Merge pull request #4303 from nextcloud/enforce-password-mailshare

allow admin to enforce password on mail shares
9 years ago · a4086a6ec5
15 changed files with 355 additions and 51 deletions
--- a/apps/sharebymail/css/settings-admin.css
+++ b/apps/sharebymail/css/settings-admin.css
@ -0,0 +1,3 @@
+#ncShareByMailSettings p {
+	padding-top: 10px;
+}
--- a/apps/sharebymail/js/settings-admin.js
+++ b/apps/sharebymail/js/settings-admin.js
@ -24,7 +24,15 @@ $(function() {
 		if ($(this).is(':checked')) {
 			status = 'yes';
 		}
-		OC.AppConfig.setValue('sharebymail', 'sendpasswordmail', status);
+		OCP.AppConfig.setValue('sharebymail', 'sendpasswordmail', status);
+	});
+
+	$('#enforcePasswordProtection').on('change', function() {
+		var status = 'no';
+		if ($(this).is(':checked')) {
+			status = 'yes';
+		}
+		OCP.AppConfig.setValue('sharebymail', 'enforcePasswordProtection', status);
 	});

 });
--- a/apps/sharebymail/lib/Activity.php
+++ b/apps/sharebymail/lib/Activity.php
@ -58,6 +58,8 @@ class Activity implements IProvider {

 	const SUBJECT_SHARED_EMAIL_SELF = 'shared_with_email_self';
 	const SUBJECT_SHARED_EMAIL_BY = 'shared_with_email_by';
+	const SUBJECT_SHARED_EMAIL_PASSWORD_SEND = 'shared_with_email_password_send';
+	const SUBJECT_SHARED_EMAIL_PASSWORD_SEND_SELF = 'shared_with_email_password_send_self';

 	/**
 	 * @param IFactory $languageFactory
@ -119,15 +121,26 @@ class Activity implements IProvider {
 				->setIcon($this->url->getAbsoluteURL($this->url->imagePath('core', 'actions/share.svg')));
 		} else if ($event->getSubject() === self::SUBJECT_SHARED_EMAIL_BY) {
 			$event->setParsedSubject($this->l->t('Shared with %1$s by %2$s', [
-					$parsedParameters['email']['name'],
-					$parsedParameters['actor']['name'],
-				]))
+				$parsedParameters['email']['name'],
+				$parsedParameters['actor']['name'],
+			]))
 				->setRichSubject($this->l->t('Shared with {email} by {actor}'), [
 					'email' => $parsedParameters['email'],
 					'actor' => $parsedParameters['actor'],
 				])
 				->setIcon($this->url->getAbsoluteURL($this->url->imagePath('core', 'actions/share.svg')));
-
+		} else if ($event->getSubject() === self::SUBJECT_SHARED_EMAIL_PASSWORD_SEND) {
+			$event->setParsedSubject($this->l->t('Password for mail share send to %1$s', [
+				$parsedParameters['email']['name']
+			]))
+				->setRichSubject($this->l->t('Password for mail share send to {email}'), [
+					'email' => $parsedParameters['email']
+				])
+				->setIcon($this->url->getAbsoluteURL($this->url->imagePath('core', 'actions/share.svg')));
+		} else if ($event->getSubject() === self::SUBJECT_SHARED_EMAIL_PASSWORD_SEND_SELF) {
+			$event->setParsedSubject($this->l->t('Password for mail share send to you'))
+				->setRichSubject($this->l->t('Password for mail share send to you'))
+				->setIcon($this->url->getAbsoluteURL($this->url->imagePath('core', 'actions/share.svg')));
 		} else {
 			throw new \InvalidArgumentException();
 		}
@ -153,12 +166,26 @@ class Activity implements IProvider {
 				->setIcon($this->url->getAbsoluteURL($this->url->imagePath('core', 'actions/share.svg')));
 		} else if ($event->getSubject() === self::SUBJECT_SHARED_EMAIL_BY) {
 			$event->setParsedSubject($this->l->t('%3$s shared %1$s with %2$s by mail', [
-					$parsedParameters['file']['path'],
-					$parsedParameters['email']['name'],
-					$parsedParameters['actor']['name'],
-				]))
+				$parsedParameters['file']['path'],
+				$parsedParameters['email']['name'],
+				$parsedParameters['actor']['name'],
+			]))
 				->setRichSubject($this->l->t('{actor} shared {file} with {email} by mail'), $parsedParameters)
 				->setIcon($this->url->getAbsoluteURL($this->url->imagePath('core', 'actions/share.svg')));
+		} else if ($event->getSubject() === self::SUBJECT_SHARED_EMAIL_PASSWORD_SEND) {
+			$event->setParsedSubject($this->l->t('Password to access %1$s was send to %2s', [
+				$parsedParameters['file']['path'],
+				$parsedParameters['email']['name']
+			]))
+				->setRichSubject($this->l->t('Password to access {file} was send to {email}'), $parsedParameters)
+				->setIcon($this->url->getAbsoluteURL($this->url->imagePath('core', 'actions/share.svg')));
+		} else if ($event->getSubject() === self::SUBJECT_SHARED_EMAIL_PASSWORD_SEND_SELF) {
+			$event->setParsedSubject(
+				$this->l->t('Password to access %1$s was send to you',
+					[$parsedParameters['file']['path']]))
+				->setRichSubject($this->l->t('Password to access {file} was send to you'), $parsedParameters)
+				->setIcon($this->url->getAbsoluteURL($this->url->imagePath('core', 'actions/share.svg')));
+
 		} else {
 			throw new \InvalidArgumentException();
 		}
@ -182,6 +209,15 @@ class Activity implements IProvider {
 					'email' => $this->generateEmailParameter($parameters[1]),
 					'actor' => $this->generateUserParameter($parameters[2]),
 				];
+			case self::SUBJECT_SHARED_EMAIL_PASSWORD_SEND:
+				return [
+					'file' => $this->generateFileParameter((int) $event->getObjectId(), $parameters[0]),
+					'email' => $this->generateEmailParameter($parameters[1]),
+				];
+			case self::SUBJECT_SHARED_EMAIL_PASSWORD_SEND_SELF:
+				return [
+					'file' => $this->generateFileParameter((int) $event->getObjectId(), $parameters[0]),
+				];
 		}
 		throw new \InvalidArgumentException();
 	}
--- a/apps/sharebymail/lib/AppInfo/Application.php
+++ b/apps/sharebymail/lib/AppInfo/Application.php
@ -32,7 +32,8 @@ class Application extends App {
 	public function __construct(array $urlParams = array()) {
 		parent::__construct('sharebymail', $urlParams);

