Merge #2005

2005: SESSION_COOKIE_SECURE and HTTP won't work; make it explicit by displaying an alert r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

Display an explicit alert and disable the login form (using javascript) when we have SESSION_COOKIE_SECURE=True and clients using HTTP to access it.

### Related issue(s)
- close #1996

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>

core/admin/assets/app.js

@@ -66,5 +66,12 @@ $('document').ready(function() {
     // init clipboard.js
     new ClipboardJS('.btn-clip');
 
+    // disable login if not possible
+    var l = $('#login_needs_https');
+    if (l.length && window.location.protocol != 'https:') {
+        l.removeClass("d-none");
+        $('form :input').prop('disabled', true);
+    }
+
 });
 

core/admin/mailu/ui/templates/login.html

@@ -7,3 +7,12 @@
 {%- block subtitle %}
 {% trans %}to access the administration tools{% endtrans %}
 {%- endblock %}
+
+{%- block content %}
+{% if config["SESSION_COOKIE_SECURE"] %}
+<div id="login_needs_https" class="alert alert-danger d-none" role="alert">
+{% trans %}The login form has been disabled as <b>SESSION_COOKIE_SECURE</b> is on but you are accessing Mailu over HTTP.{% endtrans %}
+</div>
+{% endif %}
+{{ super() }}
+{%- endblock %}

towncrier/newsfragments/1996.enhancement

@@ -0,0 +1 @@
+Disable the login page if SESSION_COOKIE_SECURE is incompatible with how Mailu is accessed as this seems to be a common misconfiguration.