Compare revisions

98fe5690 · 98fe5690 · 98fe5690 · 98fe5690 · 98fe5690 · 98fe5690
--- a/uffd/oauth2/templates/oauth2/logout.html
+++ b/uffd/oauth2/templates/oauth2/logout.html
-{% extends 'base.html' %}
+{% extends 'base_narrow.html' %}

 {% block body %}
-<div class="row mt-2 justify-content-center">
-	<div class="col-lg-6 col-md-10" style="background: #f7f7f7; box-shadow: 0px 2px 2px rgba(0, 0, 0, 0.3); padding: 30px;">
-		<div class="text-center">
-			<img alt="branding logo" src="{{ config.get("BRANDING_LOGO_URL") }}" class="col-lg-8 col-md-12" >
-		</div>
-		<div class="col-12">
-			<h2 class="text-center">{{_('Logout')}}</h2>
-		</div>
+<div class="col-12">
+	<h2 class="text-center">{{_('Logout')}}</h2>
+</div>

-		<div class="col-12">
-			<noscript>
-				<div class="alert alert-warning" role="alert">{{_('Javascript is required for automatic logout')}}</div>
-			</noscript>
-			<p>{{_('While you successfully logged out of the Single-Sign-On service, you may still be logged in on these services:')}}</p>
-			<ul>
-			{% for client in clients if client.logout_urls %}
-				<li class="client" data-urls='{{ client.logout_urls|tojson }}'>
-					{{ client.client_id }}
-					<span class="status-active spinner-border spinner-border-sm d-none" role="status" aria-hidden="true"></span>
-					<i class="status-success fas fa-check d-none"></i>
-					<i class="status-failed fas fa-exclamation d-none"></i>
-				</li>
-			{% endfor %}
-			</ul>
+<div class="col-12">
+	<noscript>
+		<div class="alert alert-warning" role="alert">{{_('Javascript is required for automatic logout')}}</div>
+	</noscript>
+	<p>{{_('While you successfully logged out of the Single-Sign-On service, you may still be logged in on these services:')}}</p>
+	<ul>
+	{% for client in clients if client.logout_uris %}
+		<li class="client" data-urls='{{ client.logout_uris_json }}'>
+			{{ client.service.name }}
+			<span class="status-active spinner-border spinner-border-sm d-none" role="status" aria-hidden="true"></span>
+			<i class="status-success fas fa-check d-none"></i>
+			<i class="status-failed fas fa-exclamation d-none"></i>
+		</li>
+	{% endfor %}
+	</ul>

-			<p>
-				{{_('Please wait until you have been automatically logged out of all services or make sure of this yourself.')}}
-			</p>
+	<p>
+		{{_('Please wait until you have been automatically logged out of all services or make sure of this yourself.')}}
+	</p>

-			<button id="retry-button" class="btn btn-block btn-primary d-none" disabled>
-				<span id="cont-text">{{_('Logging you out on all services ...')}}</span>
-			</button>
+	<button id="retry-button" class="btn btn-block btn-primary d-none" disabled>
+		<span id="cont-text">{{_('Logging you out on all services ...')}}</span>
+	</button>

-			<a href="{{ request.values.get('ref') or '/' }}" class="btn btn-block btn-secondary">
-				<span>{{_('Skip this and continue')}}</span>
-			</a>
+	<a href="{{ request.values.get('ref') or '/' }}" class="btn btn-block btn-secondary">
+		<span>{{_('Skip this and continue')}}</span>
+	</a>

-		</div>
-	</div>
 </div>

 <script>
@@ -60,7 +53,6 @@ function logout_services() {
 			});
 		});
 		p = p.then(function () {
-			console.log('done', elem);
 			elem.find('.status-active').addClass('d-none');
 			elem.find('.status-success').removeClass('d-none');
 			elem.removeClass('client');
@@ -68,13 +60,11 @@ function logout_services() {
 		.catch(function (err) {
 			elem.find('.status-active').addClass('d-none');
 			elem.find('.status-failed').removeClass('d-none');
-			console.log(err);
 			throw err;
 		});
 		all_promises.push(p);
 	});
 	Promise.allSettled(all_promises).then(function (results) {
-		console.log(results);
 		for (result of results) {
 			if (result.status == 'rejected')
 				throw result.reason;

--- a/uffd/role/templates/role/list.html
+++ b/uffd/role/templates/role/list.html
--- a/uffd/role/templates/role/show.html
+++ b/uffd/role/templates/role/show.html
@@ -7,9 +7,9 @@
 </div>
 {% endif %}

-<form action="{{ url_for("role.update", roleid=role.id) }}" method="POST">
+<form action="{{ url_for("role.update", roleid=role.id) }}" method="POST" autocomplete="off">
 <div class="align-self-center">
-	<div class="float-sm-right pb-2">
+	<div class="clearfix pb-2"><div class="float-sm-right">
 		<button type="submit" class="btn btn-primary"><i class="fa fa-save" aria-hidden="true"></i> {{_("Save")}}</button>
 		<a href="{{ url_for("role.index") }}" class="btn btn-secondary">{{_("Cancel")}}</a>
 		{% if role.id %}
@@ -23,7 +23,7 @@
 			<a href="#" class="btn btn-secondary disabled">{{_("Set as default")}}</a>
 			<a href="#" class="btn btn-danger disabled"><i class="fa fa-trash" aria-hidden="true"></i> {{_("Delete")}}</a>
 		{% endif %}
-	</div>
+	</div></div>
 	<ul class="nav nav-tabs pt-2 border-0" id="tablist" role="tablist">
 		<li class="nav-item">
 			<a class="nav-link active" id="settings-tab" data-toggle="tab" href="#settings" role="tab" aria-controls="settings" aria-selected="true">{{_("Settings")}}</a>
@@ -55,7 +55,7 @@
 				<select class="form-control" id="moderator-group" name="moderator-group" {{ 'disabled' if role.locked }}>
 					<option value="" class="text-muted">{{_("No Moderator Group")}}</option>
 					{% for group in groups %}
-					<option value="{{ group.dn }}" {{ 'selected' if group == role.moderator_group }}>{{ group.name }}</option>
+					<option value="{{ group.id }}" {{ 'selected' if group == role.moderator_group }}>{{ group.name }}</option>
 					{% endfor %}
 				</select>
 			</div>
@@ -63,7 +63,7 @@
 				<span>{{_("Moderators")}}:</span>
 				<ul class="row">
 					{% for moderator in role.moderator_group.members %}
-					<li class="col-12 col-xs-6 col-sm-4 col-md-3 col-lg-2"><a href="{{ url_for("user.show", uid=moderator.uid) }}">{{ moderator.loginname }}</a></li>
+					<li class="col-12 col-xs-6 col-sm-4 col-md-3 col-lg-2"><a href="{{ url_for("user.show", id=moderator.id) }}">{{ moderator.loginname }}</a></li>
 					{% endfor %}
 				</ul>
 			</div>
@@ -71,7 +71,7 @@
 				<span>{{_("Members")}}:</span>
 				<ul class="row">
 				{% for member in role.members|sort(attribute='loginname') %}
-					<li class="col-12 col-xs-6 col-sm-4 col-md-3 col-lg-2"><a href="{{ url_for("user.show", uid=member.uid) }}">{{ member.loginname }}</a></li>
+					<li class="col-12 col-xs-6 col-sm-4 col-md-3 col-lg-2"><a href="{{ url_for("user.show", id=member.id) }}">{{ member.loginname }}</a></li>
 				{% endfor %}
 				</ul>
 			</div>
@@ -90,7 +90,7 @@
 					</thead>
 					<tbody>
 						{% for r in roles|sort(attribute="name")|sort(attribute='name') %}
-						<tr id="include-role-{{ role.id }}">
+						<tr id="include-role-{{ r.id }}">
 							<td>
 								<div class="form-check">
 									<input class="form-check-input" type="checkbox" id="include-role-{{ r.id }}-checkbox" name="include-role-{{ r.id }}" value="1" aria-label="enabled"
@@ -108,7 +108,7 @@
 							</td>
 							<td>
 								{% for group in r.groups_effective|sort(attribute='name') %}
-									<a href="{{ url_for("group.show", gid=group.gid) }}">{{ group.name }}</a>{{ ', ' if not loop.last }}
+									<a href="{{ url_for("group.show", id=group.id) }}">{{ group.name }}</a>{{ ', ' if not loop.last }}
 								{% endfor %}
 							</td>
 						</tr>
@@ -131,14 +131,14 @@
 					</thead>
 					<tbody>
 						{% for group in groups|sort(attribute="name") %}
-						<tr id="group-{{ group.gid }}">
+						<tr id="group-{{ group.id }}">
 							<td>
 								<div class="form-check">
-									<input class="form-check-input" type="checkbox" id="group-{{ group.gid }}-checkbox" name="group-{{ group.gid }}" value="1" aria-label="enabled" {% if group in role.groups %}checked{% endif %} {{ 'disabled' if role.locked }}>
+									<input class="form-check-input" type="checkbox" id="group-{{ group.id }}-checkbox" name="group-{{ group.id }}" value="1" aria-label="enabled" {% if group in role.groups %}checked{% endif %} {{ 'disabled' if role.locked }}>
 								</div>
 							</td>
 							<td>
-								<a href="{{ url_for("group.show", gid=group.gid) }}">
+								<a href="{{ url_for("group.show", id=group.id) }}">
 									{{ group.name }}
 								</a>
 							</td>
@@ -147,7 +147,7 @@
 							</td>
 							<td>
 								<div class="form-check">
-									<input class="form-check-input" type="checkbox" id="group-mfa-{{ group.gid }}-checkbox" name="group-mfa-{{ group.gid }}" value="1" aria-label="enabled" {% if group in role.groups and role.groups[group].requires_mfa %}checked{% endif %} {{ 'disabled' if role.locked }}>
+									<input class="form-check-input" type="checkbox" id="group-mfa-{{ group.id }}-checkbox" name="group-mfa-{{ group.id }}" value="1" aria-label="enabled" {% if group in role.groups and role.groups[group].requires_mfa %}checked{% endif %} {{ 'disabled' if role.locked }}>
 								</div>
 							</td>
 						</tr>