-		$settings = new Settings();
+		$settingsManager = \OC::$server->query(Settings\SettingsManager::class);
+		$settings = new Settings($settingsManager);

 		/** register capabilities */
 		$container = $this->getContainer();
@ -40,6 +41,7 @@ class Application extends App {

 		/** register hooks */
 		Util::connectHook('\OCP\Config', 'js', $settings, 'announceShareProvider');
+		Util::connectHook('\OCP\Config', 'js', $settings, 'announceShareByMailSettings');
 	}

 }
--- a/apps/sharebymail/lib/Settings.php
+++ b/apps/sharebymail/lib/Settings.php
@ -23,8 +23,17 @@
 namespace OCA\ShareByMail;


+use OCA\ShareByMail\Settings\SettingsManager;
+
 class Settings {

+	/** @var SettingsManager */
+	private $settingsManager;
+
+	public function __construct(SettingsManager $settingsManager) {
+		$this->settingsManager = $settingsManager;
+	}
+
 	/**
 	 * announce that the share-by-mail share provider is enabled
 	 *
@ -35,4 +44,10 @@ class Settings {
 		$array['shareByMailEnabled'] = true;
 		$settings['array']['oc_appconfig'] = json_encode($array);
 	}
+
+	public function announceShareByMailSettings(array $settings) {
+		$array = json_decode($settings['array']['oc_appconfig'], true);
+		$array['shareByMail']['enforcePasswordProtection'] = $this->settingsManager->enforcePasswordProtection();
+		$settings['array']['oc_appconfig'] = json_encode($array);
+	}
 }
--- a/apps/sharebymail/lib/Settings/Admin.php
+++ b/apps/sharebymail/lib/Settings/Admin.php
@ -40,7 +40,8 @@ class Admin implements ISettings {
 	public function getForm() {

 		$parameters = [
-			'sendPasswordMail' => $this->settingsManager->sendPasswordByMail()
+			'sendPasswordMail' => $this->settingsManager->sendPasswordByMail(),
+			'enforcePasswordProtection' => $this->settingsManager->enforcePasswordProtection()
 		];

 		return new TemplateResponse('sharebymail', 'settings-admin', $parameters, '');
--- a/apps/sharebymail/lib/Settings/SettingsManager.php
+++ b/apps/sharebymail/lib/Settings/SettingsManager.php
@ -30,7 +30,9 @@ class SettingsManager {
 	/** @var IConfig */
 	private $config;

-	private $defaultSetting = 'yes';
+	private $sendPasswordByMailDefault = 'yes';
+
+	private $enforcePasswordProtectionDefault = 'no';

 	public function __construct(IConfig $config) {
 		$this->config = $config;
@ -42,8 +44,18 @@ class SettingsManager {
 	 * @return bool
 	 */
 	public function sendPasswordByMail() {
-		$sendPasswordByMail = $this->config->getAppValue('sharebymail', 'sendpasswordmail', $this->defaultSetting);
+		$sendPasswordByMail = $this->config->getAppValue('sharebymail', 'sendpasswordmail', $this->sendPasswordByMailDefault);
 		return $sendPasswordByMail === 'yes';
 	}

