The main thing for my use is being able to hit something from inside of Roundcube (which my curl- response scraping, slightly-adjusted LeeWells Roundcube–Virtualmin-Plugin–Driver, does).
Personally I have never thought much of password confirmation to change passwords in general (I get it that someone might hit the back button but I see that as an overkill provision for most things) and I am generally annoyed when I run into them (especially in the age of ‘my browser/OS makes up and stores my passwords for me’)… and I always think “Haven’t I already proven that I know my password, I’m looking at this page aren’t I?” (and my auto-password-filler never seems to recognize that it needs to fill this one so I have to go look it up, etc…)
If I had the time and expertise I might even try to hack out that confirmation bit from my current thing. I notice that enabling the “Password” button in Roundcube doesn’t automatically have it, so it must be a provision of the Roundcube driver.
In general though, yes. “Reset your password” links seem common enough that everyday civilians understand what they are and what to do about them. If there were a way to send something like that from inside of Roundcube I would probably lean toward that if only because it seems likely to be faster than waiting around for curl to login as the user and less likely to blow-up with a Virtualmin update.
An innate solution might also be superior to my current “forgot password” hack which combines Roundcube with another thread (Webmin Virtualmin Password Recovery) and involves the webmin-virtualmin-password-recovery plugin, which itself puts an always-present “Forgot Your Password?” button on the Webmin/Usermin login page. You now get “Login Failed: Forgot your password?” and if you click its link you are taken to the virtualmin-password-recovery plugin page (or rather a stripped down version of that which only offers to send you a password reset link).
(Clicking "Forgot your password:)
Something a little prettier, maybe that knows what domain you are and has it hard-filled so that the user only has to enter their login, and the page only accepts requests for its own domain’s users (currently I can visit anothertest.com’s virtualmin password recovery and ask it to send someone@changepasswordtest.com a password recovery link, which is minor but still), like:
Password reset for: [LOGIN-BOX] @anothertest.com
(With that @anothertest.com being unchangeable and culled from the site you are at, would be nice.)
Some kind of “must have been redirected from here” list/technology would be nice as well. The current plugin version can be visited from anywhere by anyone who knows the path so it seems plausible that some miscreant will eventually abuse this and send new password links to as many email addresses as he can guess rightly.
(I plan to add a “How to Add A Forgot Your Password Link to Roundcube” thread in case it ever comes in handy for anyone, or I don’t remember well enough to easily replicate it later on… since this one involves altering Roundcube’s index.php, which seems likely to change over versions. You have mentioned working on building password resetting into Usermin in that other thread so I was waiting to see what that version looks like before writing it up.)