Roadmap

[factor]

What user are people going to be "auto" logging into phpMyAdmin and Webmail with?

User:
Like in the User Side of Cpanel. When you are already logged in you can be automatically be taken into your email account. You can also go to the email area and choose an account and it will just open for you. It knows the password you set for Webmail or PMA. Since you already authenticated to the Panel.

Same with going to PMA inside the user side of cpanel. You can just click on PMA and it opens. All because you are already logged in.

 

[sparek]

User:
Like in the User Side of Cpanel. When you are already logged in you can be automatically be taken into your email account. You can also go to the email area and choose an account and it will just open for you. It knows the password you set for Webmail or PMA. Since you already authenticated to the Panel.

Same with going to PMA inside the user side of cpanel. You can just click on PMA and it opens. All because you are already logged in.

I think that's a derivative of cPanel's security model of running processes at escalated privileges. To my knowledge, DirectAdmin doesn't follow that model so I don't know if that's going to be possible.

The control panel user can still change the password to the email account... but it can't actually log into the email account. (Although, it can still read the mail).

From the standpoint of DirectAdmin... this would seem to have to be something that they would have to spend time developing and I just don't know if it's worth that amount of effort. (or maybe it is... I really don't know).

From a security stand point... any where where you automatically get logged in... that's a security concern. Because that information is stored some where. Do you have your username and password for this DirectAdmin forum saved in your browser? It's stored some where on your computer then. All it takes is a trojan or rogue program to run on your computer or device and find where that information is stored and then it can send your log information to whoever it wants to. That would be my concern with any auto login system.

 

[factor]

I don't know if that's going to be possible.

I don't think any of us do know about that. Hence why its a request..

I just don't know if it's worth that amount of effort.

Again none of us do we didn't program DA. If you don't ask you don't receive.

I look at it as opportunity for constructive growth. They are a company and we are the clients. So we ask.. They say yes or no. We are just dialoging.

 

[sparek]

I look at it as opportunity for constructive growth. They are a company and we are the clients. So we ask.. They say yes or no. We are just dialoging.

That's true and that's fair.

I just believe in constructive criticism, if you want to call it that. Whether it's in the boardroom, executive session, or here on a forum - hearing the negative side of something can provide perspective on an issue. That doesn't mean the negatives outweighs the positives or anything like that. But it adds perspective.

I think one of the growing issues I had with cPanel over the past few years was the growing sentiment to never listen to the negatives. Feature requests would come through that - and maybe it was just my opinion - I didn't see a lot of value in those features. But yet, time was spent developing those features. Was enough perspective added in determining the feasibility of those features?

Feature requests tend to be a lot like reviews.

Go to look up a review for a product... you're going to find a lot of negative reviews. Does that make the product bad? Not necessarily. People who are satisfied with the product don't have as much of a vested interested in providing a review versus someone who was unsatisfied with the product. Everybody that is unsatisfied with the product wants everybody else to know how horrible the product is.

Feature requests tend to entice the crowd that wants the feature to add to add their 2 cents. So you get a feature request with a lot of positive feedback but not necessarily a lot of critical thinking. If you have a feature request system with votes, a certain request might get 200 votes and you might think, wow there's a lot of people that want that feature. But if your user base is 20,000 ... that's 1%.

TL;DR - I'd just hate to see DirectAdmin go down the path that I think cPanel went down - and that's answering every little feature request possible. I'm fine with feature request. I'm fine with discussing them. But if it takes development time and effort away from other areas that need attention... I think a lot of times that's an unseen cost.

 

[Active8]

TL;DR - I'd just hate to see DirectAdmin go down the path that I think cPanel went down - and that's answering every little feature request possible. I'm fine with feature request. I'm fine with discussing them. But if it takes development time and effort away from other areas that need attention... I think a lot of times that's an unseen cost.

Totally agree with this , for lot of early DA adapters was the simplicity and clean panel the reason to choose for DA instead of cPanel
I don't want see DA a becoming a fork of cPanel

 

[LawsHosting]

But phpMyAdmin... how big of a case is this for non-DirectAdmin users? Why not just install phpMyAdmin on the publicly accessible area of the web hosting account for accounts that need this functionality?

What does this even mean? You mean on their own domain? Why would this be even safer than the way it is now, or different? They need to keep updating it.