--- a/uffd/rolemod/templates/rolemod/list.html
+++ b/uffd/rolemod/templates/rolemod/list.html
--- a/uffd/rolemod/templates/rolemod/show.html
+++ b/uffd/rolemod/templates/rolemod/show.html
@@ -4,9 +4,7 @@

 <form method="POST" action="{{ url_for("rolemod.update", role_id=role.id) }}">
 	<div class="float-sm-right pb-2">
-		{% if config['ENABLE_INVITE'] %}
 		<a href="{{ url_for("invite.new", **{"role-%d"%role.id: 1}) }}" class="btn btn-primary mr-2"><i class="fa fa-link" aria-hidden="true"></i> {{_('Invite Members')}}</a>
-		{% endif %}
 		<button type="submit" class="btn btn-primary"><i class="fa fa-save" aria-hidden="true"></i> {{_('Save')}}</button>
 		<a href="{{ url_for("rolemod.index") }}" class="btn btn-secondary">{{_('Cancel')}}</a>
 	</div>
@@ -52,7 +50,7 @@
 						<tr>
 							<td>{{ member.displayname }} ({{ member.loginname }})</td>
 							<td class="text-right">
-								<a class="btn btn-danger py-0" href="{{ url_for('rolemod.delete_member', role_id=role.id, member_dn=member.dn) }}">{{_('Remove')}}</a>
+								<a class="btn btn-danger py-0" href="{{ url_for('rolemod.delete_member', role_id=role.id, member_id=member.id) }}">{{_('Remove')}}</a>
 							</td>
 						</tr>
 						{% endfor %}

--- a/uffd/mfa/templates/mfa/disable.html
+++ b/uffd/mfa/templates/mfa/disable.html
@@ -7,7 +7,7 @@
 	You can later generate new recovery codes and setup your applications and devices again.")}}
 </p>

-<form class="form" action="{{ url_for('mfa.disable_confirm') }}" method="POST">
+<form class="form" action="{{ url_for('selfservice.disable_mfa_confirm') }}" method="POST">
 	<button type="submit" class="btn btn-danger btn-block">{{_("Disable two-factor authentication")}}</button>
 </form>


--- a/uffd/templates/selfservice/forgot_password.html
+++ b/uffd/templates/selfservice/forgot_password.html
+{% extends 'base_narrow.html' %}
+
+{% block body %}
+<form action="{{ url_for("selfservice.forgot_password") }}" method="POST">
+	<div class="col-12">
+		<h2 class="text-center">{{_("Forgot password")}}</h2>
+	</div>
+	<div class="form-group col-12">
+		<label for="user-loginname">{{_("Login Name")}}</label>
+		<input type="text" autocomplete="username" class="form-control" id="user-loginname" name="loginname" required="required" tabindex="1">
+	</div>
+	<div class="form-group col-12">
+		<label for="user-mail">{{_("Mail Address")}}</label>
+		<input type="email" autocomplete="email" class="form-control" id="user-mail" name="mail" required="required" tabindex="2">
+	</div>
+	<div class="form-group col-12">
+		<button type="submit" class="btn btn-primary btn-block" tabindex="3">{{_("Send password reset mail")}}</button>
+	</div>
+</form>
+{% endblock %}
--- a/uffd/selfservice/templates/selfservice/mailverification.mail.txt
+++ b/uffd/selfservice/templates/selfservice/mailverification.mail.txt
 Hi {{ user.displayname }},

 you have requested to change your mail address. To confirm the change, please visit the following url:
-{{ url_for('selfservice.token_mail', token=token, _external=True) }}
+{{ url_for('selfservice.verify_email', email_id=email.id, secret=secret, _external=True) }}

 **The link is valid for 48h**
--- a/uffd/selfservice/templates/selfservice/newuser.mail.txt
+++ b/uffd/selfservice/templates/selfservice/newuser.mail.txt
@@ -4,7 +4,7 @@ welcome to the {{ config.ORGANISATION_NAME }} infrastructure! An account was cre

 Please visit the following url to set your password:

-{{ url_for('selfservice.token_password', token=token, _external=True) }}
+{{ url_for('selfservice.token_password', token_id=token.id, token=token.token, _external=True) }}

 **The link is valid for 48h**


--- a/uffd/selfservice/templates/selfservice/passwordreset.mail.txt
+++ b/uffd/selfservice/templates/selfservice/passwordreset.mail.txt
 Hi {{ user.displayname }},

 you have requested a password reset. To reset your password, visit the following url:
-{{ url_for('selfservice.token_password', token=token, _external=True) }}
+{{ url_for('selfservice.token_password', token_id=token.id, token=token.token, _external=True) }}

