Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Email a user when any changes are made to their account #621

Closed
danielcompton opened this issue Feb 9, 2017 · 3 comments
Closed

Email a user when any changes are made to their account #621

danielcompton opened this issue Feb 9, 2017 · 3 comments
Labels
ready-for-work security
Projects
H1 2022 Security Improvements

Comments

@danielcompton
Copy link
Member

It would be good to email a user when any changes are made to their account or groups, and optionally email them when a deploy is made.
@tobias
Copy link
Member

tobias commented Feb 9, 2017

#153 is related, as it covers the email-on-deploy part of this.

@danielcompton
Copy link
Member Author

Send emails on important lifecycle events:

  • We should send emails to users every time their email or password is changed (sending an email to old and new account)
  • We should send emails to users when an artifact is deployed. We would probably want a way to unsubscribe from these emails on a per artifact basis. I’m also not sure who we would send the email to: just the user that deployed, the admins for the group, or everyone who has deploy permissions?
  • Email to admins and the user involved whenever someone is added/removed from a group
  • New artifact created

Those emails should have as much information as possible to help people detect if there is anything malicious happening. However we also need to balance GDPR and privacy concerns here. I would suggest:

  • IP address, with last octet removed
  • A geolocated location
  • Maybe the AS number and owner?
  • The user agent string
  • The time (ideally in UTC time and local time, though we don’t currently track a user’s local time)

@tobias tobias moved this from To do to In progress in H1 2022 Security Improvements Apr 23, 2022
@tobias tobias mentioned this issue May 3, 2022
Merged
@tobias
Copy link
Member

tobias commented May 3, 2022

#827 implements all of the user notifications:

  • password reset
  • password changed
  • email changed

And updates the MFA notifications to include more identifying information. Sending deployment notifications was handled in #153/#820, so all that is left is group membership changes.

tobias added a commit that referenced this issue Jun 28, 2022
@tobias
Send emails on group membership changes
d33dd49 
This will email the user that was added or removed from the group, along
with all group admins.

Implements #621.
@tobias tobias mentioned this issue Jun 28, 2022
Merged
tobias added a commit that referenced this issue Jun 29, 2022
@tobias
Send emails on group membership changes
5d3e459 
This will email the user that was added or removed from the group, along
with all group admins.

Implements #621.
tobias added a commit that referenced this issue Jun 29, 2022
@tobias
Send emails on group membership changes
936c9e0 
This will email the user that was added or removed from the group, along
with all group admins.

Implements #621.
@tobias tobias closed this as completed Jun 29, 2022
H1 2022 Security Improvements automation moved this from In progress to Done Jun 29, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
ready-for-work security
Projects
H1 2022 Security Improvements
Done
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tobias @danielcompton