No longer able to manage client passwords in v8**

[Tcalp]

Hi Guys,

WHMCS v8 has removed any ability for admins to manage / reset client passwords outside of sending them a password reset e-mail.  In the event that a customer cannot receive the reset e-mail password option we have no recourse aside from fudging manually with the system.  I discussed this matter with your support department, and the person agreed that there should possibly maintain away for administrators to manage passwords and suggested that I create a feature request.  I did so, and it got denied.

Anyone else out there using WHMCS still want to be able to reset clients passwords (Imagine cPanel removed this ability? lol) ?

[Si]

You should check out this thread tcalp

 

[yggdrasil]

You mean this is gone from version 8?

 

[steven99]

4 hours ago, yggdrasil said:

You mean this is gone from version 8?

Yup, those fields are no longer shown but rather blank spots where they were.  Even the security question and answer fields are no longer displayed.  So if you use those to verify clients when talking to you, you are out of luck.   That might be better for data security / privacy but come on clients don't remember what they exactly put in and sometimes that needs a human to figure it out.   For example, a security question of "what do you do every day at noon" could be answered "have lunch" or "lunch time" or "lunchtime" .  If they don't put in the very exact words, spacing, maybe even CaPitAls , they are out of luck and can't login .  When they contact you to help with that, you can't since you can't even see the the question and answer.   So they are locked out and you have no recourse to help since you can't even blank it out .  You have to mess with the database directly. 

This should be a admin role permission where a full admin can see those options and other roles can not .  (I checked and my full admin role has all permissions)

With that said, you can do password reset via the new Users tab -> dropdown menu next to "Remove" -> Password reset.  This still requires their email to work though as it sends the reset email .

EDIT:  Correction, security question can be seen under the drop down next to the user -> Security question.   Had not setup security questions on this test system and that wasn't shown until doing so. 

Edited November 17, 2020 by steven99
correction to security question bits.

[yggdrasil]

8 hours ago, steven99 said:

Yup, those fields are no longer shown but rather blank spots where they were.  Even the security question and answer fields are no longer displayed.  So if you use those to verify clients when talking to you, you are out of luck.   That might be better for data security / privacy but come on clients don't remember what they exactly put in and sometimes that needs a human to figure it out.   For example, a security question of "what do you do every day at noon" could be answered "have lunch" or "lunch time" or "lunchtime" .  If they don't put in the very exact words, spacing, maybe even CaPitAls , they are out of luck and can't login .  When they contact you to help with that, you can't since you can't even see the the question and answer.   So they are locked out and you have no recourse to help since you can't even blank it out .  You have to mess with the database directly. 

This should be a admin role permission where a full admin can see those options and other roles can not .  (I checked and my full admin role has all permissions)

With that said, you can do password reset via the new Users tab -> dropdown menu next to "Remove" -> Password reset.  This still requires their email to work though as it sends the reset email .

EDIT:  Correction, security question can be seen under the drop down next to the user -> Security question.   Had not setup security questions on this test system and that wasn't shown until doing so. 

I replied to that initial thread and someone said the function is still there. Now you confirm its gone in v8?

Which one is it? If WHMCS has removed this from v8 I will not upgrade.

I have people in person or on the phone (which I know personally) that ask me to change their passwords and now I can't do it anymore? What use does the admin have for the staff side if one if not the most important task cannot be done accomplished.

This is dumb. It has nothing to do with security either, you can still log into users account and if you set a password manually this is something every admin system allows you to do. Why would WHMCS remove the change password fields in v8???? Serious, why? It's not as you don't have already access to the database or can't achieve the same with some hook.

If this is true, then again version 8 is a downgrade, they keep removing stuff from the system. 😠

[Tcalp]

27 minutes ago, yggdrasil said:

I have people in person or on the phone (which I know personally) that ask me to change their passwords and now I can't do it anymore? What use does the admin have for the staff side if one if not the most important task cannot be done accomplished.

This is dumb. It has nothing to do with security either, you can still log into users account and if you set a password manually this is something every admin system allows you to do. Why would WHMCS remove the change password fields in v8???? Serious, why? It's not as you don't have already access to the database or can't achieve the same with some hook.

While you can login as them still, to change the password in the client area in v8 it also requires the current password of the user,  you have to fudge with the system to change the password now (such as changing the e-mail address of the user to a junk account, and using it to reset/change the password and then changing it back).  I can certainly understand taking efforts to better secure customers passwords, but entirely removing the administrative ability to reset the password on behalf of the customer is completely aloof. 