 **The link is valid for 48h**


--- a/uffd/selfservice/templates/selfservice/self.html
+++ b/uffd/selfservice/templates/selfservice/self.html
@@ -9,36 +9,122 @@
 </div>
 {% endif %}

-<div class="row mt-3">
+<div class="row">
 	<div class="col-12 col-md-5">
 		<h5>{{_("Profile")}}</h5>
-		<p>{{_("Your profile information is used by all services that are integrated into the Single-Sign-On. Your e-mail address is also used for password recovery.")}}</p>
-		<p>{{_("Changes may take serveral minutes to be visible in all services.")}}</p>
+		<p>{{_("Your profile information is used by all services that are integrated into the Single-Sign-On.")}}</p>
+		<p>{{_("Changes may take several minutes to be visible in all services.")}}</p>
 	</div>
 	<div class="col-12 col-md-7">
 		<form class="form" action="{{ url_for("selfservice.update_profile") }}" method="POST">
-			<div class="form-row">
-				<div class="form-group col-12 col-md-9">
-					<label>{{_("Login Name")}}</label>
-					<input type="text" class="form-control" value="{{ user.loginname }}" readonly>
-				</div>
-				<div class="form-group col-12 col-md-3">
-					<label>{{_("User ID")}}</label>
-					<input type="text" class="form-control" value="{{ user.uid }}" readonly>
-				</div>
+			<div class="form-group">
+				<label>{{_("Login Name")}}</label>
+				<input type="text" class="form-control" value="{{ user.loginname }}" readonly>
 			</div>
 			<div class="form-group">
 				<label>{{_("Display Name")}}</label>
 				<input type="text" class="form-control" id="user-displayname" name="displayname" value="{{ user.displayname }}">
 			</div>
+			<button type="submit" class="btn btn-primary btn-block">{{_("Update Profile")}}</button>
+		</form>
+	</div>
+</div>
+
+<hr>
+
+<div class="row">
+	<div class="col-12 col-md-5">
+		<h5>{{_("E-Mail Addresses")}}</h5>
+		<p>{{_("Add and delete addresses associated with your account. You will need to verify new addresses by opening a link set to them.")}}</p>
+	</div>
+	<div class="col-12 col-md-7">
+    <form method="POST" action="{{ url_for('selfservice.add_email') }}" class="form mb-2">
+      <div class="row m-0">
+        <label class="sr-only" for="new-email-address">{{_("Email")}}</label>
+        <input type="email" autocomplete="email" class="form-control mb-2 col-12 col-lg-auto mr-2" style="width: 20em;" id="new-email-address" name="address" placeholder="{{_("New E-Mail Address")}}" required>
+        <button type="submit" class="btn btn-primary mb-2 col">{{_("Add address")}}</button>
+      </div>
+    </form>
+		<table class="table mb-0">
+			<tbody>
+				{% for email in user.all_emails|sort(attribute='id') %}
+				<tr>
+					<td class="pl-0">
+						{{ email.address }}
+						{% if email == user.primary_email %}
+						<span class="badge badge-primary">{{ _('primary') }}</span>
+						{% elif not email.verified  %}
+						<span class="badge badge-danger">{{ _('unverified') }}</span>
+						{% endif %}
+					</td>
+					<td class="pt-2 pb-1 pr-0">
+						<form method="POST" action="{{ url_for('selfservice.delete_email', email_id=email.id) }}" onsubmit='return confirm({{_("Are you sure?")|tojson|e}});'>
+							<button type="submit" class="btn btn-sm btn-danger float-right ml-1 mb-1"{% if email == user.primary_email %} disabled title="{{ _('Cannot delete primary e-mail address') }}"{% endif %}>{{_("Delete")}}</button>
+						</form>
+						{% if not email.verified  %}
+						<a href="{{ url_for('selfservice.retry_email_verification', email_id=email.id) }}" class="btn btn-sm btn-primary float-right mb-1">{{_("Retry verification")}}</a>
+						{% endif %}
+					</td>
+				</tr>
+				{% endfor %}
+			</tbody>
+		</table>
+	</div>
+</div>
+
+<hr>
+
+{% set service_users_with_email_prefs = user.service_users|selectattr('has_email_preferences')|list %}
+{% set collapse_email_prefs = service_users_with_email_prefs|length > 2 %}
+<div class="row">
+	<div class="col-12 col-md-5">
+		<h5>{{_("E-Mail Preferences")}}</h5>
+		<p>
+			{{ _("Choose your primary e-mail address and the address password recovery e-mails will be sent to.") }}
+			{% if service_users_with_email_prefs %}
+			{{ _("You can also select different addresses for different services.") }}
+			{% endif %}
+		</p>
+		<p>{{ _("Adresses must be verified before you can select them here.") }}</p>
+	</div>
+	<div class="col-12 col-md-7">
+		<form class="form" action="{{ url_for("selfservice.update_email_preferences") }}" method="POST">
+			<div class="form-group">
+				<label>{{_("Primary Address")}}</label>
+				<select name="primary_email" class="form-control">
+					{% for email in user.all_emails if email.verified %}
+					<option value="{{ email.id }}" {{ 'selected' if email == user.primary_email }}>{{ email.address }}</option>
+					{% endfor %}
+				</select>
+			</div>
 			<div class="form-group">
-				<label>{{_("E-Mail Address")}}</label>
-				<input type="email" class="form-control" id="user-mail" name="mail" value="{{ user.mail }}" required>
-				<small class="form-text text-muted">
-					{{_("We will send you a confirmation mail to this address if you change it")}}
-				</small>
+				<label>{{_("Address for Password Reset E-Mails")}}</label>
+				<select name="recovery_email" class="form-control">
+					<option value="primary" {{ 'selected' if not user.recovery_email }}>{{ _('Use primary address') }}</option>
+					{% for email in user.all_emails if email.verified %}
+					<option value="{{ email.id }}" {{ 'selected' if email == user.recovery_email }}>{{ email.address }}</option>
+					{% endfor %}
+				</select>
 			</div>
-			<button type="submit" class="btn btn-primary btn-block">{{_("Update Profile")}}</button>
+			{% for service_user in service_users_with_email_prefs %}
+			{% if collapse_email_prefs and loop.index == 2 %}
+			<div id="collapsed-email-prefs">
+			{% endif %}
+			<div class="form-group">
+				<label>{{ _('Address for Service "%(name)s"', name=service_user.service.name) }}</label>
+				<select name="service_{{ service_user.service.id }}_email" class="form-control">
+					<option value="primary" {{ 'selected' if not service_user.service_email }}>{{ _('Use primary address') }}</option>
+					{% for email in user.all_emails if email.verified %}
+					<option value="{{ email.id }}" {{ 'selected' if email == service_user.service_email }}>{{ email.address }}</option>
+					{% endfor %}
+				</select>
+			</div>
+			{% endfor %}
+			{% if collapse_email_prefs %}
+			</div>
+			<button type="button" class="btn btn-sm btn-link pl-0 mb-1 showmore" data-target="#collapsed-email-prefs" style="display: none;" aria-expanded="false" aria-controls="collapsed-email-prefs">{{ _("Show more settings ...") }}</button>
+			{% endif %}
+			<button type="submit" class="btn btn-primary btn-block">{{_("Update E-Mail Preferences")}}</button>
 		</form>
 	</div>
 </div>
@@ -53,13 +139,13 @@
 	<div class="col-12 col-md-7">
 		<form class="form" action="{{ url_for("selfservice.change_password") }}" method="POST">
 			<div class="form-group">
-				<input type="password" class="form-control" id="user-password1" name="password1" placeholder="{{_("New Password")}}" required>
+				<input type="password" autocomplete="new-password" class="form-control" id="user-password1" name="password1" placeholder="{{_("New Password")}}" minlength={{ User.PASSWORD_MINLEN }} maxlength={{ User.PASSWORD_MAXLEN }} pattern="{{ User.PASSWORD_REGEX }}" required>
 				<small class="form-text text-muted">
-					{{_('At least 8 and at most 256 characters, no other special requirements.')}}
+					{{ User.PASSWORD_DESCRIPTION|safe }}
 				</small>
 			</div>
 			<div class="form-group">
-				<input type="password" class="form-control" id="user-password2" name="password2" placeholder="{{_("Repeat Password")}}" required>
+				<input type="password" autocomplete="new-password" class="form-control" id="user-password2" name="password2" placeholder="{{_("Repeat Password")}}" required>
 			</div>
 			<button type="submit" class="btn btn-primary btn-block">{{_("Change Password")}}</button>
 		</form>
@@ -81,7 +167,56 @@
 			{{ _("Two-factor authentication is currently <strong>disabled</strong>.")|safe }}
 			{% endif %}
 		</p>
-		<a class="btn btn-primary btn-block" href="{{ url_for('mfa.setup') }}">{{_("Manage two-factor authentication")}}</a>
+		<a class="btn btn-primary btn-block" href="{{ url_for('selfservice.setup_mfa') }}">{{_("Manage two-factor authentication")}}</a>
+	</div>
+</div>
+
+<hr>
+
+<div class="row mt-3">
+	<div class="col-12 col-md-5">
+		<h5>{{_("Active Sessions")}}</h5>
+		<p>{{_("Your active login sessions on this device and other devices.")}}</p>
+		<p>{{_("Revoke a session to log yourself out on another device. Note that this is limited to the Single-Sign-On session and <b>does not affect login sessions on services.</b>")}}</p>
+	</div>
+	<div class="col-12 col-md-7">
+		<table class="table">
+			<thead>
+				<tr>
+					<th scope="col">{{_("Last used")}}</th>
+					<th scope="col">{{_("Device")}}</th>
+					<th scope="col"></th>
+				</tr>
+			</thead>
+			<tbody>
+				<tr>
+					<td>{{_("Just now")}}</td>
+					<td>{{ request.session.user_agent_browser }} on {{ request.session.user_agent_platform }} ({{ request.session.ip_address }})</td>
+					<td></td>
+				</tr>
+				{% for session in user.sessions|sort(attribute='last_used', reverse=True) if not session.expired and session != request.session %}
+				<tr>
+					<td>
+						{% set last_used_rel = session.last_used - datetime.utcnow() %}
+						{% if -last_used_rel.total_seconds() <= 60 %}
+						{{_("Just now")}}
+						{% else %}
+						{{ last_used_rel|timedeltaformat(add_direction=True, granularity='minute') }}
+						{% endif %}
+					</td>
+					<td>{{ session.user_agent_browser }} on {{ session.user_agent_platform }} ({{ session.ip_address }})</td>
+					<td>
+						{% if session != request.session %}
+						<form action="{{ url_for("selfservice.revoke_session", session_id=session.id) }}" method="POST" onsubmit='return confirm({{_("Are you sure?")|tojson|e}});'>
+							<button type="submit" class="btn btn-sm btn-danger float-right">{{_("Revoke")}}</button>
+						</form>
+						{% endif %}
+					</td>
+				</tr>
+				{% endfor %}
+			</tbody>
+		</table>
+
 	</div>
 </div>

