I would love to get some feedback on the ACL implementation. If you find bugs etc., please let us know @ GitHub.
There is some info in the docs => https://mailcow.github.io/mailcow-dockerized-docs/model-acl/ – they still need more updates.
One improvement I see is to hide the divs completely and/or deny access to the functions' ‘get’ methods. Let us know on Freenode, #mailcow.
Thanks for the idea to integrate haveibeenpwned.com, I like it! Sorry to haveibeenpwned.com for playing with it and trying a bunch of old passwords, I hope I didn’t hammer your API too much. 🙂
For your information: Your password is never sent to their API!
We only query the API with the first 5 characters of the SHA1 hash of the current input field's value (generated in your browser, not server-side) and check the response for matches of the full hash, still stored in your browser.
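The range check described above, written out as an added example (this is not mailcow's own code). The function names, the injectable `getRange` parameter and the sample response are assumptions made for illustration; the endpoint is the public Pwned Passwords range URL, which the post does not spell out.

```javascript
// Added illustration, not mailcow's implementation. Runs in a browser or Node.
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;

// SHA-1 of the input as 40 uppercase hex characters, computed on the client.
async function sha1Hex(password) {
  const digest = await subtle.digest('SHA-1', new TextEncoder().encode(password));
  return Array.from(new Uint8Array(digest), b => b.toString(16).padStart(2, '0'))
    .join('').toUpperCase();
}

// Only `prefix` is sent to the API; `suffix` stays local for the comparison.
function splitHash(hex) {
  if (!/^[0-9A-F]{40}$/.test(hex)) throw new Error('expected 40 uppercase hex chars');
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// The range response is lines of "SUFFIX:COUNT". Returns the count for our
// suffix, or 0 when it is absent (a listed count of 0 is treated as no match).
function countInRange(suffix, body) {
  for (const line of body.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(':');
    if (candidate && candidate.toUpperCase() === suffix) return parseInt(count, 10) || 0;
  }
  return 0;
}

// Default network fetcher: the request carries the 5-character prefix only.
async function fetchRange(prefix) {
  const res = await fetch(`https://api.pwnedpasswords.com/range/${prefix}`);
  if (!res.ok) throw new Error(`range query failed: HTTP ${res.status}`);
  return res.text();
}

// Full check; `getRange` (hypothetical parameter) can be swapped for a stub.
async function pwnedCount(password, getRange = fetchRange) {
  const { prefix, suffix } = splitHash(await sha1Hex(password));
  return countInRange(suffix, await getRange(prefix));
}

// Constructed sample response for prefix 5BAA6; the counts are made up.
const SAMPLE_RANGE = [
  '00000AAAAABBBBBCCCCCDDDDDEEEEEFFFFF:3',
  '1E4C9B93F3F0682250B6CF8331B7EE68FD8:42', // suffix of SHA1("password")
  'FFFFFEEEEEDDDDDCCCCCBBBBBAAAAA00000:0',
].join('\r\n');
```

Every password whose hash shares the prefix produces the same request, so the API operator cannot tell which suffix the client went on to compare.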