Defect #32193

Add turn on/off button to control sending security notifications

Added by Hinako Tajima 10 months ago. Updated 10 months ago.

Status:NewStart date:
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:Security
Target version:-
Resolution: Affected version:

Description

For sending security notifications, I wish to add the function that to make possible with controlling turn on/off by configuration or management console.

セキュリティ通知メールの送信を設定でON/OFFできるようにしてほしい。


Related issues

Related to Redmine - Feature #21421: Security Notifications when security related things are c... Closed

History

#1 Updated by Go MAEDA 10 months ago

  • Related to Feature #21421: Security Notifications when security related things are changed added

#2 Updated by Go MAEDA 10 months ago

  • Category set to Security

I think the "Administration" page must not have such a setting. It can be abused by a malicious admin.

But I think adding a setting to turn off security notifications in config/configuration.yml is OK because only a few people can touch the file and those who can update the file and restart Redmine have many other ways to disable security notifications such as changing SMTP settings and modifying the source code of Redmine.

My idea of the configuration to control security notification is like this:

diff --git a/config/configuration.yml.example b/config/configuration.yml.example
index a8b6be83c..563b68f9f 100644
--- a/config/configuration.yml.example
+++ b/config/configuration.yml.example
@@ -175,6 +175,15 @@ default:
   #sudo_mode: true
   #sudo_mode_timeout: 15

+  # Sends a security notification when security-related things are changed.
+  # A user receives notifications when security-related changes are made to
+  # their account (e.g. password or email address).
+  # Admins receives notifications about security-related global settings or
+  # addition/removal of other admins.
+  # Enabled by default.
+  #
+  #security_notification: true
+
   # Absolute path (e.g. /usr/bin/convert, c:/im/convert.exe) to
   # the ImageMagick's `convert` binary. Used to generate attachment thumbnails.
   #imagemagick_convert_command:

#3 Updated by Mischa The Evil 10 months ago

Go MAEDA wrote:

I think the "Administration" page must not have such a setting. [...]

I agree. If this is really something that we want to make configurable, which I would not prefer, the best place to do that is via the configuration.yml file.

@Hinako Tajima: could you please elaborate some more on the reasons why you want to have this configurable? What's the use case?

#4 Updated by Hinako Tajima 10 months ago

Go MAEDA wrote:

My idea of the configuration to control security notification is like this:

[...]

Thank you for your comment and your contribution to the configuration.

Mischa The Evil wrote:

@Hinako Tajima: could you please elaborate some more on the reasons why you want to have this configurable? What's the use case?

The user whose mail setting is "not send" as a default setting, but he/she can't control the setting for security notification. This is the reason why I required to add this function.

Also available in: Atom PDF