[yggdrasil]

32 minutes ago, Tcalp said:

While you can login as them still, to change the password in the client area in v8 it also requires the current password of the user,  you have to fudge with the system to change the password now (such as changing the e-mail address of the user to a junk account, and using it to reset/change the password and then changing it back).  I can certainly understand taking efforts to better secure customers passwords, but entirely removing the administrative ability to reset the password on behalf of the customer is completely aloof. 

I know plenty of enterprise systems, far better in security than WHMCS. All of them (admin back end) lets you force a user password change. What purposes does a back end have if you cannot manipulate data...????

From a security standpoint removing this has NO, ZERO effect on the account's security.

Forcing a user's password is still hashed, it's not saved in clear text. No risk involved.

If WHMCS assumption is here "We don't want, you to know YOUR customers password" this is idiotic. It's my customer, not theirs. As you said, you can just use a dummy email account and still know the password, they now just add another layer of complication to the equation. Also, we already have full access to the database, I can manually change whatever password I want and still know my customers passwords because it's my data.

And without mentioning that, well WE DON'T need the customers password in the first place as we can just impersonate the account. We don't care about the user's password.

And finally, you can make a hook that does the same.

What is the purpose of WHMCS removing this besides making it more complex and killing an especially useful feature in the back end?

The only thing that comes to my mind is they don't want your staff to randomly change users' passwords. If this is the WHY they did this, it's a dumb approach. They should just add a permission and problem solved. That way we as admins can set specific staff users not to have the option to change a password or impersonate a user. Therefore permissions exist and you can give or remove specific permissions to your staff.

Now completely removing the function is just going nuclear and making the whole admin side less useful. It makes no sense. Forcing a user's password change is one of the most, if not the most common tasks someone will look on a user's account. It seems WHMCS thinks that everyone using WHMCS just has random users online from a website. Don't they understand that some of us know our customers in person? And they are in front of us and we need to tell them now "Sorry, our fancy billing system does not let us change your password manually"

This is seriously a joke. An admin software that does not let you change user's password. Then again, I'm not surprised because in v8 it seems you cannot remove users either. People are complaining about this because they either did not upgraded yet or are not even aware something this BASIC was removed from the customer profile.

The devil in me tells me something different. I suspect why they are removing things like that. WHMCS is trying to slowly kill the self-hosted edition of WHMCS and move it to a cloud service. Then it makes no sense to offer things like this because you don't have access to the database. Their whole final idea is lock in. The self-hosted edition will be killed, and you will have to pay them monthly to use WHMCS and store your database with them. And your data and customers is now theirs. And eventually they will even email your customers directly and try to sell them things directly and claim it was a mistake. I saw this so many times. This is speculation but this is the only reason I can think why they don't added features like removing sub accounts in v8 or why they remove the password change feature. If someone takes a deep look at what they are adding in terms of features and removing, it all points to a version that will be cloud only and self-hosted killed. This is why they are slowly locking things down more and more and removing things that only makes sense on a self-hosted server edition.

WHMCS will claim otherwise but just see each release and what brings and what it removes, and all things start to make sense. I suspect our future with WHMCS is already compromised. I refuse to believe they are doing this things by mistake because nobody would think removing something like this makes any sense at all or not adding a way to remove sub contacts in v8. The reason is they don't need customers to remove things. In their cloud service they will bill per users and customers and they will remove them from their back end. They don't want you to manipulate the database because it will be billed from their side.

They already are moving towards that, owned license cannot be purchased anymore. Only leased. Then they introduced it billing by number of customers (your WHMCS now transfers that data) and they already confirmed here in the community that they plan a cloud hosted edition. Eventually they will move towards that and bill for everything, based on the number of customers, products, etc. Maybe even a % of your income in the future. This is why the marketplace makes so much sense for them.

Of course they will lose most customers that cannot host billing & users data with them for compliance and regulatory reasons. But I suspect they don't care. Lucky for us, there are alternatives. I'm very disappointed with how the future looks with WHMCS because there is none for us that host it with our own servers. Granted, this is all speculation but the changes they are doing since version 6 are pointing towards that. Its all about vendor lock in.

[brian!]

16 hours ago, yggdrasil said:

You mean this is gone from version 8?

yes.

