Add impersonation feature for admins to webmail #3163
Conversation
|
Thanks for submitting this pull request. bors try Note: if this build fails, read this. |
tryBuild succeeded: |
nextgens
added
type/security
There was a problem hiding this comment.
This PR looks interesting. I can imagine that many people find this an interesting feature.
The functionality appears to work fine. When trying to visit the webmail/ url when logged in with a non-admin user, you receive a 403 error (As expected).
Since new elements are added to the UI (extra buttons for a user on the user list), it must be added to the documentation.
webadminstration.rst. More specifically here:
Mailu/docs/webadministration.rst
Line 315 in efb3892
When using roundcube a banner is displayed in top with the information that you are impersonating an user. However this is missing for snappymaill.
If you don't know how to add a banner for SnappyMail, then I recommend creating a discussion here asking how to do this:
https://github.com/the-djmaze/snappymail/discussions
acran
force-pushed
the
feature/impersonation
branch
from
bdb7128
to
b6b668c
Compare
Thank you for the suggestion. I know added the information on the new buttons to the documentation there.
Yes, I had skipped snappymail since I was unable to correctly configure it for local testing (see #3162). Having had a look again now into snappymail, it seems to me that snappymail does not provide a straight-forward API to easily add a simple banner when logged in as another user the same way as with roundcibe. So I'm a bit skeptical whether the effort required to implement this analogously to roundcube is really worth it... @nextgens is adding the same banner to snappymail a hard requirement for this PR? Would there be maybe another way than a banner to notify the user which may be easier to implement in snappymail? And besides this: is there anything else blocking this PR from being merged? |
|
Can't we just frame the webmails when impersonation is in use? |
see discussion in Mailu#3106
This allows admins to login to webmail as another user. The impersonating user is also passed to the webmail container in the X-Remote-Original-User header. see discussion in Mailu#3106
action=login has no effect without task=login so the authenticate hook was never actually called in these situations
Now the currently logged-in user might change when an admin user is impersonating another user. In that case roundcube must go trigger its internal login again.
acran
force-pushed
the
feature/impersonation
branch
from
b6b668c
to
a8dbc5c
Compare
|
@nextgens I (rebased and) added a PoC for a framed webmail with impersonation in a8dbc5c. But in my opinion framing does not provide the best user experience and can be confusing. Because the webmailer will use the same session cookie with and without framing. So having an open tab with the admin user's normal mailbox while opening another user's mailbox with impersonation will also switch the session in the open tab to the other user's mailbox - but without the alert. Also, having the impersonated mailbox opened in a frame (especially when keeping the mailu admin navigation as in this PoC, but that can easily be removed, though) could imply to the user that impersonation is only active in that window... So, I'd rather let the webmailer itself handle everything instead. But let me know which route you want to go here, and I can update the PR accordingly. |
What type of PR?
Feature
What does this PR do?
This adds a button to the user list for admins to open the webmailer as another user.
Related issue(s)
Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
In case of feature or enhancement: documentation updated accordingly