 

[sparek]

What does this even mean? You mean on their own domain? Why would this be even safer than the way it is now, or different? They need to keep updating it.

This means...

Say you have a server with 300 accounts on it.

Only 1 of those accounts has a need for a publicly facing phpMyAdmin. The other 299 could care less or just use the one from the DirectAdmin User panel.

Why should those 299 have to worry with exploits knowing that a potential attacker could just go to /phpmyadmin and attempt to access any database on the server?

Why should DirectAdmin developers spend time adding this to the DirectAdmin core if 299 out of 300 don't really need it?

If one person needs phpMyAdmin to be publicly accessible... that one person can install it on the publicly facing part of their web hosting account. Yes, it will have to be kept up-to-date... but that's part of the responsibility of installing the script. If the person needs it that bad... they are going to have to bear a lot of the burden.

 

[DewlanceVPS]

Autologin of phpMyAdmin/Webmail and roadmap feature will be good for us.

It will be good to see whats happening on DA and don't need to ask.

 

[LawsHosting]

f one person needs phpMyAdmin to be publicly accessible... that one person can install it on the publicly facing part of their web hosting account. Yes, it will have to be kept up-to-date

Or...... Let admins rename the phpmyadmin directory as an option in directadmin.conf........ Then, that'll help deter brute-force attacks......

Doesn't make it more secure if this auto-login does pass through btw, but still... an option..

 

[aitorserra]

I vote for auto-login to phpmyadmin and mail accounts, thank you.

 

[Richard8]

wAAPGQ

I am definitely in favor of:

Auto login to Phpmyadmin (speed up development, one less login to enter when I'm coding and need quick access)

Auto login to Webmail (especially for the Admin user to be able to login to any email without needing to reset or know the password. Sure, I can go into the folders in Terminal but if you let me switch users (Login as) you should let me enter emails passwordless too as admin.

DirectWebmail
Some basic standalone options for "email" or "email-only" users where you have a small version of DirectAdmin panel with basic options, such as Change Password, Enable 2FA (maybe?), Adjust SpamAssassin based on options (either full rules, or just what DA already has like subject rewrite, threshold, etc.). Most importantly, the ability to get all the email settings. Even if it doesn't come in a pretty Outlook config or Android or whatever, as long as the user knows that they need to type theirname .com or mail.theirname, and reminder that the email address is also the username, WITH the @ sign (if I had a penny for every time I had to point out this....).

Now, this is NOT to clone cPanel. In fact, there are many panels that have email options built in which are separate from giving the user their own giant panel, or making them a reseller just to manage some emails. My clients wouldn't know what to do with all these Reseller options if I told them to login and turn off SpamAssassin for their email because they think some important message is getting blocked.

 

[sparek]

Just realized that phpMyAdmin is not on the DirectAdmin side of things.

I don't particularly like that.

In my opinion... phpMyAdmin should only be accessible through the port 2222 backend. If an end-user wants to install a separate phpMyAdmin and make it publicly accessible on their site, that's their prerogative.

But I don't particularly like the link to phpMyAdmin in the user's control panel to link outside of port 2222 to a port 80 or port 443 version of a DirectAdmin controlled phpMyAdmin. I would prefer everything within the control panel (and admin and reseller panels) to be self-contained. Aside from webmail - which I might refer to as an exception but not the rule.

Auto-login... I'm not going to get too bent out of shape in regards to that. I'm fine with forcing a control panel user to log in again with their login information... obviously if they are in the DirectAdmin user panel, then they know the username and password to log in with.

 

[ditto]

[..]In my opinion... phpMyAdmin should only be accessible through the port 2222 backend. If an end-user wants to install a separate phpMyAdmin and make it publicly accessible on their site, that's their prerogative.[..]

I have to disagree with you. On our shared hosting servers, we do not allow customers to install phpMyAdmin, because we would not expect them to upgrade every time there is a new version and security fix. So this is not a option for us, we do not allow customer to install phpMyAdmin.

Also, as said before. We want to continue to be able to offer phpMyAdmin outside of DirectAdmin, just like we have been doing for 10 years. I urge DirectAdmin to take current customers in consideration when/if changing this, so that we can have a option in directadmin.conf to continue to offer phpMyAdmin outside of the control panel. Some reasons:

Our customers need to be able to log into phpMyAdmin manually with the same username/password as their DirectAdmin account, this give them the benefit of managing all their databases in one/same login.