+	/**
+	 * do we require a share by mail to be password protected
+	 *
+	 * @return bool
+	 */
+	public function enforcePasswordProtection() {
+		$enforcePassword = $this->config->getAppValue('sharebymail', 'enforcePasswordProtection', $this->enforcePasswordProtectionDefault);
+		return $enforcePassword === 'yes';
+	}
+
 }
--- a/apps/sharebymail/lib/ShareByMailProvider.php
+++ b/apps/sharebymail/lib/ShareByMailProvider.php
@ -21,6 +21,7 @@

 namespace OCA\ShareByMail;

+use OC\CapabilitiesManager;
 use OC\HintException;
 use OC\Share20\Exception\InvalidShare;
 use OCA\ShareByMail\Settings\SettingsManager;
@ -37,12 +38,12 @@ use OCP\IURLGenerator;
 use OCP\IUser;
 use OCP\IUserManager;
 use OCP\Mail\IMailer;
+use OCP\Security\IHasher;
 use OCP\Security\ISecureRandom;
 use OC\Share20\Share;
 use OCP\Share\Exceptions\ShareNotFound;
 use OCP\Share\IShare;
 use OCP\Share\IShareProvider;
-use OCP\Template;

 /**
 * Class ShareByMail
@ -84,6 +85,12 @@ class ShareByMailProvider implements IShareProvider {
 	/** @var Defaults */
 	private $defaults;

+	/** @var IHasher */
+	private $hasher;
+
+	/** @var  CapabilitiesManager */
+	private $capabilitiesManager;
+
 	/**
 	 * Return the identifier of this provider.
 	 *
@ -107,6 +114,8 @@ class ShareByMailProvider implements IShareProvider {
 	 * @param IManager $activityManager
 	 * @param SettingsManager $settingsManager
 	 * @param Defaults $defaults
+	 * @param IHasher $hasher
+	 * @param CapabilitiesManager $capabilitiesManager
 	 */
 	public function __construct(
 		IDBConnection $connection,
@ -119,7 +128,9 @@ class ShareByMailProvider implements IShareProvider {
 		IURLGenerator $urlGenerator,
 		IManager $activityManager,
 		SettingsManager $settingsManager,
-		Defaults $defaults
+		Defaults $defaults,
+		IHasher $hasher,
+		CapabilitiesManager $capabilitiesManager
 	) {
 		$this->dbConnection = $connection;
 		$this->secureRandom = $secureRandom;
@ -132,6 +143,8 @@ class ShareByMailProvider implements IShareProvider {
 		$this->activityManager = $activityManager;
 		$this->settingsManager = $settingsManager;
 		$this->defaults = $defaults;
+		$this->hasher = $hasher;
+		$this->capabilitiesManager = $capabilitiesManager;
 	}

 	/**
@ -156,19 +169,80 @@ class ShareByMailProvider implements IShareProvider {
 			throw new \Exception($message_t);
 		}

+		// if the admin enforces a password for all mail shares we create a
+		// random password and send it to the recipient
+		$password = '';
+		$passwordEnforced = $this->settingsManager->enforcePasswordProtection();
+		if ($passwordEnforced) {
+			$password = $this->autoGeneratePassword($share);
+		}
+
 		$shareId = $this->createMailShare($share);
-		$this->createActivity($share);
+		$send = $this->sendPassword($share, $password);
+		if ($passwordEnforced && $send === false) {
+			$this->sendPasswordToOwner($share, $password);
+		}
+
+		$this->createShareActivity($share);
 		$data = $this->getRawShare($shareId);
+
 		return $this->createShareObject($data);

