Project

General

Profile

Actions

Defect #44173

closed

Password reset security notification does not include IP address

Added by Damiano Sparta about 1 month ago. Updated 17 days ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Email notifications
Target version:
Resolution:
Fixed
Affected version:

Description

The password reset email notification doesn't include the IP address.
I have a Redmine 6.0.3 environment, and when I perform the password reset procedure from the Lost Password login home page, I'm sent an email to log in with a token.
After logging in with a token and resetting the password, Redmine notifies me via email, but the IP Address field is null.

this is a log, and remote_ip is nil.

I, [2026-06-15T08:42:33.474305 #2179] INFO -- : [ActiveJob] [Mailer::DeliveryJob] [7b90f747-4357-4b07-b15d-588dcb04e2ee] Performing Mailer::DeliveryJob (Job ID: 7b90f747-4357-4b07-b15d-588dcb04e2ee) from Async(mailers) enqueued at 2026-06-15T06:42:33.469476002Z with arguments: "Mailer", "security_notification", "deliver_now", {:args=>[#<GlobalID:0x00007f4fa254fb48 昇吾 津江=#<URI::GID gid://redmine-app/User/357>>, #<GlobalID:0x00007f4fa254f698 昇吾 津江=#<URI::GID gid://redmine-app/AnonymousUser/4>>, {:message=>"mail_body_password_updated", :title=>"button_change_password", :url=>{:controller=>"my", :action=>"password"}, :remote_ip=>nil}]}

How can I have the IP address included in the email notification?

If I change my password or email address, the IP address is notified and everything works normally.

The IP address is not included when accessing via token or resetting your password.
Thank you.


Files

clipboard-202606150855-xbyft.png (7.3 KB) clipboard-202606150855-xbyft.png Damiano Sparta, 2026-06-15 08:55
44173.patch (1.38 KB) 44173.patch Go MAEDA, 2026-06-18 08:31

Related issues

Copied to Redmine - Defect #44220: Backport password reset security notification does not include IP addressClosedGo MAEDAActions
Actions #1

Updated by Go MAEDA 29 days ago

  • Status changed from New to Confirmed
Actions #2

Updated by Go MAEDA 27 days ago

  • File 44173.patch 44173.patch added
  • Subject changed from IP Address is null :remote_ip=>nil to Password reset security notification does not include IP address
  • Target version set to Candidate for next minor release

I was able to reproduce the issue where the IP address is blank in the security notification when a password is changed using a password recovery token.

The cause is that the password reset flow in AccountController#lost_password runs while the user is not logged in. In a normal logged-in request, ApplicationController#find_current_user identifies the current user and sets request.remote_ip on that user object. However, in the password reset flow using a recovery token, User.current remains User.anonymous, and Mailer.deliver_password_updated(@user, User.current) passes the anonymous user as the sender of the security notification. As a result, sender.remote_ip is nil, and the remote IP address is blank in the security notification.

The attached patch fixes this issue. It sets request.remote_ip on the user whose password was successfully reset, and then calls Mailer.deliver_password_updated(@user, @user). This makes the security notification show the affected user and the request IP address correctly, as it does for normal password changes by logged-in users.

Actions #3

Updated by Damiano Sparta 27 days ago

Thank you so much for your support.
Thanks to the patch you provided, the IP address and account are now included in the notification email.
Regards

Actions #4

Updated by Go MAEDA 27 days ago

  • Target version changed from Candidate for next minor release to 6.0.11

Damiano Sparta wrote in #note-3:

Thanks to the patch you provided, the IP address and account are now included in the notification email.

Thank you for testing the patch. The fix will be delivered in the next maintenance release.

Actions #5

Updated by Go MAEDA 22 days ago

  • Status changed from Confirmed to Resolved
  • Assignee set to Go MAEDA
  • Resolution set to Fixed

Committed the fix in r24808.

Actions #6

Updated by Marius BĂLTEANU 17 days ago

  • Status changed from Resolved to Closed
Actions #7

Updated by Marius BĂLTEANU 17 days ago

  • Target version changed from 6.0.11 to 7.0.0
Actions #8

Updated by Marius BĂLTEANU 17 days ago

  • Copied to Defect #44220: Backport password reset security notification does not include IP address added
Actions

Also available in: Atom PDF