2 hours ago, yggdrasil said:

Which one is it? If WHMCS has removed this from v8 I will not upgrade.

v7.10.2 client profile compared to v8.0.4 equivalent profile...

the option to directly enter a password for client is removed.... technically, client's no longer log in anyway, it's users that login - though you can't change their passwords directly either.

https://blog.whmcs.com/133651/whmcs-80--how-to-use-the-new-users-and-accounts-functionality

Quote

Q: As an admin, I don't seem to have the ability to delete users? I consolidated some accounts and now have extra users that are not required. There is no delete!?

A: I can confirm there is no ability to delete users. Leaving dormant user accounts will not cause any issues however.

I find this situation somewhere between absurd and intolerable. Whether we update or not now hangs in the balance. Perhaps you can at least provide an SQL statement to delete users with no associated clients? And I disagree with your statement that dormant user accounts "will not cause issues". Since I see no way to even deactivate a user surely this may not only be a security question, but also a GDPR topic - we're storing personal private data and cannot delete it, even when that user tells us to - an absolute no-go.

If you do happen to receive a GDPR removal request, you can satisfy it by anonymising the record which is easily accomplished via the admin UI.

With that said, we have received a number of requests for a delete option, and this is something that the team is slating to deliver in the next major release.

[steven99]

Under the users tab there is a "Remove" button for users that are associated with the client.  Or is that issue with just sub accounts that get converted to users and not like associating one client user with another?   Though that feature is sort of nice but have not played around with it enough to know for sure. 

Having users that are not used, potentially from a client's ex-employee, is a security risk if it can't be deleted or deactivated and especially since you can't change the password!   And changing the email address for the user isn't a solution as the user email has to be unique.  Changing it to some random user may work but that introduces other issues like that email address having to exist to avoid email bounces and what if that email address gets hacked?  Now you have multiple systems with users that don't need to be there.   

[yggdrasil]

4 hours ago, brian! said:

yes.

v7.10.2 client profile compared to v8.0.4 equivalent profile...

the option to directly enter a password for client is removed.... technically, client's no longer log in anyway, it's users that login - though you can't change their passwords directly either.

https://blog.whmcs.com/133651/whmcs-80--how-to-use-the-new-users-and-accounts-functionality

Not only they removed the password but also the security question!!! Excellent job WHMCS developers. I was not aware that version 8 is a downgrade since they removed features.

[yggdrasil]

1 hour ago, steven99 said:

Under the users tab there is a "Remove" button for users that are associated with the client.  Or is that issue with just sub accounts that get converted to users and not like associating one client user with another?   Though that feature is sort of nice but have not played around with it enough to know for sure. 

Having users that are not used, potentially from a client's ex-employee, is a security risk if it can't be deleted or deactivated and especially since you can't change the password!   And changing the email address for the user isn't a solution as the user email has to be unique.  Changing it to some random user may work but that introduces other issues like that email address having to exist to avoid email bounces and what if that email address gets hacked?  Now you have multiple systems with users that don't need to be there.   

Any user or account that is not used is a security risk. You can turn the feature off so that customers cannot create accounts, ah wait, there is no feature for that either...

[steven99]

4 minutes ago, yggdrasil said:

Not only they removed the password but also the security question!!! Excellent job WHMCS developers. I was not aware that version 8 is a downgrade since they removed features.

See my above post on that .  The security question is under the Users tab -> drop down menu -> Security question as long as security questions are setup.   You can not change the question or answer as both fields are readonly.   If no security question is set for the user, then the option is disabled.  i have had to change the question and answer a few times for clients because clients. 😉     I think this stuff should be allowed via role permissions.  Don't want to allow a low level employee to change it?  Okay sure, but allow a manager or even owner of the company to.    

[yggdrasil]

54 minutes ago, steven99 said:

See my above post on that .  The security question is under the Users tab -> drop down menu -> Security question as long as security questions are setup.   You can not change the question or answer as both fields are readonly.   If no security question is set for the user, then the option is disabled.  i have had to change the question and answer a few times for clients because clients. 😉     I think this stuff should be allowed via role permissions.  Don't want to allow a low level employee to change it?  Okay sure, but allow a manager or even owner of the company to.    

Readonly is an HTML field in the browser. Did you tried deleting that and changing to see if it works? Right click, inspect, remote the read only and try to change the data and see if it works.