 	}

+	/**
+	 * auto generate password in case of password enforcement on mail shares
+	 *
+	 * @param IShare $share
+	 * @return string
+	 * @throws \Exception
+	 */
+	protected function autoGeneratePassword($share) {
+		$initiatorUser = $this->userManager->get($share->getSharedBy());
+		$initiatorEMailAddress = ($initiatorUser instanceof IUser) ? $initiatorUser->getEMailAddress() : null;
+		$allowPasswordByMail = $this->settingsManager->sendPasswordByMail();
+
+		if ($initiatorEMailAddress === null && !$allowPasswordByMail) {
+			throw new \Exception(
+				$this->l->t("We can't send you the auto-generated password. Please set a valid email address in your personal settings and try again.")
+			);
+		}
+
+		$passwordPolicy = $this->getPasswordPolicy();
+		$passwordCharset = ISecureRandom::CHAR_LOWER . ISecureRandom::CHAR_UPPER . ISecureRandom::CHAR_DIGITS;
+		$passwordLength = 8;
+		if (!empty($passwordPolicy)) {
+			$passwordLength = (int)$passwordPolicy['minLength'] > 0 ? (int)$passwordPolicy['minLength'] : $passwordLength;
+			$passwordCharset .= $passwordPolicy['enforceSpecialCharacters'] ? ISecureRandom::CHAR_SYMBOLS : '';
+		}
+
+		$password = $this->secureRandom->generate($passwordLength, $passwordCharset);
+
+		$share->setPassword($this->hasher->hash($password));
+
+		return $password;
+	}
+
+	/**
+	 * get password policy
+	 *
+	 * @return array
+	 */
+	protected function getPasswordPolicy() {
+		$capabilities = $this->capabilitiesManager->getCapabilities();
+		if (isset($capabilities['password_policy'])) {
+			return $capabilities['password_policy'];
+		}
+
+		return [];
+	}
+
 	/**
 	 * create activity if a file/folder was shared by mail
 	 *
 	 * @param IShare $share
 	 */
-	protected function createActivity(IShare $share) {
+	protected function createShareActivity(IShare $share) {

 		$userFolder = $this->rootFolder->getUserFolder($share->getSharedBy());

@ -196,6 +270,37 @@ class ShareByMailProvider implements IShareProvider {

 	}

+	/**
+	 * create activity if a file/folder was shared by mail
+	 *
+	 * @param IShare $share
+	 * @param string $sharedWith
+	 * @param bool $sendToSelf
+	 */
+	protected function createPasswordSendActivity(IShare $share, $sharedWith, $sendToSelf) {
+
+		$userFolder = $this->rootFolder->getUserFolder($share->getSharedBy());
+
+		if ($sendToSelf) {
+			$this->publishActivity(
+				Activity::SUBJECT_SHARED_EMAIL_PASSWORD_SEND_SELF,
+				[$userFolder->getRelativePath($share->getNode()->getPath())],
+				$share->getSharedBy(),
+				$share->getNode()->getId(),
+				$userFolder->getRelativePath($share->getNode()->getPath())
+			);
+		} else {
+			$this->publishActivity(
+				Activity::SUBJECT_SHARED_EMAIL_PASSWORD_SEND,
+				[$userFolder->getRelativePath($share->getNode()->getPath()), $sharedWith],
+				$share->getSharedBy(),
+				$share->getNode()->getId(),
+				$userFolder->getRelativePath($share->getNode()->getPath())
+			);
+		}
+	}
+
+
 	/**
 	 * publish activity if a file/folder was shared by mail
 	 *
@ -230,7 +335,8 @@ class ShareByMailProvider implements IShareProvider {
 			$share->getSharedBy(),
 			$share->getShareOwner(),
 			$share->getPermissions(),
-			$share->getToken()
+			$share->getToken(),
+			$share->getPassword()
 		);

 		try {
@ -287,18 +393,15 @@ class ShareByMailProvider implements IShareProvider {

 		$emailTemplate->addHeader();
 		$emailTemplate->addHeading($this->l->t('%s shared »%s« with you', [$ownerDisplayName, $filename]), false);
-
 		if ($owner === $initiator) {
 			$text = $this->l->t('%s shared »%s« with you.', [$ownerDisplayName, $filename]);
 		} else {
 			$text= $this->l->t('%s shared »%s« with you on behalf of %s.', [$ownerDisplayName, $filename, $initiator]);
 		}
-
 		$emailTemplate->addBodyText(
 			$text . ' ' . $this->l->t('Click the button below to open it.'),
 			$text
 		);
-
 		$emailTemplate->addBodyButton(
 			$this->l->t('Open »%s«', [$filename]),
 			$link
@ -336,52 +439,109 @@ class ShareByMailProvider implements IShareProvider {
 	/**
 	 * send password to recipient of a mail share
 	 *
-	 * @param string $filename
-	 * @param string $initiator
-	 * @param string $shareWith
+	 * @param IShare $share
+	 * @param string $password
+	 * @return bool
 	 */
-	protected function sendPassword($filename, $initiator, $shareWith, $password) {
+	protected function sendPassword(IShare $share, $password) {

-		if ($this->settingsManager->sendPasswordByMail() === false) {
-			return;
+		$filename = $share->getNode()->getName();
+		$initiator = $share->getSharedBy();
+		$shareWith = $share->getSharedWith();
+
+		if ($password === '' || $this->settingsManager->sendPasswordByMail() === false) {
+			return false;
 		}

