Feature #21421

Security Notifications when security related things are changed

Added by Jan from Planio www.plan.io over 1 year ago. Updated 8 months ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: Jean-Philippe Lang
% Done: 0%
Category: Security
Target version: 3.3.0
Resolution: Fixed

Description

As a user I want to receive an email whenever something security related (e.g. my password, my account email address) is changed.

As an admin, I would also like to receive emails about global changes (e.g. "login required" deactivated) or the addition/removal of other admins.

The attached patch series against current trunk implements this. Would be great if that could be included in one of the next releases. Thanks!

0001-Store-user-s-IP-address-for-the-duration-of-the-requ.patch (2.37 KB) Jan from Planio www.plan.io, 2015-12-04 09:29

0005-Harmonize-setting-labels.patch (4.29 KB) Jan from Planio www.plan.io, 2015-12-04 09:29

0000-Add-optional-user-parameter-to-I18n-format_time-to-o.patch (1.21 KB) Jan from Planio www.plan.io, 2015-12-11 12:33

0002-Add-Mailer-security_notification.patch (6.68 KB) Jan from Planio www.plan.io, 2015-12-11 12:33

0004-Send-a-security-notification-when-a-user-s-email-add.patch (8.83 KB) Jan from Planio www.plan.io, 2015-12-12 14:30

0006-Send-a-security-notification-when-certain-settings-a.patch (5.64 KB) Jan from Planio www.plan.io, 2015-12-13 07:10

0003-Send-a-security-notification-when-a-user-s-password-.patch (4.03 KB) Jan from Planio www.plan.io, 2015-12-13 08:13

0007-Send-a-security-notification-when-users-gain-or-loos.patch (8.34 KB) Jan from Planio www.plan.io, 2015-12-13 08:36

0008-Allow-overriding-of-originator-and-remote_ip-causing-a-s.patch (4.61 KB) Jan from Planio www.plan.io, 2015-12-13 09:38


Related issues

Related to Redmine - Defect #23369: encoding error in locales de.yml Closed

Associated revisions

Revision 15094
Added by Jean-Philippe Lang over 1 year ago

Add optional user parameter to I18n#format_time to (#21421).

This is useful for mails where times should be displayed in the timezone of the recipient - not the current user causing the mail to be sent.

Revision 15145
Added by Jean-Philippe Lang about 1 year ago

Security notifications when password or email address is changed (#21421).

Patch by Jan Schulz-Hofen.

Revision 15146
Added by Jean-Philippe Lang about 1 year ago

Harmonize setting labels (#21421).

For every setting, there should always be a "setting_%{label}
Patch by Jan Schulz-Hofen.

Revision 15147
Added by Jean-Philippe Lang about 1 year ago

Harmonize setting labels (#21421).

Revision 15148
Added by Jean-Philippe Lang about 1 year ago

Send a notification when security settings are changed (#21421).

Revision 15149
Added by Toshi MARUYAMA about 1 year ago

generate i18n keys (#21421)

Revision 15265
Added by Jean-Philippe Lang about 1 year ago

Send a security notification when users gain or lose admin (#21421).

Patch by Jan Schulz-Hofen.

Revision 15266
Added by Jean-Philippe Lang about 1 year ago

Send a single email to admins like other notifications (#21421).

Revision 15267
Added by Jean-Philippe Lang about 1 year ago

Let the mailer set the email content (#21421).

Revision 15269
Added by Jean-Philippe Lang about 1 year ago

Adds instance name to the security notification subject (#21421).

Revision 15399
Added by Jean-Philippe Lang 12 months ago

Adds a specific string for password changed notification (#21421).

Revision 15402
Added by Jean-Philippe Lang 12 months ago

Don't send a notification to the dummy email address of the default admin account (#21421).

Revision 15696
Added by Toshi MARUYAMA 9 months ago

fix encoding error in de.yml (#23369, #21421)

Revision 15697
Added by Toshi MARUYAMA 9 months ago

Merged r15696 from trunk to 3.3-stable (#23369, #21421)

fix encoding error in de.yml.

History

#1 Updated by Jan from Planio www.plan.io over 1 year ago

  • Description updated (diff)

#2 Updated by Jean-Philippe Lang over 1 year ago

  • Target version changed from Candidate for next major release to 3.3.0

Nice addition but maybe a bit late for 3.2.0. I'm assigning it to 3.3.0

#3 Updated by Jan from Planio www.plan.io over 1 year ago

Jean-Philippe Lang wrote:

Nice addition but maybe a bit late for 3.2.0. I'm assigning it to 3.3.0

Thanks for your feedback. 3.3.0 would be great!

After review, I'm also updating the patch series:

  • replace bogus gmail address with more appropriate example.foo address
  • rebase on current master (fixed a test)
  • use correct time zone for mails

#4 Updated by Jan from Planio www.plan.io over 1 year ago

  • File deleted (0002-Add-Mailer-security_notification.patch)

#5 Updated by Jan from Planio www.plan.io over 1 year ago

  • File deleted (0007-Send-a-security-notification-when-users-gain-or-loos.patch)

#6 Updated by Jan from Planio www.plan.io over 1 year ago

  • File deleted (0004-Send-a-security-notification-when-a-user-s-email-add.patch)

#7 Updated by Jan from Planio www.plan.io over 1 year ago

Fix Patch 4 so that the user whose email address is changed gets the mail (not the current user). They might differ in case an admin changes email addresses for a different user.

#8 Updated by Jan from Planio www.plan.io over 1 year ago

  • File deleted (0007-Send-a-security-notification-when-users-gain-or-loos.patch)

#9 Updated by Jan from Planio www.plan.io over 1 year ago

  • File deleted (0006-Send-a-security-notification-when-certain-settings-a.patch)

#10 Updated by Jan from Planio www.plan.io over 1 year ago

Fix patches 6 and 7 so that security notifications get sent to active admins only.

#11 Updated by Jan from Planio www.plan.io over 1 year ago

  • File deleted (0003-Send-a-security-notification-when-a-user-s-password-.patch)

#12 Updated by Jan from Planio www.plan.io over 1 year ago

Fix patch 3 to also send a security notification when the user's password is changed after a lost password.

#13 Updated by Jan from Planio www.plan.io over 1 year ago

  • File deleted (0007-Send-a-security-notification-when-users-gain-or-loos.patch)

#14 Updated by Jan from Planio www.plan.io over 1 year ago

Fix patch 7 to only send security notifications when admins are active.

#15 Updated by Jan from Planio www.plan.io over 1 year ago

Adding patch 8 which allows overriding of originator and remote_ip causing a security notification and use these overrides in lost password procedure (where no real session is initiated).

#16 Updated by Jean-Philippe Lang 12 months ago

  • Status changed from New to Closed
  • Assignee set to Jean-Philippe Lang
  • Resolution set to Fixed

Feature added with a few changes, e.g. we're sending one email about changed settings to all admins instead of one email to each admin for each setting.
Thanks.
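
The recipient rules settled in this thread (mail the affected user rather than the acting one, notify active admins only, skip the default admin's dummy address, allow originator and remote_ip overrides for the lost-password flow, and batch setting changes into one mail) can be expressed as follows. This is an added example in plain Ruby, not Redmine's code or part of the patch series; the struct and method names, the dummy address placeholder and the sample users are assumptions made for illustration.

```ruby
# Added illustration in plain Ruby; not Redmine's implementation.
User    = Struct.new(:login, :mail, :admin, :active)
Session = Struct.new(:user, :ip)   # user is nil when nobody is logged in
Notice  = Struct.new(:recipients, :changes, :originator, :remote_ip)

# Constructed placeholder for the default admin account's dummy address.
DUMMY_MAILS = ['admin@dummy.invalid'].freeze

# Drop blank and dummy addresses, and de-duplicate.
def deliverable(users)
  users.map { |u| u.mail.to_s.strip.downcase }
       .reject { |m| m.empty? || DUMMY_MAILS.include?(m) }
       .uniq
end

# Password or email change: mail the affected account, not the actor.
# originator/remote_ip override the session for flows without a real
# session, such as the lost-password procedure.
def account_notice(affected, change, session, originator: nil, remote_ip: nil)
  who = originator || session.user
  Notice.new(deliverable([affected]), [change],
             who ? who.login : 'unknown', remote_ip || session.ip)
end

# Global setting changes: one mail to all active admins, listing every
# changed setting, rather than one mail per admin per setting.
def settings_notice(users, changed, session)
  admins = users.select { |u| u.admin && u.active }
  Notice.new(deliverable(admins), changed.uniq.sort,
             session.user.login, session.ip)
end

# Constructed sample data.
ALICE = User.new('alice', 'alice@example.test', true, true)
BOB   = User.new('bob', 'bob@example.test', true, false)    # locked admin
CAROL = User.new('carol', 'carol@example.test', false, true)
ROOT  = User.new('admin', 'admin@dummy.invalid', true, true)
USERS = [ALICE, BOB, CAROL, ROOT].freeze

n = settings_notice(USERS, %w[login_required self_registration],
                    Session.new(ALICE, '203.0.113.7'))
puts "#{n.recipients.join(', ')}: #{n.changes.join(', ')} by #{n.originator}"
```
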

#17 Updated by Toshi MARUYAMA 9 months ago

  • Related to Defect #23369: encoding error in locales de.yml added

#18 Updated by Joel Bearden 9 months ago

This is a nice feature. How do I turn these notifications off? Or limit the recipient list?

#19 Updated by Toshi MARUYAMA 8 months ago

Joel Bearden wrote:

This is a nice feature. How do I turn these notifications off? Or limit the recipient list?

Please create a new feature issue.