Agree, the fields should be permissions/roles. I'm the top admin of my installation, I should be able to change anything I want. I already can because I have just change the database fields directly. This is just WHMCS making it more annoying and less productive since now instead of just clicking and typing directly something in the admin interface I need to do it directly on the database. Somehow WHMCS thinks its a great approach to make you less productive. I don't understand what they are trying to achieve with that stuff. Its my database and my data, I can change anything they want when I want. Locking us out from the interface will have no effect, developers will just create a hook or an alternative admin theme that works as expected.

[steven99]

Did not try removing read only property as there is no submit / save button and just a close.    Removed read only and hit enter as an attempt to submit and did not submit.   There is a hidden submit button and unhide that but does not submit.   Seems like a javascript is blocking / preventing the form submit for that form.   Then sent a POST request to that url with inputAnswer and inputQuestion and was given a 404 -- which indicates they have not yet set a route for it.  Besides all that, the two fields do not have ids or names set.  I got those field names from the labels "for" . So yeah nope it not going to work.    Though the fields are in a form with an action of /admin/client//user/<UID>/manage/save .  So it does seem to be almost there .

As for why, I think you answered that in your previous post of stating they are getting ready to do a SaaS /cloud hosted only version.  Though I think it is closer to the devs just not completing it and its half good.  At least you can sort of fudge the the system by getting the combo, logging in as the client, and changing the security question via the client area and inputting the combo when asked to verify .    And with that in mind, why in the gray goose are they limiting the admin?  To bad the password change in the client area doesn't require the security question instead for changing passwords. 

Edited November 18, 2020 by steven99

[Manchester Web Hosting]

On 11/17/2020 at 2:12 AM, steven99 said:

EDIT:  Correction, security question can be seen under the drop down next to the user -> Security question.   Had not setup security questions on this test system and that wasn't shown until doing so. 

no wonder we couldnt see it. What daftness is this?

On 11/17/2020 at 12:44 PM, yggdrasil said:

The devil in me tells me something different. I suspect why they are removing things like that. WHMCS is trying to slowly kill the self-hosted edition of WHMCS and move it to a cloud service. Then it makes no sense to offer things like this because you don't have access to the database. Their whole final idea is lock in. The self-hosted edition will be killed, and you will have to pay them monthly to use WHMCS and store your database with them. And your data and customers is now theirs. And eventually they will even email your customers directly and try to sell them things directly and claim it was a mistake. I saw this so many times. This is speculation but this is the only reason I can think why they don't added features like removing sub accounts in v8 or why they remove the password change feature. If someone takes a deep look at what they are adding in terms of features and removing, it all points to a version that will be cloud only and self-hosted killed. This is why they are slowly locking things down more and more and removing things that only makes sense on a self-hosted server edition.

WTF long term owners of self-hosted. Really hope this isnt the case wouldnt be surprised IF it is but then will ditch it all together. Agree they are slowly killing the most useful features and not even releasing features that are useful OR those that the users and community have been crying out for many years. Sadly dont know of anything that can match or beat whmcs... for now...

On 11/17/2020 at 12:44 PM, yggdrasil said:

Lucky for us, there are alternatives.

Please do tell... PM if need be...

 

[bear]

17 minutes ago, Manchester Web Hosting said:

WTF long term owners of self-hosted. Really hope this isnt the case wouldnt be surprised IF it is but then will ditch it all together.

It becomes a little less far fetched when you learn they quietly stopped allowing owned licenses to be sold by current license holders at the end of September. 
Starts to make this a little less implausible, IMHO.
Love to be wrong. Gut says there's a chance...

[Manchester Web Hosting]

1 minute ago, bear said:

It becomes a little less far fetched when you learn they quietly stopped allowing owned licenses to be sold by current license holders at the end of September. 
Starts to make this a little less implausible, IMHO.
Love to be wrong. Gut says there's a chance...

Wow, didnt know that. Luckily we got a second owned license back in may from a company that went 'away' just in time I guess.

someone suggested in another post there was an alternative to whmcs... no reply yet. maybe once they do it may be worth considering 🤔

[yggdrasil]

41 minutes ago, bear said:

It becomes a little less far fetched when you learn they quietly stopped allowing owned licenses to be sold by current license holders at the end of September. 
Starts to make this a little less implausible, IMHO.
Love to be wrong. Gut says there's a chance...

