From 00f07ef533d6aaa4188f59eecb44132610840f34 Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Tue, 29 Nov 2022 13:25:50 +0100
Subject: [PATCH] close #2451: prevent an auth-loop on webmails

---
 core/admin/mailu/internal/nginx.py  | 6 ++++--
 towncrier/newsfragments/2451.bugfix | 1 +
 2 files changed, 5 insertions(+), 2 deletions(-)
 create mode 100644 towncrier/newsfragments/2451.bugfix

diff --git a/core/admin/mailu/internal/nginx.py b/core/admin/mailu/internal/nginx.py
index 43e4dd6a..5b321ad3 100644
--- a/core/admin/mailu/internal/nginx.py
+++ b/core/admin/mailu/internal/nginx.py
@@ -26,12 +26,14 @@ STATUSES = {
     }),
 }
 
+WEBMAIL_PORTS = ['10143', '10025']
+
 def check_credentials(user, password, ip, protocol=None, auth_port=None):
-    if not user or not user.enabled or (protocol == "imap" and not user.enable_imap) or (protocol == "pop3" and not user.enable_pop):
+    if not user or not user.enabled or (protocol == "imap" and not user.enable_imap and not auth_port in WEBMAIL_PORTS) or (protocol == "pop3" and not user.enable_pop):
         return False
     is_ok = False
     # webmails
-    if auth_port in ['10143', '10025'] and password.startswith('token-'):
+    if auth_port in WEBMAIL_PORTS and password.startswith('token-'):
         if utils.verify_temp_token(user.get_id(), password):
             is_ok = True
     # All tokens are 32 characters hex lowercase
diff --git a/towncrier/newsfragments/2451.bugfix b/towncrier/newsfragments/2451.bugfix
new file mode 100644
index 00000000..d7e821ea
--- /dev/null
+++ b/towncrier/newsfragments/2451.bugfix
@@ -0,0 +1 @@
+Fix a bug preventing users without IMAP access to access the webmails