Also when customers hire external developers for their site, they give the developer the database username and password, and create a FTP account for them, then they do not need to give the developer access to DirectAdmin control panel, but instead only limited access to phpMyAdmin (one database) and FTP.

Also, for 10 years we have informed our customers WHERE to login to phpMyAdmin (at server.hostname.com/phpmyadmin), and we do not want any sudden change for this.

Of course DirectAdmin can limit access to phpMyAdmin to be behind 2222, I only ask for them to take current customers in consideration and offer a option in directadmin.conf so that we can continue to offer phpMyAdmin outside of DirectAdmin.

I am tired of this discussion. This will be my last reply, and I hope DirectAdmin developers also can respect current long time customers in this regard.

Also, as said in another thread: Generally, I think DirectAdmin developers should take a pause for thought, there is no need to try to make a cPanel clone. Everybody from cPanel want everything to be the same as before, but give them some time to get used to DirectAdmin before to many drastically changes are made.

 

[woktron]

I'm sure it will be a fine balancing act to align the wishes of longterm DA users with those coming from cPanel.

As longterm DA users we'd lose quite a substantial part of our customers if webmail could only be accessed from the panel, so I'd favor to only include this as an option if it needs to be included at all. We host lots of small businesses that rely on this functionality on a daily basis. Having to login to (a minimal version of) DA before being able to access webmail also sounds horribly convoluted. phpmyadmin autologin does sound handy, but again it should be optional. There are times where you may want to give a third party access.

Honestly, I'm all for improvements and feature additions but the last thing I'd want is for DirectAdmin to be overcome by feature bloat and to completely take over a server. There is a reason why users picked DirectAdmin over cPanel and it is because the panel is lean and nimble. You are still given the opportunity to administer your server without having to deal with cPanels idiosyncrasies.

So yes, by all means do move forward but please do keep in mind the lean aspect of DA.

Having said that, I'd like to see:

- incremental backups (the current feature set as well as 3rd party plugins are not sufficient)
- better Autodiscovery for mail clients
- a security audit. The cPanel restore functionality might open up a number of security issues.
- HA / clustering
- improved installation routine. Nothing wrong with the current install process, but if some of the more common post install actions could be included, then that would be great!

 

[sparek]

Well, in my opinion... and to be blunt... I think the decision to put phpMyAdmin on the front-end web server was a bad idea. And I think this underscores why it's so important to take time and consider all avenues when looking at a feature request. I've been there. From a developer's point of view - adding a feature you envision it being used a certain, certain way. But then when it actually gets out in public, it's used an entirely different way. It's a whole lot easier to resolve issues in forethought than to have to backtrack months or years afterwards.

Again, using the example of phpMyAdmin here - I think it would be better served if it was only accessible in the back-end. But since it's on the front-end and has been for several years... removing it from the front-end is going to present problems because certain people are used to accessing it this way.

I'm not sure how you will be able to implement an auto-login with it being on the front-end.

Reasons why I think this decision was a bad idea:

1) What link does the phpMyAdmin link in the user's panel link to? Is it always https? What if that domain name doesn't have a secure certificate?

2) What if the front-end PHP is upgraded or otherwise changed in such a way that phpMyAdmin then fails to function?

3) What if the web-server on the front-end is changed in such a way that phpMyAdmin fails to function?

4) What if a vulnerability is discovered in phpMyAdmin that allows information to leak out? With this being on the front-end it is much easier for non-panel clients to potentially exploit this.

5) I still stand on ... if a particular website wants phpMyAdmin to be public facing, they always had the option to install it themselves on the public facing portion of their account. And unless you are physically checking every account every day or every hour... how are you going to know that your end-users aren't installing it themselves?

6) Generally, I'm just opposed to anything on the back-end (i.e. the user's panel) relying on anything on the front-end (i.e. port 80 and port 443 webservers) because then the back-end does not become self-contained. The one exception perhaps being webmail - although I'm not sure how vital that is to anything on the back-end.

Now... having said all of that. Given that phpMyAdmin has been on the front-end for some time with DirectAdmin - I don't think you can remove it from the frontend now. We'll just have to deal with this the best way we can.