I assume that does not apply to people that purchased the license before that change. How else would this work? When you purchased the license the terms of services and sales agreement was different, how do they legally expect to apply a new term of services to people that purchased the license years ago? My point is that most of us did not accepted those modified terms and we purchased the license under a previous agreement.

I don't think that is even legal, not in the EU or in most countries. Example: I sell you one thing under one agreement, then years later I changed it to take away some rights. You already purchased the software under a different agreement and they cannot apply the new one to a past purchase.

[Manchester Web Hosting]

4 minutes ago, yggdrasil said:

I don't think that is even legal, not in the EU or in most countries. Example: I sell you one thing under one agreement, then years later I changed it to take away some rights. You already purchased the software under a different agreement and they cannot apply the new one to a past purchase.

Spot on. Had our license for yeeeeears. cant see not being able to sell it IF we were desperate too but then again we are talking about whmcs!

[yggdrasil]

1 hour ago, Manchester Web Hosting said:

no wonder we couldnt see it. What daftness is this?

WTF long term owners of self-hosted. Really hope this isnt the case wouldnt be surprised IF it is but then will ditch it all together. Agree they are slowly killing the most useful features and not even releasing features that are useful OR those that the users and community have been crying out for many years. Sadly dont know of anything that can match or beat whmcs... for now...

Please do tell... PM if need be...

 

I personally don't feel there is much life left for us self-hosted and owned licenses. Therefore I stopped buying WHMCS modules and investing time on adding things, modifying, or updating like in the past (I keep losing them anyway with new releases as they remove or change how things work...). 

Don't get me wrong. I love WHMCS and there is nothing more I would like to keep adding things, with hooks, API, new themes. I even purchased their license addon and project manager. I feel WHMCS works well for me in terms of feature so far. But I feel something bad in my stomach with each new release and I suffered this before with other billing systems. They are locking and closing things down and something in me tells me the future for us self-hosted is not certain. This is why I stopped investing my time with WHMCS, because I'm not sure if I will keep using it for years to come. Not because of me, but because WHMCS will slowly forces us out. This is like what Apple is doing to MacOS users. They are gently removing things in the OS and try to turn it into a wallet garden lock, which runs only in their hardware and then that will only be able to run software that was purchased from Apple. They already removed VPN and firewall features from the latest version.

I feel WHMCS is somehow doing the same. Maybe I'm wrong, but that is how I feel when I see them removing basic features and introducing more stuff that does not make sense for self-hosted users but more sense to them running services directly to end customers. I do believe WHMCS is testing waters and they will try. But I also suspect they are going to lose so many customers in the process that they are going to back pedal fast or go bust because those people are going to go to their competitors and that competitor is going to get more revenue and be able to develop more stuff faster, not to mention receive more feedback and third-party developers' integration.

In the past you only had modules for WHMCS and now I see developers are slowly starting to develop for their competitor as well. This means, WHMCS is indeed losing users to them. The problem is that most are going to be gone when they realize they are losing users. And by losing users, it's not just about money but branding and referrals. Like Bear said he recommended WHMCS in the past to people and not he doesn't anymore. I'm in the same boat. I don't feel appreciate or valued as a long-term customer. There is little to no communication from people working at WHMCS, they only emails I receive from them are when they announce a new version which I think for 2 years now has added almost nothing to self-hosted customers.  When I mean self hosted I mean features that run in your server, not some API to a paid third party. And when they do add things they don't even add them as options. They just force them directly to everyone like the SSL check and other things. They just remove things without asking or consider who is using something and they just add something directly without feedback or options to turn it off or on.

[steven99]

55 minutes ago, Manchester Web Hosting said:

someone suggested in another post there was an alternative to whmcs... no reply yet. maybe once they do it may be worth considering 🤔

I think that is a discussion thread of its own.  There are few out there with some saying they are not as good but usually it comes down to not having as many modules or differences that need to be adjusted to.   Hostbill, Blesta, Clientexec come to mind right off.   Over on WHT there have been calls for a open source alternative but nothing has ever come from it.   WHMCS is still the to go to because of large community it has. 

