])
+							if ($GLOBALS['egw']->acl->check('nopasswordchange', 1) && $content['button']['save'])
 							{
 								if (($errors = self::do_change($content['password'], $content['n_passwd'], $content['n_passwd_2'])))
 								{
@@ -159,6 +155,12 @@ class preferences_password
 			$readonlys['tabs']['two_factor_auth'] = true;
 		}
 
+		// disable password change, if user has not right to change it
+		if ($GLOBALS['egw']->acl->check('nopasswordchange', 1))
+		{
+			$readonlys['tabs']['change_password'] = true;
+		}
+
 		$preserve = [
 			'2fa' => $content['2fa']+[
 				'secret_key' => $secret_key,
diff --git a/preferences/lang/egw_de.lang b/preferences/lang/egw_de.lang
index 76edf91a62..b55355d5d0 100644
--- a/preferences/lang/egw_de.lang
+++ b/preferences/lang/egw_de.lang
@@ -39,9 +39,10 @@ default font	preferences	de	Standard-Schrift
 default font size	preferences	de	Standard-Schriftgröße
 default preferences	preferences	de	Voreinstellungen
 delete categories	preferences	de	Kategorie löschen
-deny following groups access to acl (grant access)	admin	de	verweigere folgenden Gruppen den Zugriff in den ACL's
-deny following groups access to edit categories	admin	de	verweigere folgenden Gruppen den Zugriff zum Ändern der Kategorien
-deny following groups access to preferences	admin	de	verweigere folgenden Gruppen den Zugang zu den Einstellungen
+deny following groups access to acl (grant access)	admin	de	Verweigere folgenden Gruppen den Zugriff in den ACL's
+deny following groups access to edit categories	admin	de	Verweigere folgenden Gruppen den Zugriff zum Ändern der Kategorien
+deny following groups access to preferences	admin	de	Verweigere folgenden Gruppen den Zugriff zu den Einstellungen
+deny following groups access to security popup	admin	de	Verweigere folgenden Gruppen den Zugriff auf das Popup Sicherheit
 description can not exceed 255 characters in length !	preferences	de	Die Beschreibung darf nicht länger als 255 Zeichen sein !
 disable	preferences	de	Deaktivieren
 disable two factor auth	preferences	de	2-Faktor-Authentifizierung deaktivieren
@@ -145,6 +146,7 @@ selectbox with groupmembers	common	de	Auswahlbox mit Gruppenmitgliedern
 selectbox with primary group and search	preferences	de	Auswahlfeld mit primärer Gruppe und Suche
 server is unwilling to perform.	preferences	de	Server ist unwillig die Änderung auszuführen.
 set this to your convenience. for security reasons, you might not want to show your loginname in public.	preferences	de	Stellen Sie das nach Ihren Vorlieben ein. Aus Sicherheitsgründen sollte der Benutzername nicht in der Öffentlichkeit gezeigt werden.
+settings	preferences	de	Einstellungen
 setup two factor authentication	preferences	de	Setup 2-Faktor-Authentifizierung
 should the number of active sessions be displayed for you all the time.	preferences	de	Zeigt die Anzahl aktiver Sitzungen permanent unten rechts an.
 should this help messages shown up always, when you enter the preferences or only on request.	preferences	de	Sollen die Hilfetexte immer angezeigt werden, wenn Sie die Einstellungen aufrufen oder nur auf Anforderung?
diff --git a/preferences/lang/egw_en.lang b/preferences/lang/egw_en.lang
index 95dca29bc8..3b75cb51c9 100644
--- a/preferences/lang/egw_en.lang
+++ b/preferences/lang/egw_en.lang
@@ -42,6 +42,7 @@ delete categories	preferences	en	Delete categories
 deny following groups access to acl (grant access)	admin	en	Deny following groups access to ACL (grant access)
 deny following groups access to edit categories	admin	en	Deny following groups access to edit categories
 deny following groups access to preferences	admin	en	Deny following groups access to preferences
+deny following groups access to security popup	admin	en	Deny following groups access to security popup
 description can not exceed 255 characters in length !	preferences	en	Description can not exceed 255 characters in length !
 disable	preferences	en	Disable
 disable two factor auth	preferences	en	Disable Two Factor Auth
diff --git a/preferences/templates/default/config.xet b/preferences/templates/default/config.xet
index b40c9b3ac8..c8e739f053 100644
--- a/preferences/templates/default/config.xet
+++ b/preferences/templates/default/config.xet
@@ -21,6 +21,10 @@
 					<description value="Deny following groups access to edit categories" label="%s:"/>
 					<select-account id="newsettings[deny_cats]" account_type="groups" multiple="true" tags="true" width="100%"/>
 				</row>
+				<row>
+					<description value="Deny following groups access to security popup" label="%s:"/>
+					<select-account id="newsettings[deny_security]" account_type="groups" multiple="true" tags="true" width="100%"/>
+				</row>
 			</rows>
 		</grid>
 	</template>
diff --git a/preferences/templates/mobile/app.css b/preferences/templates/mobile/app.css
index f1a1261403..53a344b268 100644
--- a/preferences/templates/mobile/app.css
+++ b/preferences/templates/mobile/app.css
@@ -103,6 +103,28 @@ textarea.prefValue {
 #preferences_settings_country_chzn {
   width: 49% !important;
 }
+/**
+ * 2FA setup
+ */
+.securityHeader {
+  margin-top: 1em;
+  font-size: 120%;
+}
+img.qrCode {
+  position: relative;
+  left: -14px;
+}
+.toptApp {
+  display: list-item !important;
+  list-style-type: disc;
+  list-style-position: inside;
+  white-space: nowrap;
+}
+.toptStatus {
+  margin-top: 1em;
+  font-style: italic;
+  font-size: 120%;
+}
 .prefHelp {
   width: 100%;
   height: 60px;