But what I would encourage all to take away from this is the importance of thinking things through thoroughly. Just because someone has an idea for a neat feature doesn't mean it has to be implemented with zero thought going into the feature. I'm in agreement with @woktron that there may be other feature requests that need more urgent attention - but even so I would encourage a lot of thought to go into any feature, no matter how small.

 

[ditto]

1) What link does the phpMyAdmin link in the user's panel link to? Is it always https? What if that domain name doesn't have a secure certificate?

It is always https if you have configured it to be https. That is the choice of the server admin. It would link to server.hostname.com/phpmyadmin (unless you have configured it in another way).

2) What if the front-end PHP is upgraded or otherwise changed in such a way that phpMyAdmin then fails to function?

phpMyAdmin is frequently updated and developed to support the newest versions of Apache and PHP. If phpMyAdmin not yet support a new major PHP version, that indicate that you have upgraded to the new PHP version to soon, and should hold off updating to the newest PHP version for a few more months.

3) What if the web-server on the front-end is changed in such a way that phpMyAdmin fails to function?

Well, that is your responsibility as a server admin to make sure don't happen.

4) What if a vulnerability is discovered in phpMyAdmin that allows information to leak out? With this being on the front-end it is much easier for non-panel clients to potentially exploit this.

DirectAdmin has setup phpMyAdmin with htpasswd on the login page, that means you will not be able to exploit security vulnerabilities without first login to phpMyAdmin.

5) I still stand on ... if a particular website wants phpMyAdmin to be public facing, they always had the option to install it themselves on the public facing portion of their account. And unless you are physically checking every account every day or every hour... how are you going to know that your end-users aren't installing it themselves?

As said we do not allow customers to install phpMyAdmin, and from time to time we scan our servers for phpMyAdmin, just like we scan our servers for other scripts that is not secure or outdated.

6) Generally, I'm just opposed to anything on the back-end (i.e. the user's panel) relying on anything on the front-end (i.e. port 80 and port 443 webservers) because then the back-end does not become self-contained. The one exception perhaps being webmail - although I'm not sure how vital that is to anything on the back-end.

I don't know if this was meant as a question. However as said many times, we do not want phpMyAdmin to be hosted behind port 2222, we need it to be public facing like it has been since year 2003. I would not want the back-end to become self-contained, phpMyAdmin and Roundcube webmail is not developed by DirectAdmin, and there is no need to try to melt it all together, it would just end up being a lot of bloatware, just like cPanel has become.

 

[LawsHosting]

Please stop going over and over about the same thing..... Very monotonous.

DA is DA, cPanel is cPanel..... Stop trying to get into the idea that DA will be like cPanel.... Never will be.....

Get used to DA or pay the ridiculous price of cPanel...... Simple

 

[kang28ivan]

Please stop going over and over about the same thing..... Very monotonous.

DA is DA, cPanel is cPanel..... Stop trying to get into the idea that DA will be like cPanel.... Never will be.....

Get used to DA or pay the ridiculous price of cPanel...... Simple

I understand your words, but most hosting users are familiar with Cpanel, and I agree with what was discussed earlier that this would be better if given the option to enable auto login or disable it.

I have experienced it a few days ago after migrating from cpanel, some of client have difficulty logging into phpmyadmin and have to open wp-config.php first to see their database user and password. it is not a big problem if only have 1 database account, but if in one account you have a lot of databases it will be tiring. I only feel that if I am also a hosting user, and not only Cpanel have auto login to phpmyadmin, but the new control panel like cwp and cyberpanel has implemented it.

which determine the DA developer and we just wait for whether it will be implemented or not, it's up to them. We as customers are also entitled to request features if it is expected to be useful.

 

[ditto]

[..]I have experienced it a few days ago after migrating from cpanel, some of client have difficulty logging into phpmyadmin and have to open wp-config.php first to see their database user and password. it is not a big problem if only have 1 database account, but if in one account you have a lot of databases it will be tiring.[..]

Just instruct your users to login to phpMyAdmin with the same username/password they use when they log into DirectAdmin, then they will have all the databases available in phpMyAdmin in the same login.

 

[kang28ivan]

Just instruct your users to login to phpMyAdmin with the same username/password they use when they log into DirectAdmin, then they will have all the databases available in phpMyAdmin in the same login.

I know, but you must be able to position yourself as a hosting customer.
most customers will not remember the password to login control panel, even when still on cpanel. talking is easy but in reality it's not that easy