[yggdrasil]

58 minutes ago, Manchester Web Hosting said:

Wow, didnt know that. Luckily we got a second owned license back in may from a company that went 'away' just in time I guess.

someone suggested in another post there was an alternative to whmcs... no reply yet. maybe once they do it may be worth considering 🤔

I don't think we can mention the alternatives here. Which again is not only strange but awkward. If I were the owner or running WHMCS and I feel secure about my product I would not mind people discussing the competitors. In 2020 with social networks and people being a click away to search something it makes no sense pretending to hide something. People just move the discussion away from their control which is even worst. I would not mind if people discuss my competitors in my community because it would give me a chance to see where I lack and how I can improve or why my customers are picking or considering other options. WHMCS on the other part I think will ban you if you mention alternatives here. The irony is that none of the alternatives are perfect either and they also have some problems, mostly lacking features, but at least the things they do have work great and they.

[Manchester Web Hosting]

11 minutes ago, yggdrasil said:

But I also suspect they are going to lose so many customers in the process that they are going to back pedal fast or go bust because those people are going to go to their competitors and that competitor is going to get more revenue and be able to develop more stuff faster, not to mention receive more feedback and third-party developers' integration.

Dont believe that will the case. DIdnt happen when cpanel itself was purchased and then moved to their new model and considering cpanel now technically owns whmcs...

7 minutes ago, yggdrasil said:

Don't get me wrong. I love WHMCS and there is nothing more I would like to keep adding things, with hooks, API, new themes. I even purchased their license addon and project manager. I feel WHMCS works well for me in terms of feature so far.

Exactly how we feel, but the way the road is unfolding doesnt install any confidence tbh.

4 minutes ago, steven99 said:

Over on WHT there have been calls for a open source alternative but nothing has ever come from it. 

Yup tried the ones you mentioned. they got someway to go yet... big fan of opensouce but something thats comparable to whmcs... nada yet and nothing insight

3 minutes ago, yggdrasil said:

WHMCS on the other part I think will ban you if you mention alternatives here. The irony is that none of the alternatives are perfect either and they also have some problems, mostly lacking features, but at least the things they do have work great and they.

Well not going to mention any names. Feature wise they have got a way to go yet...

[yggdrasil]

5 minutes ago, steven99 said:

I think that is a discussion thread of its own.  There are few out there with some saying they are not as good but usually it comes down to not having as many modules or differences that need to be adjusted to.   Hostbill, Blesta, Clientexec come to mind right off.   Over on WHT there have been calls for a open source alternative but nothing has ever come from it.   WHMCS is still the to go to because of large community it has. 

I had the first one you mentioned. I sold it before moving to WHMCS.

I'm considering the second or building my own. I think the biggest drawback for the second one is their domain part, but they are working on that. (nobody makes money with domains anyway anymore....)

I just checked their change log and features today, and they do keep adding things that people request. Development looks at least open and friendly. Its very, but very behind WHMCS in terms of third party modules and features but then again do you need everything?

The biggest reason I'm attracted to them even with how simple it is:

1. They are in business for years. They are adding features on every new release. Never removing anything.

2. It's completely open. You can code and customize it as you want.

3. Number 2 means enterprise/business friendly. They cannot just pull some shenanigans behind some code because you can see everything. Even if they did, you would be able to remove it. This is the biggest selling point for me because it means stability. You will stick to that.

4. They invest in development instead of marketing. While WHMCS makes fancy pages and videos, they have a proper request feature system they participate, a public change log, they properly write the change logs... This is how software should be build.

5. I know big brand hosting company that left WHMCS for them. Mainly because again, they could not fix the bugs in WHMCS because of the obfuscation, and they probably saw before me this will come to bite you eventually.

[bear]

36 minutes ago, yggdrasil said:

I assume that does not apply to people that purchased the license before that change. How else would this work? When you purchased the license the terms of services and sales agreement was different, how do they legally expect to apply a new term of services to people that purchased the license years ago? My point is that most of us did not accepted those modified terms and we purchased the license under a previous agreement.

I don't think that is even legal, not in the EU or in most countries. Example: I sell you one thing under one agreement, then years later I changed it to take away some rights. You already purchased the software under a different agreement and they cannot apply the new one to a past purchase.

It applies to all owned licenses, which you could only sell once, and only if you bought directly. As for terms, most of those are not permanent, and can change over time. The new terms don't change your ownership, they just disallow selling it. At some point in the future,  I'd assume they could say the owned version will no longer be developed (look to Kayako for precedent) or supported or perhaps have a gigantic support price increase that most would say no to and that's that (again, Kayako is a good example). 
This may be a big worry over nothing, but with the pattern of things of late, no longer a sure thing not to happen.