Disabling functionality in Roundcube per user, domain or per role   October 7th, 2016

I recently did some investigations into Roundcube.

One task was to disable the files plugin for certain users.

The other task was to disable the option to export the full addressbook.

I had a look at the kolab_files plugin. In https://git.kolab.org/diffusion/RPK/browse/master/plugins/kolab_files/kolab_files.php you find these lines:

// the files module can be enabled/disabled by the kolab_auth plugin
if ($this->rc->config->get('kolab_files_disabled') || !$this->rc->config->get('kolab_files_enabled', true)) {
    return $this->engine = false;
}

So that led me to look at the kolab_auth plugin. See the following lines in the config file: https://git.kolab.org/diffusion/RPK/browse/master/plugins/kolab_auth/config.inc.php.dist

// Enable plugins on a role-by-role basis. In this example, the 'acl' plugin
// is enabled for people with a 'cn=professional-user,dc=mykolab,dc=ch' role.
//
// Note that this does NOT mean the 'acl' plugin is disabled for other people.
$config['kolab_auth_role_plugins'] = Array(
        'cn=professional-user,dc=mykolab,dc=ch' => Array(
                'acl',
            ),
    );

For example, I could implement both changes based on two roles, keinExportAddressbuch and keineFilesImRoundcube. The following lines can go into /etc/roundcubemail/kolab_auth.inc.php:

    $config['kolab_auth_role_settings'] =
        Array(
              'cn=keinExportAdressbuch,%dc' => Array(
                  'addressbook_export_disabled' => Array(
                      'mode' => 'override',
                      'value' => 'true',
                      'allow_override' => false
                  ),
              ),
               'cn=keineFilesImRoundcube,%dc' => Array(
                  'kolab_files_disabled' => Array(
                      'mode' => 'override',
                      'value' => 'true',
                      'allow_override' => false
                  ),
              ),
          );

Another option is the ude_login plugin which was written by Kolab Systems for Universität Duisburg-Essen. I have branched it and added small extensions, to also support disabling the kolab_files plugin. You can find my fork here: https://github.com/TBits/ude_login

With the ude_login plugin, you define in a text file which users should have which config settings. You can overwrite any variable in /etc/roundcubemail/config.inc.php.

For example:

# /etc/roundcubemail/enable_disable_per_user.txt
# attention: use tab to seperate the columns in this file!
sampleuser      default_host=localhost  smtp_server=localhost   enable_plugins=acl,managesieve,zipdownload      disable_plugins=calendar
anotheruser     default_host=example.net        smtp_server=mail.example.net    enable_plugins=acl
@nofiles.de  disable_plugins=calendar,kolab_files    addressbook_export_disabled=true

You can specify a user by his UID, but also by email address, and for a whole domain. That way I can specify a settings for all users at a given domain, eg nofiles.de.

I can disable plugins, which are implemented here: https://github.com/TBits/ude_login/blob/master/ude_login.php#L87. Enabling plugins works the same way.

For the addressbook export, you can see I am already setting a variable addressbook_export_disabled=true. This variable is now as if I had added it in config.inc.php, but it applies only to the specified user(s).

You can see how I use that configuration variable in this patch: https://github.com/TBits/KolabScripts/blob/Kolab3.4/kolab/patches/optional_disable_addressbook_export.patch

For the backend, I can just write:

if ($RCMAIL->config->get('addressbook_export_disabled')) {
    die("Export of Addressbook has been disabled");
}

For the template, this is how to access the configuration variable:

<roundcube:if condition="config:addressbook_export_disabled:false == false">
 	<span class="dropbutton">
 		<roundcube:button command="export" type="link" class="button export disabled" classAct="button export" classSel="button export pressed" label="export" title="exportvcards" />
 		<a href="#export" class="dropbuttontip" id="exportmenulink" onclick="return UI.toggle_popup('exportmenu',event)" aria-haspopup="true" aria-expanded="false" aria-owns="exportmenu-menu" tabindex="0"><roundcube:label name="arialabelcontactexportoptions" /></a>
 	</span>
 
 	<span class="spacer"></span>
<roundcube:endif />

This gives us much more options to configure Roundcube to meet the specific requirements of customers.

Edit: another problem I was able to solve with the ude_login plugin was: the customer wanted to have different default settings for the server settings in Roundcube. Those settings are only set during the first login of the user to Roundcube. I did not want to change the settings for all customers, in config.inc.php. So I modified my file /etc/roundcubemail/enable_disable_per_user.txt:

# attention: use tabs to separate the columns
@specialdomain.com         read_when_deleted=true          flag_for_deletion=false         skip_deleted=false              delete_always=false     delete_junk=false       logout_purge=false      logout_expunge=false
Tags: ,
This entry was posted on Friday, October 7th, 2016 at 11:33 am and is filed under Software Development. You can follow any responses to this entry through the RSS 2.0 feed.Both comments and pings are currently closed.

No Responses