 		$initiatorUser = $this->userManager->get($initiator);
 		$initiatorDisplayName = ($initiatorUser instanceof IUser) ? $initiatorUser->getDisplayName() : $initiator;
+		$initiatorEmailAddress = ($initiatorUser instanceof IUser) ? $initiatorUser->getEMailAddress() : null;
+
 		$subject = (string)$this->l->t('Password to access »%s« shared to you by %s', [$filename, $initiatorDisplayName]);
+		$plainBodyPart = $this->l->t("%s shared »%s« with you.\nYou should have already received a separate mail with a link to access it.\n", [$initiatorDisplayName, $filename]);
+		$htmlBodyPart = $this->l->t('%s shared »%s« with you. You should have already received a separate mail with a link to access it.', [$initiatorDisplayName, $filename]);

 		$message = $this->mailer->createMessage();

 		$emailTemplate = $this->mailer->createEMailTemplate();
-
 		$emailTemplate->addHeader();
-		$emailTemplate->addHeading($this->l->t('Password to access »%s«', [$filename]));
-
-		$emailTemplate->addBodyText($this->l->t(
-			'%s shared »%s« with you. You should have already received a separate mail with a link to access it.',
-				[$initiatorDisplayName, $filename]
-		));
+		$emailTemplate->addHeading($this->l->t('Password to access »%s«', [$filename]), false);
+		$emailTemplate->addBodyText($htmlBodyPart, $plainBodyPart);
 		$emailTemplate->addBodyText($this->l->t('It is protected with the following password: %s', [$password]));
-
 		$emailTemplate->addFooter();

+		if ($initiatorEmailAddress !== null) {
+			$message->setFrom([$initiatorEmailAddress => $initiatorDisplayName]);
+		}
 		$message->setTo([$shareWith]);
 		$message->setSubject($subject);
 		$message->setBody($emailTemplate->renderText(), 'text/plain');
 		$message->setHtmlBody($emailTemplate->renderHtml());
 		$this->mailer->send($message);

+		$this->createPasswordSendActivity($share, $shareWith, false);
+
+		return true;
 	}

+	/**
+	 * send auto generated password to the owner. This happens if the admin enforces
+	 * a password for mail shares and forbid to send the password by mail to the recipient
+	 *
+	 * @param IShare $share
+	 * @param string $password
+	 * @return bool
+	 * @throws \Exception
+	 */
+	protected function sendPasswordToOwner(IShare $share, $password) {
+
+		$filename = $share->getNode()->getName();
+		$initiator = $this->userManager->get($share->getSharedBy());
+		$initiatorEMailAddress = ($initiator instanceof IUser) ? $initiator->getEMailAddress() : null;
+		$initiatorDisplayName = ($initiator instanceof IUser) ? $initiator->getDisplayName() : $share->getSharedBy();
+		$shareWith = $share->getSharedWith();
+
+		if ($initiatorEMailAddress === null) {
+			throw new \Exception(
+				$this->l->t("We can't send you the auto-generated password. Please set a valid email address in your personal settings and try again.")
+			);
+		}
+
+		$subject = (string)$this->l->t('Password to access »%s« shared with %s', [$filename, $shareWith]);
+		$bodyPart = $this->l->t("You just shared »%s« with %s. The share was already send to the recipient. Due to the security policies defined by the administrator of %s each share needs to be protected by password and it is not allowed to send the password directly to the recipient. Therefore you need to forward the password manually to the recipient.", [$filename, $shareWith, $this->defaults->getName()]);
+
+		$message = $this->mailer->createMessage();
+		$emailTemplate = $this->mailer->createEMailTemplate();
+
+		$emailTemplate->addHeader();
+		$emailTemplate->addHeading($this->l->t('Password to access »%s«', [$filename]), false);
+		$emailTemplate->addBodyText($bodyPart);
+		$emailTemplate->addBodyText($this->l->t('This is the password: %s', [$password]));
+		$emailTemplate->addBodyText($this->l->t('You can choose a different password at any time in the share dialog.'));
+		$emailTemplate->addFooter();
+
+		if ($initiatorEMailAddress) {
+			$message->setFrom([$initiatorEMailAddress => $initiatorDisplayName]);
+		}
+		$message->setTo([$initiatorEMailAddress => $initiatorDisplayName]);
+		$message->setSubject($subject);
+		$message->setBody($emailTemplate->renderText(), 'text/plain');
+		$message->setHtmlBody($emailTemplate->renderHtml());
+		$this->mailer->send($message);
+
+		$this->createPasswordSendActivity($share, $shareWith, true);
+
+		return true;
+	}

 	/**
 	 * generate share token
 	 *
 	 * @return string
 	 */
-	protected function generateToken() {
+	protected function generateToken($size = 15) {
 		$token = $this->secureRandom->generate(
-			15, ISecureRandom::CHAR_LOWER . ISecureRandom::CHAR_UPPER . ISecureRandom::CHAR_DIGITS);
+			$size, ISecureRandom::CHAR_LOWER . ISecureRandom::CHAR_UPPER . ISecureRandom::CHAR_DIGITS);
 		return $token;
 	}