@@ -92,15 +227,12 @@
 		<h5>{{_("Roles")}}</h5>
 		<p>{{_("Aside from a set of base permissions, your roles determine the permissions of your account.")}}</p>
 		{% if config['SERVICES'] %}
-		<p>{{_("See <a href=\"%(services_url)s\">Services</a> for an overview of your current permissions.", services_url=url_for('services.index'))}}</p>
+		<p>{{_("See <a href=\"%(services_url)s\">Services</a> for an overview of your current permissions.", services_url=url_for('service.overview'))}}</p>
 		{% endif %}
 	</div>
 	<div class="col-12 col-md-7">
-		{% if config['ENABLE_INVITE'] %}
 		<p>{{_("Administrators and role moderators can invite you to new roles.")}}</p>
-		{% else %}
-		<p>{{_("Administrators can add new roles to your account.")}}</p>
-		{% endif %}
+
 		<table class="table">
 			<thead>
 				<tr>
@@ -119,11 +251,9 @@
 					</td>
 					<td>{{ role.description }}</td>
 					<td>
-						{% if config['ENABLE_ROLESELFSERVICE'] %}
 						<form action="{{ url_for("selfservice.leave_role", roleid=role.id) }}" method="POST" onsubmit='return confirm({{_("Are you sure?")|tojson|e}});'>
 							<button type="submit" class="btn btn-sm btn-danger float-right">{{_("Leave")}}</button>
 						</form>
-						{% endif %}
 					</td>
 				</tr>
 				{% endfor %}
@@ -134,7 +264,20 @@
 				{% endif %}
 			</tbody>
 		</table>
+
 	</div>
 </div>

+<script>
+$(".showmore").each(function () {
+	$(this).show()
+	$($(this).data("target")).hide()
+})
+$(".showmore").on("click", function () {
+	$(this).slideUp(200)
+	$(this).prop("ariaExpanded", true)
+	$($(this).data("target")).slideDown()
+})
+</script>
+
 {% endblock %}
--- a/uffd/templates/selfservice/set_password.html
+++ b/uffd/templates/selfservice/set_password.html
+{% extends 'base_narrow.html' %}
+
+{% block body %}
+<form action="{{ url_for("selfservice.token_password", token_id=token.id, token=token.token) }}" method="POST" onInput="password2.setCustomValidity(password1.value != password2.value ? 'Passwords do not match.' : '') ">
+	<div class="col-12">
+		<h2 class="text-center">{{_("Reset password")}}</h2>
+	</div>
+	<div class="form-group col-12">
+		<label for="user-password1">{{_("New Password")}}</label>
+		<input type="password" autocomplete="new-password" class="form-control" id="user-password1" name="password1" tabindex="2" minlength={{ User.PASSWORD_MINLEN }} maxlength={{ User.PASSWORD_MAXLEN }} pattern="{{ User.PASSWORD_REGEX }}" required>
+		<small class="form-text text-muted">
+			{{ User.PASSWORD_DESCRIPTION|safe }}
+		</small>
+	</div>
+	<div class="form-group col-12">
+		<label for="user-password2">{{_("Repeat Password")}}</label>
+		<input type="password" autocomplete="new-password" class="form-control" id="user-password2" name="password2" tabindex="3" required>
+	</div>
+	<div class="form-group col-12">
+		<button type="submit" class="btn btn-primary btn-block" tabindex="3">{{_("Set password")}}</button>
+	</div>
+</form>
+{% endblock %}
--- a/uffd/mfa/templates/mfa/setup.html
+++ b/uffd/mfa/templates/mfa/setup.html
@@ -28,11 +28,11 @@ mfa_enabled: The user has setup at least one two-factor method. Two-factor authe
 {% if mfa_setup or mfa_enabled %}
 <div class="clearfix">
 	{% if mfa_enabled %}
-	<form class="form float-right" action="{{ url_for('mfa.disable') }}">
+	<form class="form float-right" action="{{ url_for('selfservice.disable_mfa') }}">
 		<button type="submit" class="btn btn-danger mb-2">{{_("Disable two-factor authentication")}}</button>
 	</form>
 	{% else %}
-	<form class="form float-right" action="{{ url_for('mfa.disable_confirm') }}" method="POST">
+	<form class="form float-right" action="{{ url_for('selfservice.disable_mfa_confirm') }}" method="POST">
 		<button type="submit" class="btn btn-light mb-2">{{_("Reset two-factor configuration")}}</button>
 	</form>
 	{% endif %}
@@ -56,7 +56,7 @@ mfa_enabled: The user has setup at least one two-factor method. Two-factor authe
 	</div>

