Add impersonation feature for admins to webmail #3163
Conversation
|
Thanks for submitting this pull request. bors try Note: if this build fails, read this. |
tryBuild succeeded: |
There was a problem hiding this comment.
This PR looks interesting. I can imagine that many people find this an interesting feature.
The functionality appears to work fine. When trying to visit the webmail/ url when logged in with a non-admin user, you receive a 403 error (As expected).
Since new elements are added to the UI (extra buttons for a user on the user list), it must be added to the documentation.
webadminstration.rst. More specifically here:
Mailu/docs/webadministration.rst
Line 315 in efb3892
When using roundcube a banner is displayed in top with the information that you are impersonating an user. However this is missing for snappymaill.
If you don't know how to add a banner for SnappyMail, then I recommend creating a discussion here asking how to do this:
https://github.com/the-djmaze/snappymail/discussions
bdb7128 to
b6b668c
Compare
Thank you for the suggestion. I know added the information on the new buttons to the documentation there.
Yes, I had skipped snappymail since I was unable to correctly configure it for local testing (see #3162). Having had a look again now into snappymail, it seems to me that snappymail does not provide a straight-forward API to easily add a simple banner when logged in as another user the same way as with roundcibe. So I'm a bit skeptical whether the effort required to implement this analogously to roundcube is really worth it... @nextgens is adding the same banner to snappymail a hard requirement for this PR? Would there be maybe another way than a banner to notify the user which may be easier to implement in snappymail? And besides this: is there anything else blocking this PR from being merged? |
|
Can't we just frame the webmails when impersonation is in use? |
b6b668c to
a8dbc5c
Compare
|
@nextgens I (rebased and) added a PoC for a framed webmail with impersonation in a8dbc5c. But in my opinion framing does not provide the best user experience and can be confusing. Because the webmailer will use the same session cookie with and without framing. So having an open tab with the admin user's normal mailbox while opening another user's mailbox with impersonation will also switch the session in the open tab to the other user's mailbox - but without the alert. Also, having the impersonated mailbox opened in a frame (especially when keeping the mailu admin navigation as in this PoC, but that can easily be removed, though) could imply to the user that impersonation is only active in that window... So, I'd rather let the webmailer itself handle everything instead. But let me know which route you want to go here, and I can update the PR accordingly. |
|
@nextgens anything I can do to move this PR forward? |
|
bors try |
tryBuild succeeded: |
Those are good points; We do not want that. Would it be doable/better to have a separate 'virtual' path for each webmail instance? So that one could open several tabs with different inboxes at the same time without having things breaking. Say redirect to
I wanted to try out framing as that is what would be maintenance free; I am not opposed to doing it differently. If the visual indication is in the URL maybe we don't need the UX to change at all.
As is snappymail is broken (it sets some anti-framing headers). I'd love if you could try to make the parallel webmail session thing to work. In the future we would/could even offer all webmails by default ( |
see discussion in Mailu#3106
This allows admins to login to webmail as another user. The impersonating user is also passed to the webmail container in the X-Remote-Original-User header. see discussion in Mailu#3106
action=login has no effect without task=login so the authenticate hook was never actually called in these situations
Now the currently logged-in user might change when an admin user is impersonating another user. In that case roundcube must go trigger its internal login again.
This reverts commit 869c568.
see Mailu#3163 (comment) But this commit needs some more work and/or refactoring to be merged!
a8dbc5c to
2eea2a4
Compare
I implemented this with 2eea2a4. It is working but I'm not sure if it really is worth it because it requires a lot of additional complexity for the integration: First, for the webmail to be available under multiple URLs we not only need to make it available with different base URLs but even under dynamic base URLs to include the e-mail address. Mailu/core/nginx/conf/nginx.conf Line 205 in 2eea2a4 Mailu/core/nginx/conf/nginx.conf Line 275 in 2eea2a4 This then has to be handled by nginx as well as the PHP code: Mailu/webmails/nginx-webmail.conf Line 53 in 2eea2a4
Yes, having different path for each mailbox this is possible by using Another problem was that Mailu/core/nginx/conf/nginx.conf Lines 261 to 262 in 2eea2a4 Mailu/core/nginx/conf/nginx.conf Lines 329 to 332 in 2eea2a4 All of this already adds much complexity. Additionally it probably also still requires some refactoring on how the valid webmail token(s) are stored in the session. Because up until now there is always only one valid token in the session and previously we differentiated the user (original user or impersonated user) by storing the e-mail in the session as well. But now there could be multiple valid e-mail/token combinations. If this solution should be used, I can try to polish up the commits again, so what do you think? |
|
@nextgens after thinking about it a bit more: having a dedicated proxied path for impersonated webmail is actually quite neat and provides the best UX be even allowing to have two different mailboxes open side by side in the same browser session. The issue with conflicting cookies in case when So it stand to reason whether the added complexity is really worth the result since it'll probably still be a rarely used feature... How best to proceed here? |
I am not sure I am following regarding overlapping paths; We could use proxy_cookie_path to ensure we maintain independent cookies with the same names but different paths, no?
I am not sure either |
Yes, this works and is utilized by this PR, see e.g. Mailu/core/nginx/conf/nginx.conf Lines 274 to 277 in 2eea2a4 But there is an edge case with With something like |
|
I don't see that as a problem: we won't be backporting the feature and personally I am okay with removing We are already instructing those that do run reverse proxies to forward everything for Mailu's FQDNs to Mailu. |
Is this already on the roadmap? Because I see these config options as a valuable feature and would want to see them gone - especially not for this 😅
Aside from this single edge case me neither. Even keeping the So anyway, should I then proceed with the necessary changes to cleanup the storage of tokens in the session so we can bring this PR to a merge? |
What type of PR?
Feature
What does this PR do?
This adds a button to the user list for admins to open the webmailer as another user.
Related issue(s)
Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.
In case of feature or enhancement: documentation updated accordingly