I'm trying to restrict the ability of change password within Roundcube for some domains due to client requests.
According to the config.inc.php file, I just needed to add an array of domains that are allowed to use the plugin.
However, the password_hosts setting appears to only work with two values "null" or "array('localhost');
On checking the password.php, it seems that the password_hosts are checked against the storage host (which appears to always be localhost) rather than the user's domain.
The password_hosts restriction works as I expected if I substitute line 372 in the current master password.php with these
$user_domain = substr(strrchr($_SESSION['username'], "@"), 1);
if (!empty($hosts) && !in_array($user_domain, $hosts)) {
//if (!empty($hosts) && !in_array($_SESSION['storage_host'], $hosts)) {
Is this therefore a bug, or I am just mistaken about what the password_hosts option is supposed to do, which is restrict based on physical host and not user domain?