 	<div class="col-12 col-md-7">
-		<form class="form" action="{{ url_for('mfa.setup_recovery') }}" method="POST">
+		<form class="form" action="{{ url_for('selfservice.setup_mfa_recovery') }}" method="POST">
 			{% if mfa_init %}
 			<button type="submit" class="btn btn-primary mb-2 col">
 				{{_("Generate recovery codes to enable two-factor authentication")}}
@@ -93,7 +93,7 @@ mfa_enabled: The user has setup at least one two-factor method. Two-factor authe
 	</div>

 	<div class="col-12 col-md-7">
-		<form class="form mb-2" action="{{ url_for('mfa.setup_totp') }}">
+		<form class="form mb-2" action="{{ url_for('selfservice.setup_mfa_totp') }}" autocomplete="off">
 			<div class="row m-0">
 				<label class="sr-only" for="totp-name">{{_("Name")}}</label>
 				<input type="text" name="name" class="form-control mb-2 col-12 col-lg-auto mr-2" style="width: 15em;" id="totp-name" placeholder="{{_("Name")}}" required {{ 'disabled' if mfa_init }}>
@@ -113,8 +113,8 @@ mfa_enabled: The user has setup at least one two-factor method. Two-factor authe
 				{% for method in request.user.mfa_totp_methods %}
 				<tr>
 					<td>{{ method.name }}</td>
-					<td>{{ method.created.strftime('%b %d, %Y') }}</td>
-					<td><a class="btn btn-sm btn-danger float-right" href="{{ url_for('mfa.delete_totp', id=method.id) }}">{{_("Delete")}}</a></td>
+					<td>{{ method.created|dateformat }}</td>
+					<td><a class="btn btn-sm btn-danger float-right" href="{{ url_for('selfservice.delete_mfa_totp', id=method.id) }}">{{_("Delete")}}</a></td>
 				</tr>
 				{% endfor %}
 				{% if not request.user.mfa_totp_methods %}
@@ -152,7 +152,7 @@ mfa_enabled: The user has setup at least one two-factor method. Two-factor authe
 			</div>
 		</noscript>
 		<div id="webauthn-alert" class="alert alert-warning d-none" role="alert"></div>
-		<form id="webauthn-form" class="form mb-2">
+		<form id="webauthn-form" autocomplete="off" class="form mb-2">
 			<div class="row m-0">
 				<label class="sr-only" for="webauthn-name">{{_("Name")}}</label>
 				<input type="text" class="form-control mb-2 col-12 col-lg-auto mr-2" style="width: 15em;" id="webauthn-name" placeholder="{{_("Name")}}" required disabled>
@@ -175,8 +175,8 @@ mfa_enabled: The user has setup at least one two-factor method. Two-factor authe
 				{% for method in request.user.mfa_webauthn_methods %}
 				<tr>
 					<td>{{ method.name }}</td>
-					<td>{{ method.created.strftime('%b %d, %Y') }}</td>
-					<td><a class="btn btn-sm btn-danger float-right" href="{{ url_for('mfa.delete_webauthn', id=method.id) }}">{{_("Delete")}}</a></td>
+					<td>{{ method.created|dateformat }}</td>
+					<td><a class="btn btn-sm btn-danger float-right" href="{{ url_for('selfservice.delete_mfa_webauthn', id=method.id) }}">{{_("Delete")}}</a></td>
 				</tr>
 				{% endfor %}
 				{% if not request.user.mfa_webauthn_methods %}
@@ -196,21 +196,21 @@ mfa_enabled: The user has setup at least one two-factor method. Two-factor authe
 $('#webauthn-form').on('submit', function(e) {
 	$('#webauthn-alert').addClass('d-none');
 	$('#webauthn-spinner').removeClass('d-none');
-	$('#webauthn-btn-text').text('Contacting server');
+	$('#webauthn-btn-text').text({{ _('Contacting server')|tojson }});
 	$('#webauthn-btn').prop('disabled', true);
-	fetch({{ url_for('mfa.setup_webauthn_begin')|tojson }}, {
+	fetch({{ url_for('selfservice.setup_mfa_webauthn_begin')|tojson }}, {
 		method: 'POST',
 	}).then(function(response) {
 		if (response.ok)
 			return response.arrayBuffer();
 		if (response.status == 403)
-			throw new Error('You need to generate recovery codes first');
-		throw new Error('Server error');
+			throw new Error({{ _('You need to generate recovery codes first')|tojson }});
+		throw new Error({{ _('Server error')|tojson }});
 	}).then(CBOR.decode).then(function(options) {
-		$('#webauthn-btn-text').text('Waiting for response from your device');
+		$('#webauthn-btn-text').text({{ _('Waiting for device')|tojson }});
 		return navigator.credentials.create(options);
 	}).then(function(attestation) {
-		return fetch({{ url_for('mfa.setup_webauthn_complete')|tojson }}, {
+		return fetch({{ url_for('selfservice.setup_mfa_webauthn_complete')|tojson }}, {
 			method: 'POST',
 			headers: {'Content-Type': 'application/cbor'},
 			body: CBOR.encode({
@@ -222,34 +222,34 @@ $('#webauthn-form').on('submit', function(e) {
 	}).then(function(response) {
 		if (response.ok) {
 			$('#webauthn-spinner').addClass('d-none');
-			$('#webauthn-btn-text').text('Success');
-			window.location = {{ url_for('mfa.setup')|tojson }};
+			$('#webauthn-btn-text').text({{ _('Success')|tojson }});
+			window.location = {{ url_for('selfservice.setup_mfa')|tojson }};
 		} else {
-			throw new Error('Response from authenticator rejected');
+			throw new Error({{ _('Invalid response from device')|tojson }});
 		}
 	}, function(err) {
 		console.log(err);
 		/* various webauthn errors */
 		if (err.name == 'NotAllowedError')
-			$('#webauthn-alert').text('Registration timed out, was aborted or not allowed');
+			$('#webauthn-alert').text({{ _('Registration timed out, was aborted or not allowed')|tojson }});
 		else if (err.name == 'InvalidStateError')
-			$('#webauthn-alert').text('You attempted to register a device that is already registered');
+			$('#webauthn-alert').text({{ _('Device already registered')|tojson }});
 		else if (err.name == 'AbortError')
-			$('#webauthn-alert').text('Registration was aborted');
+			$('#webauthn-alert').text({{ _('Registration was aborted')|tojson }});
 		else if (err.name == 'NotSupportedError')
-			$('#webauthn-alert').text('U2F and FIDO2 devices are not supported by your browser');
+			$('#webauthn-alert').text({{ _('U2F and FIDO2 devices are not supported by your browser')|tojson }});
 		/* errors from fetch() */
 		else if (err.name == 'TypeError')
-			$('#webauthn-alert').text('Could not connect to server');
+			$('#webauthn-alert').text({{ _('Could not connect to server')|tojson }});
 		/* our own errors */
 		else if (err.name == 'Error')
 			$('#webauthn-alert').text(err.message);
 		/* fallback */
 		else
-			$('#webauthn-alert').text('Registration failed ('+err+')');
+			$('#webauthn-alert').text({{ _('Registration failed')|tojson }}+' ('+err+')');
 		$('#webauthn-alert').removeClass('d-none');
 		$('#webauthn-spinner').addClass('d-none');
-		$('#webauthn-btn-text').text('Retry registration');
+		$('#webauthn-btn-text').text({{ _('Retry registration')|tojson }});
 		$('#webauthn-btn').prop('disabled', false);
 	});
 	return false;
@@ -261,7 +261,7 @@ if (typeof(PublicKeyCredential) != "undefined") {
 	$('#webauthn-name').prop('disabled', false);
 	{% endif %}
 } else {
-	$('#webauthn-alert').text('U2F and FIDO2 devices are not supported by your browser');
+	$('#webauthn-alert').text({{ _('U2F and FIDO2 devices are not supported by your browser')|tojson }});
 	$('#webauthn-alert').removeClass('d-none');
 }