@ -422,7 +582,7 @@ class ShareByMailProvider implements IShareProvider {
 	 * @param string $token
 	 * @return int
 	 */
-	protected function addShareToDB($itemSource, $itemType, $shareWith, $sharedBy, $uidOwner, $permissions, $token) {
+	protected function addShareToDB($itemSource, $itemType, $shareWith, $sharedBy, $uidOwner, $permissions, $token, $password) {
 		$qb = $this->dbConnection->getQueryBuilder();
 		$qb->insert('share')
 			->setValue('share_type', $qb->createNamedParameter(\OCP\Share::SHARE_TYPE_EMAIL))
@ -434,6 +594,7 @@ class ShareByMailProvider implements IShareProvider {
 			->setValue('uid_initiator', $qb->createNamedParameter($sharedBy))
 			->setValue('permissions', $qb->createNamedParameter($permissions))
 			->setValue('token', $qb->createNamedParameter($token))
+			->setValue('password', $qb->createNamedParameter($password))
 			->setValue('stime', $qb->createNamedParameter(time()));

 		/*
@ -463,7 +624,7 @@ class ShareByMailProvider implements IShareProvider {
 		$validPassword = $plainTextPassword !== null && $plainTextPassword !== '';

 		if($validPassword && $originalShare->getPassword() !== $share->getPassword()) {
-			$this->sendPassword($share->getNode()->getName(), $share->getSharedBy(), $share->getSharedWith(), $plainTextPassword);
+			$this->sendPassword($share, $plainTextPassword);
 		}
 		/*
 		 * We allow updating the permissions and password of mail shares
--- a/apps/sharebymail/templates/settings-admin.php
+++ b/apps/sharebymail/templates/settings-admin.php
@ -4,6 +4,7 @@ use OCA\Federation\TrustedServers;

 /** @var \OCP\IL10N $l */
 script('sharebymail', 'settings-admin');
+style('sharebymail', 'settings-admin');
 ?>
 <div id="ncShareByMailSettings" class="section">
 	<h2><?php p($l->t('Share by mail')); ?></h2>
@ -11,7 +12,9 @@ script('sharebymail', 'settings-admin');

 	<p>
 		<input id="sendPasswordMail" type="checkbox" class="checkbox" <?php if($_['sendPasswordMail']) p('checked'); ?> />
-		<label for="sendPasswordMail"><?php p($l->t('Send password by mail')); ?></label>
+		<label for="sendPasswordMail"><?php p($l->t('Send password by mail')); ?></label><br/>
+		<input id="enforcePasswordProtection" type="checkbox" class="checkbox" <?php if($_['enforcePasswordProtection']) p('checked'); ?> />
+		<label for="enforcePasswordProtection"><?php p($l->t('Enforce password protection')); ?></label>
 	</p>

 </div>
--- a/apps/sharebymail/tests/SettingsTest.php
+++ b/apps/sharebymail/tests/SettingsTest.php
@ -24,6 +24,7 @@ namespace OCA\ShareByMail\Tests;


 use OCA\ShareByMail\Settings;
+use OCA\ShareByMail\Settings\SettingsManager;
 use Test\TestCase;

 class SettingsTest extends TestCase  {
@ -31,10 +32,15 @@ class SettingsTest extends TestCase  {
 	/** @var  Settings */
 	private $instance;

+	/** @var  SettingsManager | \PHPUnit_Framework_MockObject_MockObject */
+	private $settingsManager;
+
 	public function setUp() {
 		parent::setUp();

-		$this->instance = new Settings();
+		$this->settingsManager = $this->getMockBuilder(SettingsManager::class)
+			->disableOriginalConstructor()->getMock();
+		$this->instance = new Settings($this->settingsManager);
 	}

 	public function testAnnounceShareProvider() {
@ -61,4 +67,30 @@ class SettingsTest extends TestCase  {
 		$this->assertSame($after, $before);
 	}

+
+	public function testAnnounceShareByMailSettings() {
+		$this->settingsManager->expects($this->once())->method('enforcePasswordProtection')->willReturn(true);
+		$before = [
+			'oc_appconfig' =>
+				json_encode([
+					'key1' => 'value1',
+					'key2' => 'value2'
+				]),
+			'oc_foo' => 'oc_bar'
+		];
+
+		$after = [
+			'oc_appconfig' =>
+				json_encode([
+					'key1' => 'value1',
+					'key2' => 'value2',
+					'shareByMail' => ['enforcePasswordProtection' => true]
+				]),
+			'oc_foo' => 'oc_bar'
+		];
+
+		$this->instance->announceShareByMailSettings(['array' => &$before]);
+		$this->assertSame($after, $before);
+	}
+
 }
--- a/apps/sharebymail/tests/ShareByMailProviderTest.php
+++ b/apps/sharebymail/tests/ShareByMailProviderTest.php
@ -23,10 +23,12 @@
 namespace OCA\ShareByMail\Tests;


