@girish Basically these are php files that make use of db variables and properties defined in the GUI. However, to make (in my opinion essential) customizations, I need to edit these templates. These changes however are mostly to optimize the user experience.
For me they dont need to be editable during runtime. If i could make the changes persist in recovery mode and the restart the app with the adapted files in readonly, that would be perfect.
@JOduMonT thanks for the info and research. The encrypted password handling in dolibarr as described does not make too much sense for us, since the password might change during package update, depending on the database addon thus it always have to be fetched freshly. Further it will always be present in the app's environment as injected into the container.
For phpinfo() I am not sure how this is an attack angle, since if one is able to inject php code to run phpinfo() the attacker might as well just simply dump the env variables manually.
@privsec I enabled all modules you were showing in the screenshots but I cannot reproduce the log file issue. Is there anything else you configured? Also can you check via the webterminal what the permissions of the log file in question are?
and about workflows based on incoming mails i don't know if there is ready to use plugins but i will do that for my own dolibarr (a special pop/imap account for dolibarr and some actions on incoming mails, all of that is based on dolibarr API and calls from command line)