Author Topic: Password Plugin option password_hosts does not work as expected  (Read 4277 times)

Offline cadmi

« on: October 15, 2015, 02:27:33 AM »
I'm trying to restrict the ability to change passwords within Roundcube for some domains due to client requests.
According to the config.inc.php file, I just needed to add an array of domains that are allowed to use the plugin.

However, the password_hosts setting appears to only work with two values: "null" or "array('localhost')".

On checking the password.php, it seems that the password_hosts are checked against the storage host (which appears to always be localhost) rather than the user's domain.

The password_hosts restriction works as I expected if I substitute line 372 in the current master password.php with these:
Code:

  // Check the domain part of the login name instead of the storage host
  $user_domain = substr(strrchr($_SESSION['username'], "@"), 1);
  if (!empty($hosts) && !in_array($user_domain, $hosts)) {
  // Original check against the storage host:
  //if (!empty($hosts) && !in_array($_SESSION['storage_host'], $hosts)) {

Is this therefore a bug, or am I just mistaken about what the password_hosts option is supposed to do, which is restrict based on physical host and not user domain?

Offline alec

« Reply #1 on: October 15, 2015, 02:38:23 AM »
The option is password_hosts not password_domains, right?

Offline cadmi

« Reply #2 on: October 15, 2015, 02:43:57 AM »
Quote from alec: "The option is password_hosts not password_domains, right?"

Yes, but since the host is always "localhost" as it is a web-based client, would that not make the option pretty much pointless?

Offline JohnDoh

« Reply #3 on: October 15, 2015, 02:58:39 AM »
The host is not always localhost, it could be anything. The idea is to disable the password plugin when the user is connected to a storage host for which the roundcube install cannot change passwords.

For example you might have some users who connect to a storage host on localhost but others who connect to another.imap.server and you have no way of changing passwords on another.imap.server and so the option can be disabled.

Enabling/disabling the password options per user is simply too granular for general settings.

Offline alec

« Reply #4 on: October 15, 2015, 03:47:53 AM »
If all accounts are on the same mail host I don't see a point in limiting password change to some of them. The password_hosts option is useful when you have more than one mail host, and e.g. one does not support password change (or uses a different "engine", etc.).

Offline cadmi

« Reply #5 on: October 15, 2015, 10:39:25 AM »
Quote from alec: "If all accounts are on the same mail host I don't see a point in limiting password change to some of them. The password_hosts option is useful when you have more than one mail host, and e.g. one does not support password change (or uses different "engine", etc.)."

Different clients have different corporate policies, not all of which make sense to us. In this case, the client requires their internal admin to set and track all assigned email passwords and does not allow their users to change their passwords. So they wanted to disable that option within roundcube. Seems unnecessarily troublesome to me, especially since the administrator would have been able to reset any "unauthorized" passwords anyway, but they are the ones paying the bill.

I've modified the source on the server to achieve this for now but that means repeating the changes every upgrade. I don't suppose it would be an acceptable feature request to ask for an additional option like password_deny_domains, even if I provide the required code changes?

Offline alec

« Reply #6 on: October 15, 2015, 02:18:10 PM »
You should be able to write a plugin which disables/enables other plugins.
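
Added example, not part of the thread and not Roundcube's code: a stand-alone PHP script contrasting the storage-host check the replies describe with the per-domain deny-list cadmi proposes. The function names and sample sessions are constructed for illustration, and "password_deny_domains" is only the option name suggested above, not an existing Roundcube setting.

```php
<?php
// Added illustration, not Roundcube code. Function names are hypothetical.

// Stock behaviour as described in the thread: the allow-list is compared
// with the storage (IMAP) host of the session, not with the user's domain.
function allowed_by_host(array $session, ?array $hosts): bool
{
    return empty($hosts) || in_array($session['storage_host'], $hosts, true);
}

// Domain part of the login name, lower-cased; null when there is no "@"
// (strrchr() returns false then, which the forum snippet does not handle).
function user_domain(string $username): ?string
{
    $at = strrchr($username, '@');
    return ($at === false || $at === '@') ? null : strtolower(substr($at, 1));
}

// Proposed behaviour: a deny-list keyed on the user's domain.
// "password_deny_domains" is the option name suggested in the thread,
// not an existing Roundcube setting.
function allowed_by_domain(array $session, array $deny_domains): bool
{
    $domain = user_domain($session['username']);
    if ($domain === null) {
        return empty($deny_domains); // assumption: fail closed if a deny-list exists
    }
    return !in_array($domain, array_map('strtolower', $deny_domains), true);
}

// Constructed sample sessions: every account sits on the same IMAP host.
$sessions = [
    ['username' => 'alice@client-a.example', 'storage_host' => 'localhost'],
    ['username' => 'bob@Client-B.example',   'storage_host' => 'localhost'],
    ['username' => 'carol',                  'storage_host' => 'localhost'],
];
$password_hosts        = ['localhost'];
$password_deny_domains = ['client-b.example'];

foreach ($sessions as $s) {
    printf("%-24s host-check=%-5s domain-check=%s\n",
        $s['username'],
        var_export(allowed_by_host($s, $password_hosts), true),
        var_export(allowed_by_domain($s, $password_deny_domains), true));
}
```

With a single mail host the host check cannot tell the three accounts apart, while the domain check separates them regardless of the case of the login name.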