+use OC\CapabilitiesManager;
 use OC\Mail\Message;
 use OCA\ShareByMail\Settings\SettingsManager;
 use OCA\ShareByMail\ShareByMailProvider;
 use OCP\Defaults;
+use OCP\Files\File;
 use OCP\Files\IRootFolder;
 use OCP\IDBConnection;
 use OCP\IL10N;
@ -36,6 +38,7 @@ use OCP\IUser;
 use OCP\IUserManager;
 use OCP\Mail\IEMailTemplate;
 use OCP\Mail\IMailer;
+use OCP\Security\IHasher;
 use OCP\Security\ISecureRandom;
 use OCP\Share\IManager;
 use OCP\Share\IShare;
@ -88,6 +91,12 @@ class ShareByMailProviderTest extends TestCase {
 	/** @var Defaults|\PHPUnit_Framework_MockObject_MockObject */
 	private $defaults;

+	/** @var  IHasher | \PHPUnit_Framework_MockObject_MockObject */
+	private $hasher;
+
+	/** @var  CapabilitiesManager | \PHPUnit_Framework_MockObject_MockObject */
+	private $capabilitiesManager;
+
 	public function setUp() {
 		parent::setUp();

@ -109,6 +118,8 @@ class ShareByMailProviderTest extends TestCase {
 		$this->activityManager = $this->getMockBuilder('OCP\Activity\IManager')->getMock();
 		$this->settingsManager = $this->getMockBuilder(SettingsManager::class)->disableOriginalConstructor()->getMock();
 		$this->defaults = $this->createMock(Defaults::class);
+		$this->hasher = $this->getMockBuilder(IHasher::class)->getMock();
+		$this->capabilitiesManager = $this->getMockBuilder(CapabilitiesManager::class)->disableOriginalConstructor()->getMock();

 		$this->userManager->expects($this->any())->method('userExists')->willReturn(true);
 	}
@ -134,7 +145,9 @@ class ShareByMailProviderTest extends TestCase {
 					$this->urlGenerator,
 					$this->activityManager,
 					$this->settingsManager,
-					$this->defaults
+					$this->defaults,
+					$this->hasher,
+					$this->capabilitiesManager
 				]
 			);

@ -154,7 +167,9 @@ class ShareByMailProviderTest extends TestCase {
 			$this->urlGenerator,
 			$this->activityManager,
 			$this->settingsManager,
-			$this->defaults
+			$this->defaults,
+			$this->hasher,
+			$this->capabilitiesManager
 		);

 	}
@ -167,15 +182,22 @@ class ShareByMailProviderTest extends TestCase {

 	public function testCreate() {
 		$share = $this->getMockBuilder('\OCP\Share\IShare')->getMock();
-		$share->expects($this->once())->method('getSharedWith')->willReturn('user1');
+		$share->expects($this->any())->method('getSharedWith')->willReturn('user1');
+
+		$node = $this->getMockBuilder(File::class)->getMock();
+		$node->expects($this->any())->method('getName')->willReturn('filename');

-		$instance = $this->getInstance(['getSharedWith', 'createMailShare', 'getRawShare', 'createShareObject', 'createActivity']);
+		$instance = $this->getInstance(['getSharedWith', 'createMailShare', 'getRawShare', 'createShareObject', 'createShareActivity', 'sendPassword']);

 		$instance->expects($this->once())->method('getSharedWith')->willReturn([]);
 		$instance->expects($this->once())->method('createMailShare')->with($share)->willReturn(42);
-		$instance->expects($this->once())->method('createActivity')->with($share);
+		$instance->expects($this->once())->method('createShareActivity')->with($share);
 		$instance->expects($this->once())->method('getRawShare')->with(42)->willReturn('rawShare');
 		$instance->expects($this->once())->method('createShareObject')->with('rawShare')->willReturn('shareObject');
+		$instance->expects($this->any())->method('sendPassword')->willReturn(true);
+		$share->expects($this->any())->method('getNode')->willReturn($node);
+		$this->settingsManager->expects($this->any())->method('enforcePasswordProtection')->willReturn(false);
+		$this->settingsManager->expects($this->any())->method('sendPasswordByMail')->willReturn(true);

 		$this->assertSame('shareObject',
 			$instance->create($share)
@ -273,6 +295,7 @@ class ShareByMailProviderTest extends TestCase {
 		$uidOwner = 'user2';
 		$permissions = 1;
 		$token = 'token';
+		$password = 'password';


 		$instance = $this->getInstance();
@ -286,7 +309,8 @@ class ShareByMailProviderTest extends TestCase {
 				$sharedBy,
 				$uidOwner,
 				$permissions,
-				$token
+				$token,
+				$password
 			]
 		);

