Defect #44173
closedPassword reset security notification does not include IP address
Description
The password reset email notification doesn't include the IP address.
I have a Redmine 6.0.3 environment, and when I perform the password reset procedure from the Lost Password login home page, I'm sent an email to log in with a token.
After logging in with a token and resetting the password, Redmine notifies me via email, but the IP Address field is null.
this is a log, and remote_ip is nil.
I, [2026-06-15T08:42:33.474305 #2179] INFO -- : [ActiveJob] [Mailer::DeliveryJob] [7b90f747-4357-4b07-b15d-588dcb04e2ee] Performing Mailer::DeliveryJob (Job ID: 7b90f747-4357-4b07-b15d-588dcb04e2ee) from Async(mailers) enqueued at 2026-06-15T06:42:33.469476002Z with arguments: "Mailer", "security_notification", "deliver_now", {:args=>[#<GlobalID:0x00007f4fa254fb48 昇吾 津江=#<URI::GID gid://redmine-app/User/357>>, #<GlobalID:0x00007f4fa254f698 昇吾 津江=#<URI::GID gid://redmine-app/AnonymousUser/4>>, {:message=>"mail_body_password_updated", :title=>"button_change_password", :url=>{:controller=>"my", :action=>"password"}, :remote_ip=>nil}]}
How can I have the IP address included in the email notification?
If I change my password or email address, the IP address is notified and everything works normally.
The IP address is not included when accessing via token or resetting your password.
Thank you.
Files
Related issues
Updated by Go MAEDA 27 days ago
- File 44173.patch 44173.patch added
- Subject changed from IP Address is null :remote_ip=>nil to Password reset security notification does not include IP address
- Target version set to Candidate for next minor release
I was able to reproduce the issue where the IP address is blank in the security notification when a password is changed using a password recovery token.
The cause is that the password reset flow in AccountController#lost_password runs while the user is not logged in. In a normal logged-in request, ApplicationController#find_current_user identifies the current user and sets request.remote_ip on that user object. However, in the password reset flow using a recovery token, User.current remains User.anonymous, and Mailer.deliver_password_updated(@user, User.current) passes the anonymous user as the sender of the security notification. As a result, sender.remote_ip is nil, and the remote IP address is blank in the security notification.
The attached patch fixes this issue. It sets request.remote_ip on the user whose password was successfully reset, and then calls Mailer.deliver_password_updated(@user, @user). This makes the security notification show the affected user and the request IP address correctly, as it does for normal password changes by logged-in users.
Updated by Damiano Sparta 27 days ago
Thank you so much for your support.
Thanks to the patch you provided, the IP address and account are now included in the notification email.
Regards
Updated by Go MAEDA 27 days ago
- Target version changed from Candidate for next minor release to 6.0.11
Damiano Sparta wrote in #note-3:
Thanks to the patch you provided, the IP address and account are now included in the notification email.
Thank you for testing the patch. The fix will be delivered in the next maintenance release.
Updated by Marius BĂLTEANU 17 days ago
- Target version changed from 6.0.11 to 7.0.0
Updated by Marius BĂLTEANU 17 days ago
- Copied to Defect #44220: Backport password reset security notification does not include IP address added