--- a/uffd/mfa/templates/mfa/setup_recovery.html
+++ b/uffd/mfa/templates/mfa/setup_recovery.html
@@ -12,7 +12,7 @@
 <div class="text-monospace">
 	<ul>
 	{% for method in methods %}
-		<li>{{ method.code }}</li>
+		<li>{{ method.code_value }}</li>
 	{% endfor %}
 	</ul>
 </div>
@@ -23,8 +23,8 @@
 </p>

 <div class="btn-toolbar">
-	<a class="ml-auto mb-2 btn btn-primary d-print-none" href="{{ url_for('mfa.setup') }}">Continue</a>
-	<a class="ml-2 mb-2 btn btn-light d-print-none" href="{{ methods|map(attribute='code')|join('\n')|datauri }}" download="uffd-recovery-codes">
+	<a class="ml-auto mb-2 btn btn-primary d-print-none" href="{{ url_for('selfservice.setup_mfa') }}">{{_("Continue")}}</a>
+	<a class="ml-2 mb-2 btn btn-light d-print-none" href="{{ methods|map(attribute='code_value')|join('\n')|datauri }}" download="uffd-recovery-codes">
 		{{_("Download codes")}}
 	</a>
 	<button class="ml-2 mb-2 btn btn-light d-print-none" type="button" onClick="window.print()">{{_("Print codes")}}</button>

--- a/uffd/mfa/templates/mfa/setup_totp.html
+++ b/uffd/mfa/templates/mfa/setup_totp.html
@@ -32,9 +32,9 @@
 	</div>
 </div>

-<form action="{{ url_for('mfa.setup_totp_finish', name=name) }}" method="POST" class="form">
+<form action="{{ url_for('selfservice.setup_mfa_totp_finish', name=name) }}" method="POST" autocomplete="off" class="form">
 	<div class="row m-0">
-		<input type="text" name="code" class="form-control mb-2 mr-2 col-auto col-md" id="code" placeholder="Code" required autofocus>
+		<input type="text" name="code" class="form-control mb-2 mr-2 col-auto col-md" id="code" placeholder="{{_('Code')}}" required autofocus>
 		<button type="submit" class="btn btn-primary mb-2 col col-md-auto">{{_("Verify and complete setup")}}</button>
 	</div>
 </form>