@ -305,6 +329,7 @@ class ShareByMailProviderTest extends TestCase {
 		$this->assertSame($uidOwner, $result[0]['uid_owner']);
 		$this->assertSame($permissions, (int)$result[0]['permissions']);
 		$this->assertSame($token, $result[0]['token']);
+		$this->assertSame($password, $result[0]['password']);

 	}

@ -636,7 +661,7 @@ class ShareByMailProviderTest extends TestCase {
 		$userManager = \OC::$server->getUserManager();
 		$rootFolder = \OC::$server->getRootFolder();

-		$provider = $this->getInstance(['sendMailNotification', 'createActivity']);
+		$provider = $this->getInstance(['sendMailNotification', 'createShareActivity']);

 		$u1 = $userManager->createUser('testFed', md5(time()));
 		$u2 = $userManager->createUser('testFed2', md5(time()));
@ -678,7 +703,7 @@ class ShareByMailProviderTest extends TestCase {
 		$userManager = \OC::$server->getUserManager();
 		$rootFolder = \OC::$server->getRootFolder();

-		$provider = $this->getInstance(['sendMailNotification', 'createActivity']);
+		$provider = $this->getInstance(['sendMailNotification', 'createShareActivity']);

 		$u1 = $userManager->createUser('testFed', md5(time()));
 		$u2 = $userManager->createUser('testFed2', md5(time()));
--- a/1
+++ b/1
@ -0,0 +1 @@
+Subproject commit a1157abb8a37862f87f5012317f9323113467737
--- a/core/js/shareconfigmodel.js
+++ b/core/js/shareconfigmodel.js
@ -29,6 +29,7 @@
 			isMailShareAllowed: oc_appconfig.shareByMailEnabled !== undefined,
 			defaultExpireDate: oc_appconfig.core.defaultExpireDate,
 			isResharingAllowed: oc_appconfig.core.resharingAllowed,
+			isPasswordForMailSharesRequired: (oc_appconfig.shareByMail === undefined) ? false : oc_appconfig.shareByMail.enforcePasswordProtection,
 			allowGroupSharing: oc_appconfig.core.allowGroupSharing
 		},

--- a/core/js/sharedialogshareelistview.js
+++ b/core/js/sharedialogshareelistview.js
@ -100,7 +100,7 @@
 					'{{/if}}' +
 					'<li>' +
 						'<span class="shareOption menuitem">' +
-							'<input id="password-{{cid}}-{{shareId}}" type="checkbox" name="password" class="password checkbox" {{#if isPasswordSet}}checked="checked"{{/if}}" />' +
+							'<input id="password-{{cid}}-{{shareId}}" type="checkbox" name="password" class="password checkbox" {{#if isPasswordSet}}checked="checked"{{/if}}{{#if isPasswordSet}}{{#if isPasswordForMailSharesRequired}}disabled=""{{/if}}{{/if}}" />' +
 							'<label for="password-{{cid}}-{{shareId}}">{{passwordLabel}}</label>' +
 							'<div class="passwordContainer-{{cid}}-{{shareId}} {{#unless isPasswordSet}}hidden{{/unless}}">' +
 							'    <label for="passwordField-{{cid}}-{{shareId}}" class="hidden-visually" value="{{password}}">{{passwordLabel}}</label>' +
@ -268,6 +268,7 @@
 				crudsLabel: t('core', 'Access control'),
 				triangleSImage: OC.imagePath('core', 'actions/triangle-s'),
 				isResharingAllowed: this.configModel.get('isResharingAllowed'),
+				isPasswordForMailSharesRequired: this.configModel.get('isPasswordForMailSharesRequired'),
 				sharePermissionPossible: this.model.sharePermissionPossible(),
 				editPermissionPossible: this.model.editPermissionPossible(),
 				createPermissionPossible: this.model.createPermissionPossible(),
--- a/lib/private/Share20/ProviderFactory.php
+++ b/lib/private/Share20/ProviderFactory.php
@ -23,6 +23,7 @@
 */
 namespace OC\Share20;

+use OC\CapabilitiesManager;
 use OCA\FederatedFileSharing\AddressHandler;
 use OCA\FederatedFileSharing\DiscoveryManager;
 use OCA\FederatedFileSharing\FederatedShareProvider;
@ -160,7 +161,9 @@ class ProviderFactory implements IProviderFactory {
 				$this->serverContainer->getURLGenerator(),
 				$this->serverContainer->getActivityManager(),
 				$settingsManager,
-				$this->serverContainer->query(Defaults::class)
+				$this->serverContainer->query(Defaults::class),
+				$this->serverContainer->getHasher(),
+				$this->serverContainer->query(CapabilitiesManager::class)
 			);
 		}