Opened 8 years ago

Closed 4 years ago

#1291605 closed Feature Requests (fixed)

Present new user with Identities dialog - patch available

Reported by: drel
Owned by: nobody
Priority: 8
Milestone: 0.3-stable
Component: User Interface
Version: git-master
Severity: normal
Keywords:
Cc: zippy1970@…

Description

RoundCube Webmail guessed wrong at my email address,
which meant any emails I sent out before visiting the
identities dialog would have the wrong return address
on them.

When a user first logs in, they should have the
opportunity to configure the default identity.

Attachments (2)

edit_identity_on_first_login.patch (2.2 KB) - added by jpingle 6 years ago.
Patch to edit identity on first login
edit_identity_on_rc_user_creation.diff (1.5 KB) - added by hayalci 5 years ago.
Shows edit identity screen if the user is newly created. Only works when auto create user is true. -- update: a better place for $_SESSION


Change History (16)

comment:1 Changed 8 years ago by jonwolf

Logged In: YES 
user_id=1345465

I submitted a bug report (1292199) for this. I am pretty
sure this is related to users that have to login to their
IMAP server with their full email address. Fortunately,
RoundCube wouldn't let me send email until the address was
fixed, keeping me from sending mail with an incorrect return
address.

comment:2 Changed 8 years ago by drel

Logged In: YES 
user_id=386120

That's correct; I log in to my Courier IMAP server with my
full email address.  A simplistic approach would be to check
for the presence of an @ symbol in the username, and to
assume the username is the full email address in that case.

I still think presenting the identities dialog on the first
login is a good idea.

comment:3 Changed 7 years ago by nobody

Logged In: NO 

Displaying the identities dialog on a user's first logon
would be really great. I tested roundcube on my dad and it
took him quite some emails before he figured out how to get
his name in the "From:" field when he sent emails.

comment:4 Changed 7 years ago by thomasb

  • Milestone 0.1-beta2 deleted
  • Status changed from assigned to new

comment:5 Changed 6 years ago by jpingle

  • Type changed from Feature Requests to Patches
  • Version changed from None to svn-trunk

Anyone care to try this quick patch I fixed up for this? It works for me, though I am sure there is room for improvement.

Changed 6 years ago by jpingle

Patch to edit identity on first login

comment:6 in reply to: ↑ description Changed 5 years ago by keesje76

Wow, this is exactly what I was looking for.

I applied the patch "01/05/07" to Version 0.1-rc2.
Though the line numbers may slightly shift, the patch still applies perfectly.

I should opt for a show_message in edit_identity.inc, to warn the user that he/she needs to edit at least the email field.

Thanks, works like a charm!

Kees

http://www.qspeed.nl

comment:7 Changed 5 years ago by seansan

  • Summary changed from Present new user with Identities dialog to Present new user with Identities dialog - patch available

comment:8 Changed 5 years ago by alec

  • Milestone set to later
  • Resolution changed from None to wontfix
  • Status changed from new to closed

Very old. I think we don't need it anymore.

comment:9 Changed 5 years ago by hayalci

I think that functionality would be very useful, as many users forget to set their identity.

Changed 5 years ago by hayalci

Shows edit identity screen if the user is newly created. Only works when auto create user is true. -- update: a better place for $_SESSION

comment:10 Changed 5 years ago by roe1234

It seems that on a fresh installation of .2, sending a message fails with "Message failed to send" as the only thing the user sees. Either a better error message or this bug should prevent frustration in the future. I vote for this bug and a better error message.

comment:11 Changed 5 years ago by Zippy1970

  • Cc zippy1970@… added
  • Priority changed from 5 to 8
  • Resolution wontfix deleted
  • Status changed from closed to reopened
  • Type changed from Patches to Feature Requests

Seeing that this feature was requested 3 years ago and it still hasn't been implemented makes me believe the developers don't see the severity of the current situation. As it is right now, the chances RC creates a usable identity using $rcmail_config['default_host'] or virtusertable are slim to none for several reasons. But it does expose information that should never be exposed, namely the servername a user logs in to, and the usernames they use to do it. And that is a very severe security risk. Best case, it gives script-kiddies a reason to start brute-force attacks on a user account. Worst case it gives true hackers a very good starting point for compromising a server.

As it is right now, I wouldn't even think of actually using RC because of this security risk.

So I would like to add my request for this feature to the list. Don't let RC create a new identity, but at first login, present the user with the "Create Identity" screen. Also, don't even fill in the fields with "default" values. Too many users will simply accept the default values without thinking, creating the same security risk. Force them to enter an identity themselves.

comment:12 Changed 5 years ago by thomasb

  • Severity changed from critical to normal

Why are you talking about security issues and script kiddies? RC does not expose any details other than the credentials people need to configure their regular mail client.

With all the options like 'mail_domain', 'virtuser_file' or 'virtuser_query' it IS possible to get a correct identity created on the first login. Users are lazy and it's the administrator's job to configure the services in a way that it creates valid defaults.

This doesn't mean that we don't see the need for such a feature and closing the request wasn't a good choice. However, presenting a blank form to the user is a contradiction to other requests that want to make some identity fields (like sender address) unchangeable or disable the possibility to create more than one identity.

comment:13 Changed 5 years ago by Zippy1970

> RC does not expose any details other than the credentials people need to configure their regular mail client.

Exactly. And I don't understand why you think that isn't a bad thing.

First of all, if the user leaves the identity as-is, RC will *always* expose the login name which in many cases is a true *nix account name, even if you use virtuser_file. virtuser_query requires an SQL database that isn't always there (not everybody uses control panels). Requiring the administrator to create and maintain such a database for the sole purpose of preventing RC from exposing sensitive information is, I'm sorry to say, counter-productive to say the least. RC makes a lot of assumptions (virtusertable being available, login names not being true *nix account names, SQL databases being available).

It's OK to let RC *suggest* a default identity. But it should be optional and it should be confirmed by the user. The way it is now (let RC "guess" the identity and silently set it) is IMHO an absolute no-no.

You make it sound like it's one or the other. It's not. With a single boolean and a few extra conditional statements in your source you can easily make it so administrators can choose how they want it.
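
The approaches discussed in comments 2, 12 and 13, combined in one added example; this is not Roundcube's code and not either attached patch. The function name and the `confirm_identity_on_first_login` option are hypothetical, and the `virtuser_file` format is assumed to be sendmail-style ("address account" per line).

```php
<?php
// Added illustration only. 'mail_domain' and 'virtuser_file' are the options
// named in the thread; 'confirm_identity_on_first_login' is a hypothetical boolean.
function guess_default_identity(string $login, array $config): array
{
    $email = null;
    $source = 'none';

    // 1. virtusertable-style lookup: "address<whitespace>account" (assumed format).
    if (!empty($config['virtuser_file']) && is_readable($config['virtuser_file'])) {
        $lines = file($config['virtuser_file'], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
        foreach ($lines as $line) {
            $fields = preg_split('/\s+/', trim($line));
            if (count($fields) >= 2 && $fields[0][0] !== '#' && $fields[1] === $login) {
                $email = $fields[0];
                $source = 'virtuser_file';
                break;
            }
        }
    }
    // 2. The login is already a full address (the "@" check from comment 2).
    if ($email === null && filter_var($login, FILTER_VALIDATE_EMAIL)) {
        $email = $login;
        $source = 'login';
    }
    // 3. Fall back to login@mail_domain.
    if ($email === null && !empty($config['mail_domain'])) {
        $email = $login . '@' . $config['mail_domain'];
        $source = 'mail_domain';
    }

    // The guess reveals the account name when both local parts are identical.
    $exposesLogin = $email !== null
        && strtolower(explode('@', $email)[0]) === strtolower(explode('@', $login)[0]);

    return [
        'email' => $email,
        'source' => $source,
        'exposes_login' => $exposesLogin,
        // Route the user to the identity form instead of silently saving the guess.
        'needs_confirmation' => $email === null || $exposesLogin
            || !empty($config['confirm_identity_on_first_login']),
    ];
}

// Constructed sample: plain account name, no virtuser_file, domain appended.
print_r(guess_default_identity('jdoe', ['mail_domain' => 'example.org']));
```

With the constructed input the guess is `jdoe@example.org`, flagged as exposing the login and needing confirmation; a `virtuser_file` entry that maps the account to a different local part clears the exposure flag.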

comment:14 Changed 4 years ago by thomasb

  • Milestone changed from later to 0.3-stable
  • Resolution set to fixed
  • Status changed from reopened to closed