From db0f007afd62e5087e05bc69bd2ccb8d48c8f261 Mon Sep 17 00:00:00 2001
From: Quentin Gliech
Date: Fri, 29 Mar 2024 14:40:57 +0100
Subject: [PATCH] Prevent password changes if disabled

---
 crates/handlers/src/views/account/password.rs | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/crates/handlers/src/views/account/password.rs b/crates/handlers/src/views/account/password.rs
index 954d2fae..1dbd0d04 100644
--- a/crates/handlers/src/views/account/password.rs
+++ b/crates/handlers/src/views/account/password.rs
@@ -23,7 +23,7 @@ use mas_axum_utils::{
 csrf::{CsrfExt, ProtectedForm},
 FancyError, SessionInfoExt,
 };
-use mas_data_model::BrowserSession;
+use mas_data_model::{BrowserSession, SiteConfig};
 use mas_i18n::DataLocale;
 use mas_policy::Policy;
 use mas_router::UrlBuilder;
@@ -51,14 +51,14 @@ pub(crate) async fn get(
 clock: BoxClock,
 PreferredLanguage(locale): PreferredLanguage,
 State(templates): State,
- State(password_manager): State,
+ State(site_config): State,
 activity_tracker: BoundActivityTracker,
 State(url_builder): State,
 mut repo: BoxRepository,
 cookie_jar: CookieJar,
 ) -> Result {
 // If the password manager is disabled, we can go back to the account page.
- if !password_manager.is_enabled() {
+ if !site_config.password_change_allowed {
 return Ok(url_builder
 .redirect(&mas_router::Account::default())
 .into_response());
@@ -106,6 +106,7 @@ pub(crate) async fn post(
 clock: BoxClock,
 PreferredLanguage(locale): PreferredLanguage,
 State(password_manager): State,
+ State(site_config): State,
 State(templates): State,
 activity_tracker: BoundActivityTracker,
 State(url_builder): State,
@@ -114,7 +115,7 @@ pub(crate) async fn post(
 cookie_jar: CookieJar,
 Form(form): Form>,
 ) -> Result {
- if !password_manager.is_enabled() {
+ if !site_config.password_change_allowed {
 // XXX: do something better here
 return Ok(StatusCode::METHOD_NOT_ALLOWED.into_response());
 }
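Review bot: Both handlers now depend on `site_config.password_change_allowed` being false whenever the password manager is disabled, because the guards in `get` here and in `post` (last hunk) drop `password_manager.is_enabled()`; how that flag is derived is not visible in this patch. `post` still extracts `password_manager`, so the state-changing path could keep both conditions as defence in depth: `if !site_config.password_change_allowed || !password_manager.is_enabled() {`. The context comment above the `get` guard still describes the old check and would read better as `// If password changes are not allowed, go back to the account page.`. Both handler bodies continue outside the hunks.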
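Review bot: The refusal branch in `post` answers with `StatusCode::METHOD_NOT_ALLOWED`, which misdescribes the condition (POST is a routed method here, and a 405 is expected to carry an `Allow` header) and is inconsistent with `get`, which redirects to the account page. `url_builder` is already extracted in `post`, so the branch could mirror `get` with `return Ok(url_builder.redirect(&mas_router::Account::default()).into_response());`, or return `StatusCode::FORBIDDEN` if a hard refusal is preferred. Either choice would let the `// XXX: do something better here` comment be dropped. The rest of `post` lies outside the hunk.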