--- a/uffd/templates/service/api.html
+++ b/uffd/templates/service/api.html
+{% extends 'base.html' %}
+
+{% block body %}
+<div class="row">
+	<form action="{{ url_for('service.api_submit', service_id=service.id, id=client.id) }}" method="POST" autocomplete="off" class="form col-12 px-0">
+
+		<div class="form-group col">
+			<p class="text-right">
+				<a href="{{ url_for('service.show', id=service.id) }}" class="btn btn-secondary">{{ _('Cancel') }}</a>
+				{% if client.id %}
+				<a class="btn btn-danger" href="{{ url_for('service.api_delete', service_id=service.id, id=client.id) }}" onClick='return confirm({{_("Are you sure?")|tojson}});'>
+					<i class="fa fa-trash" aria-hidden="true"></i> {{_('Delete')}}
+				</a>
+				{% endif %}
+				<button type="submit" class="btn btn-primary"><i class="fa fa-save" aria-hidden="true"></i> {{ _('Save') }}</button>
+			</p>
+		</div>
+
+		<div class="form-group col">
+			<label for="client-auth-username">{{ _('Authentication Username') }}</label>
+			<input type="text" class="form-control" id="client-auth-username" name="auth_username" value="{{ client.auth_username or '' }}" required>
+		</div>
+
+		<div class="form-group col">
+			<label for="client-auth-password">{{ _('Authentication Password') }}</label>
+			{% if client.id %}
+			<input type="password" autocomplete="new-password" class="form-control" id="client-auth-password" name="auth_password" placeholder="●●●●●●●●">
+			{% else %}
+			<input type="password" autocomplete="new-password" class="form-control" id="client-auth-password" name="auth_password" required>
+			{% endif %}
+		</div>
+
+		<div class="form-group col">
+			<h6>{{ _('Permissions') }}</h6>
+			<div class="form-check">
+				<input class="form-check-input" type="checkbox" id="client-perm-users" name="perm_users" value="1" aria-label="enabled" {{ 'checked' if client.perm_users }}>
+				<label class="form-check-label" for="client-perm-users"><b>users</b>: {{_('Access user and group data')}}</label>
+			</div>
+			<div class="form-check">
+				<input class="form-check-input" type="checkbox" id="client-perm-checkpassword" name="perm_checkpassword" value="1" aria-label="enabled" {{ 'checked' if client.perm_checkpassword }}>
+				<label class="form-check-label" for="client-perm-checkpassword"><b>checkpassword</b>: {{_('Verify user passwords')}}</label>
+			</div>
+			<div class="form-check">
+				<input class="form-check-input" type="checkbox" id="client-perm-mail-aliases" name="perm_mail_aliases" value="1" aria-label="enabled" {{ 'checked' if client.perm_mail_aliases }}>
+				<label class="form-check-label" for="client-perm-mail-aliases"><b>mail_aliases</b>: {{_('Access mail aliases')}}</label>
+			</div>
+			<div class="form-check">
+				<input class="form-check-input" type="checkbox" id="client-perm-remailer" name="perm_remailer" value="1" aria-label="enabled" {{ 'checked' if client.perm_remailer }}>
+				<label class="form-check-label" for="client-perm-remailer"><b>remailer</b>: {{_('Resolve remailer addresses')}}</label>
+				{% if not remailer.configured %}
+				<i class="fas fa-exclamation-triangle text-warning" data-toggle="tooltip" data-placement="top" title="{{ _('This option has no effect: Remailer config options are unset') }}"></i>
+				{% endif %}
+			</div>
+			<div class="form-check">
+				<input class="form-check-input" type="checkbox" id="client-perm-metrics" name="perm_metrics" value="1" aria-label="enabled" {{ 'checked' if client.perm_metrics }}>
+				<label class="form-check-label" for="client-perm-metrics"><b>metrics</b>: {{_('Access uffd metrics')}}</label>
+			</div>
+		</div>
+
+	</form>
+</div>
+
+<script>
+$(function () {
+  $('[data-toggle="tooltip"]').tooltip()
+})
+</script>
+{% endblock %}
--- a/uffd/templates/service/index.html
+++ b/uffd/templates/service/index.html
+{% extends 'base.html' %}
+
+{% block body %}
+<div class="row">
+	<div class="col">
+		<p class="text-right">
+			<a class="btn btn-primary" href="{{ url_for('service.show') }}">
+				<i class="fa fa-plus" aria-hidden="true"></i> {{_("New")}}
+			</a>
+		</p>
+		<table class="table table-striped table-sm">
+			<thead>
+				<tr>
+					<th scope="col">{{ _('Name') }}</th>
+				</tr>
+			</thead>
+			<tbody>
+				{% for service in services|sort(attribute="name") %}
+				<tr>
+					<td>
+						<a href="{{ url_for("service.show", id=service.id) }}">
+							{{ service.name }}
+						</a>
+					</td>
+				</tr>
+				{% endfor %}
+			</tbody>
+		</table>
+	</div>
+</div>
+{% endblock %}
--- a/uffd/templates/service/oauth2.html
+++ b/uffd/templates/service/oauth2.html
+{% extends 'base.html' %}
+
+{% block body %}
+<div class="row">
+	<form action="{{ url_for('service.oauth2_submit', service_id=service.id, db_id=client.db_id) }}" method="POST" autocomplete="off" class="form col-12 px-0">
+
+		<div class="form-group col">
+			<p class="text-right">
+				<a href="{{ url_for('service.show', id=service.id) }}" class="btn btn-secondary">{{ _('Cancel') }}</a>
+				{% if client.db_id %}
+				<a class="btn btn-danger" href="{{ url_for('service.oauth2_delete', service_id=service.id, db_id=client.db_id) }}" onClick='return confirm({{_("Are you sure?")|tojson}});'>
+					<i class="fa fa-trash" aria-hidden="true"></i> {{_('Delete')}}
+				</a>
+				{% endif %}
+				<button type="submit" class="btn btn-primary"><i class="fa fa-save" aria-hidden="true"></i> {{ _('Save') }}</button>
+			</p>
+		</div>
+
+		<div class="form-group col">
+			<label for="client-client-id">{{ _('Client ID') }}</label>
+			<input type="text" class="form-control" id="client-client-id" name="client_id" value="{{ client.client_id or '' }}" required>
+		</div>
+
+		<div class="form-group col">
+			<label for="client-client-secret">{{ _('Client Secret') }}</label>
+			{% if client.db_id %}
+			<input type="password" autocomplete="new-password" class="form-control" id="client-client-secret" name="client_secret" placeholder="●●●●●●●●">
+			{% else %}
+			<input type="password" autocomplete="new-password" class="form-control" id="client-client-secret" name="client_secret" required>
+			{% endif %}
+		</div>
+
+		<div class="form-group col">
+			<label for="client-redirect-uris">{{ _('Redirect URIs') }}</label>
+			<textarea rows="3" class="form-control" id="client-redirect-uris" name="redirect_uris">{{ client.redirect_uris|join('\n') }}</textarea>
+			<small class="form-text text-muted">
+				{{ _('One URI per line') }}
+			</small>
+		</div>
+
+		<div class="form-group col">
+			<label for="client-logout-uris">{{ _('Logout URIs') }}</label>
+			<textarea rows="3" class="form-control" id="client-logout-uris" name="logout_uris" placeholder="GET https://example.com/logout">
+{%- for logout_uri in client.logout_uris %}
+{{ logout_uri.method }} {{ logout_uri.uri }}{{ '\n' if not loop.last }}
+{%- endfor %}
+</textarea>
+			<small class="form-text text-muted">
+				{{ _('One URI per line, prefixed with space-separated method (GET/POST)') }}
+			</small>
+		</div>
+
+	</form>
+</div>
+{% endblock %}
--- a/uffd/services/templates/services/overview.html
+++ b/uffd/services/templates/services/overview.html
@@ -4,8 +4,19 @@

 {% set iconstyle = 'style="width: 1.8em;"'|safe %}

-{% if not user %}
-<div class="alert alert-warning" role="alert">{{_("Some services may not be publicly listed! Log in to see all services you have access to.")}}</div>
+{% if not request.user %}
+<div class="alert alert-warning" role="alert">
+    <div class="row">
+        <div class="col-12 col-md-9 col-lg-10 col-xl-10">
+            {{ _("Some services may not be publicly listed! Log in to see all services you have access to.") }}
+        </div>
+        <div class="col-12 col-md-3 col-lg-2 col-xl-2 text-center text-md-right text-lg-right text-xl-right">
+            <a class="btn btn-primary" href="{{ url_for("session.login", ref=request.full_path) }}">
+                <i class="fa fa-sign-in-alt" aria-hidden="true"></i> {{ _("Login") }}
+            </a>
+        </div>
+    </div>
+</div>
 {% endif %}

 {% if banner %}
@@ -22,7 +33,7 @@
      <div class="card-body">
 				{% if service.logo_url %}
 					{% if service.url and service.has_access %}<a href="{{ service.url }}" class="text-reset">{% endif %}
-						<img alt="Logo for {{ service.title }}" src="{{ service.logo_url }}" style="width: 100%; height: 10em; object-fit: contain; {{ 'filter: grayscale(100%);' if not service.has_access }}">
+						<img alt="{{ _("Logo for %(service_title)s", service_title=service.title) }}" src="{{ service.logo_url }}" style="width: 100%; height: 10em; object-fit: contain; {{ 'filter: grayscale(100%);' if not service.has_access }}">
 					{% if service.url and service.has_access %}</a>{% endif %}
 				{% endif %}
        <h5 class="card-title">
@@ -59,6 +70,12 @@
  </div>
 {% endmacro %}

+{% if request.user and request.user.is_in_group(config['ACL_ADMIN_GROUP']) %}
+<div class="text-right mt-2">
+	<a href="{{ url_for('service.index') }}" class="btn btn-primary">{{ _('Manage OAuth2 and API clients') }}</a>
+</div>
+{% endif %}
+
 <div class="row row-cols-1 row-cols-md-2 row-cols-lg-3 row-cols-xl-4 mt-2">
 	{% for service in services if service.has_access %}
 		{{ service_card(service) }}

