From 728a6d56f48175c9b847f1e2e0fbe00104695126 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philipp=20Sch=C3=BCle?= <p.schuele@metaways.de>
Date: Mon, 17 Feb 2025 13:52:57 +0100
Subject: [PATCH] fix(Tinebase/EmailUser): allow user email update if not
 managed

... by checking the config in Tinebase_EmailUser::checkDomain

-> we now require that imap with system users is configured to reject invalid domains
---
 tests/tine20/Admin/Frontend/Json/UserTest.php |  3 ++-
 tine20/Tinebase/EmailUser.php                 |  9 ++++++++-
 tine20/Tinebase/User/Sql.php                  | 12 +++++++++---
 3 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/tests/tine20/Admin/Frontend/Json/UserTest.php b/tests/tine20/Admin/Frontend/Json/UserTest.php
index eb945ea14ae..3be2d50625c 100644
--- a/tests/tine20/Admin/Frontend/Json/UserTest.php
+++ b/tests/tine20/Admin/Frontend/Json/UserTest.php
@@ -583,7 +583,8 @@ public function testExternalDomainInUserAccountCreate()
         $userArray = $user->toArray();
         $updatedUser = $this->_json->saveUser($userArray);
         self::assertEquals($userArray['accountEmailAddress'], $updatedUser['accountEmailAddress']);
-        self::assertFalse(isset($updatedUser['xprops']['emailUserIdImap']), print_r($updatedUser['xprops'], true));
+        self::assertFalse(isset($updatedUser['xprops']['emailUserIdImap']),
+            'user should no longer have email xprops:' . print_r($updatedUser['xprops'], true));
     }
 
     /**
diff --git a/tine20/Tinebase/EmailUser.php b/tine20/Tinebase/EmailUser.php
index f661cd20e6f..eadb148745d 100644
--- a/tine20/Tinebase/EmailUser.php
+++ b/tine20/Tinebase/EmailUser.php
@@ -494,7 +494,14 @@ public static function checkDomain(
         $_throwException = false,
         $_allowedDomains = null,
         $_includeAdditional = false
-    ) {
+    ): bool
+    {
+        if (!Tinebase_EmailUser::manages(Tinebase_Config::IMAP) ||
+            !Tinebase_Config::getInstance()->{Tinebase_Config::IMAP}->{Tinebase_Config::IMAP_USE_SYSTEM_ACCOUNT}
+        ) {
+            return true;
+        }
+
         $result = true;
         $allowedDomains = $_allowedDomains ?: self::getAllowedDomains(null, $_includeAdditional);
 
diff --git a/tine20/Tinebase/User/Sql.php b/tine20/Tinebase/User/Sql.php
index 790a54421b1..81924f6defd 100644
--- a/tine20/Tinebase/User/Sql.php
+++ b/tine20/Tinebase/User/Sql.php
@@ -1079,7 +1079,8 @@ public function updateUserInSqlBackend(Tinebase_Model_FullUser $_user, bool $_ge
         }
 
         if (Tinebase_EmailUser::manages(Tinebase_Config::IMAP)
-            && ! Tinebase_Config::getInstance()->get(Tinebase_Config::IMAP)->allowExternalEmail) {
+            && ! Tinebase_Config::getInstance()->get(Tinebase_Config::IMAP)->allowExternalEmail
+        ) {
             Tinebase_EmailUser::checkDomain($_user->accountEmailAddress,
                 true,
                 null,
@@ -1202,8 +1203,13 @@ public function addPluginUser($addedUser, $newUserProperties)
      */
     public function addUserInSqlBackend(Tinebase_Model_FullUser $_user)
     {
-        Tinebase_Config::getInstance()->get(Tinebase_Config::IMAP)->allowExternalEmail
-            || Tinebase_EmailUser::checkDomain($_user->accountEmailAddress, true, null, true);
+        if (Tinebase_EmailUser::manages(Tinebase_Config::IMAP)
+            && ! Tinebase_Config::getInstance()->get(Tinebase_Config::IMAP)->allowExternalEmail) {
+            Tinebase_EmailUser::checkDomain($_user->accountEmailAddress,
+                true,
+                null,
+                true);
+        }
 
         $_user->isValid(TRUE);