--- a/uffd/templates/service/show.html
+++ b/uffd/templates/service/show.html
+{% extends 'base.html' %}
+
+{% block body %}
+
+<div class="row">
+
+	<form action="{{ url_for('service.edit_submit', id=service.id) }}" method="POST" autocomplete="off" class="form col-12 px-0">
+		<div class="form-group col">
+			<p class="text-right">
+				<a href="{{ url_for('service.index') }}" class="btn btn-secondary">{{ _('Cancel') }}</a>
+				{% if service.id %}
+				<a class="btn btn-danger" href="{{ url_for('service.delete', id=service.id) }}" onClick='return confirm({{_("Are you sure?")|tojson}});'>
+					<i class="fa fa-trash" aria-hidden="true"></i> {{_('Delete')}}
+				</a>
+				{% endif %}
+				<button type="submit" class="btn btn-primary"><i class="fa fa-save" aria-hidden="true"></i> {{ _('Save') }}</button>
+			</p>
+		</div>
+		<div class="form-group col">
+			<label for="service-name">{{ _('Name') }}</label>
+			<input type="text" class="form-control" id="service-name" name="name" value="{{ service.name or '' }}" required>
+		</div>
+		<div class="form-group col">
+			<label for="access-group">{{ _('Access Restriction') }}</label>
+			<select class="form-control" id="access-group" name="access-group">
+				<option value="" class="text-muted">{{ _('No user has access') }}</option>
+				<option value="all" class="text-muted" {{ 'selected' if not service.limit_access }}>{{ _('All users have access (legacy)') }}</option>
+				{% for group in all_groups %}
+				<option value="{{ group.id }}" {{ 'selected' if group == service.access_group and service.limit_access }}>{{ _('Members of group "%(group_name)s" have access', group_name=group.name) }}</option>
+				{% endfor %}
+			</select>
+		</div>
+
+		<div class="form-group col">
+			<div class="form-check">
+				<input class="form-check-input" type="checkbox" id="hide-deactivated-users" name="hide_deactivated_users" value="1" aria-label="enabled" {{ 'checked' if service.hide_deactivated_users }}>
+				<label class="form-check-label" for="hide-deactivated-users">{{ _('Hide deactivated users from service') }}</label>
+			</div>
+		</div>
+
+		<div class="form-group col">
+			<div class="form-check">
+				<input class="form-check-input" type="checkbox" id="service-enable-email-preferences" name="enable_email_preferences" value="1" aria-label="enabled" {{ 'checked' if service.enable_email_preferences }}>
+				<label class="form-check-label" for="service-enable-email-preferences">{{ _('Allow users with access to select a different e-mail address for this service') }}</label>
+			<small class="form-text text-muted">
+				{{ _('If disabled, the service always uses the primary e-mail address.') }}
+			</small>
+			</div>
+		</div>
+
+		<div class="form-group col">
+			<label for="remailer-mode">
+				{{ _('Hide e-mail addresses with remailer') }}
+				{% if not remailer.configured %}
+				<i class="fas fa-exclamation-triangle text-warning" data-toggle="tooltip" data-placement="top" title="{{ _('This option has no effect: Remailer config options are unset') }}"></i>
+				{% endif %}
+			</label>
+			<select class="form-control" id="remailer-mode" name="remailer-mode">
+				<option value="{{ RemailerMode.DISABLED.name }}" {{ 'selected' if service.remailer_mode == RemailerMode.DISABLED }}>
+					{{ _('Remailer disabled') }}
+				</option>
+				<option value="{{ RemailerMode.ENABLED_V2.name }}" {{ 'selected' if service.remailer_mode == RemailerMode.ENABLED_V2 }}>
+					{{ _('Remailer enabled') }}
+				</option>
+				<option value="{{ RemailerMode.ENABLED_V1.name }}" {{ 'selected' if service.remailer_mode == RemailerMode.ENABLED_V1 }}>
+					{{ _('Remailer enabled (deprecated, case-sensitive format)') }}
+				</option>
+			</select>
+			<small class="form-text text-muted">
+				{{ _('Some services notify users about changes to their e-mail address. Modifying this setting immediatly affects the e-mail addresses of all users and can cause masses of notification e-mails.') }}
+			</small>
+		</div>
+
+		<div class="form-group col">
+			<p class="mb-2">
+				{{ _('Overwrite remailer setting for specific users') }}
+			</p>
+			<div class="input-group" id="remailer-mode-overwrite">
+				<input class="form-control" name="remailer-overwrite-users" placeholder="{{ _('Login names') }}" value="{{ remailer_overwrites|map(attribute='user')|map(attribute='loginname')|sort|join(', ') }}">
+				<select class="form-control" name="remailer-overwrite-mode">
+					{% set remailer_overwrite_mode = remailer_overwrites|map(attribute='remailer_overwrite_mode')|first or RemailerMode.ENABLED_V2 %}
+					<option value="{{ RemailerMode.DISABLED.name }}" {{ 'selected' if remailer_overwrite_mode == RemailerMode.DISABLED }}>
+						{{ _('Remailer disabled') }}
+					</option>
+					<option value="{{ RemailerMode.ENABLED_V2.name }}" {{ 'selected' if remailer_overwrite_mode == RemailerMode.ENABLED_V2 }}>
+						{{ _('Remailer enabled') }}
+					</option>
+					<option value="{{ RemailerMode.ENABLED_V1.name }}" {{ 'selected' if remailer_overwrite_mode == RemailerMode.ENABLED_V1 }}>
+						{{ _('Remailer enabled (deprecated, case-sensitive format)') }}
+					</option>
+				</select>
+			</div>
+			<small class="form-text text-muted">
+				{{ _('Useful for testing remailer before enabling it for all users. Specify users as a comma-seperated list of login names.') }}
+			</small>
+		</div>
+
+	</form>
+
+	{% if service.id %}
+	<div class="col-12">
+		<hr>
+		<h5>OAuth2 Clients</h5>
+		<p class="text-right">
+			<a class="btn btn-primary" href="{{ url_for('service.oauth2_show', service_id=service.id) }}">
+				<i class="fa fa-plus" aria-hidden="true"></i> {{_("New")}}
+			</a>
+		</p>
+		<table class="table table-striped table-sm">
+			<thead>
+				<tr>
+					<th scope="col">{{ _('Client ID') }}</th>
+				</tr>
+			</thead>
+			<tbody>
+				{% for client in service.oauth2_clients|sort(attribute='client_id') %}
+				<tr>
+					<td>
+						<a href="{{ url_for("service.oauth2_show", service_id=service.id, db_id=client.db_id) }}">
+							{{ client.client_id }}
+						</a>
+					</td>
+				</tr>
+				{% endfor %}
+			</tbody>
+		</table>
+	</div>
+
+	<div class="col-12">
+		<hr>
+		<h5>API Clients</h5>
+		<p class="text-right">
+			<a class="btn btn-primary" href="{{ url_for('service.api_show', service_id=service.id) }}">
+				<i class="fa fa-plus" aria-hidden="true"></i> {{_("New")}}
+			</a>
+		</p>
+		<table class="table table-striped table-sm">
+			<thead>
+				<tr>
+					<th scope="col">{{ _('Name') }}</th>
+					<th scope="col">{{ _('Permissions') }}</th>
+				</tr>
+			</thead>
+			<tbody>
+				{% for client in service.api_clients|sort(attribute='auth_username') %}
+				<tr>
+					<td>
+						<a href="{{ url_for("service.api_show", service_id=service.id, id=client.id) }}">
+							{{ client.auth_username }}
+						</a>
+					</td>
+					<td>
+						{% for perm in ['users', 'checkpassword', 'mail_aliases', 'remailer'] if client.has_permission(perm) %}
+						{{ perm }}{{ ',' if not loop.last }}
+						{% endfor %}
+					</td>
+				</tr>
+				{% endfor %}
+			</tbody>
+		</table>
+	</div>
+	{% endif %}
+
+</div>
+
+<script>
+$(function () {
+  $('[data-toggle="tooltip"]').tooltip()
+})
+</script>
+{% endblock %}
No results found