Modify

Opened 2 years ago

Closed 2 months ago

Last modified 2 months ago

#13312 closed defect (fixed)

Password reset and e-mail verification mails are sent out to smtp_public_cc addresses on Trac 1.2

Reported by: Frau Boonekamp Owned by: Ryan J Ollos
Priority: highest Component: AccountManagerPlugin
Severity: blocker Keywords:
Cc: Thomas Moschny, Peter Suter Trac Release:

Description (last modified by Frau Boonekamp)

We have found that AccountManager emails have been sent to our public mailing list, once we upgraded to Trac 1.2.2.

See this password email and this user verification mail.

The issue seems to be that the new notification system no longer uses the get_smtp_address method, so the override will no longer work.

For now we have disabled sending emails to the public cc mailing list.

Attachments (0)

Change History (19)

comment:1 Changed 2 years ago by Frau Boonekamp

Description: modified (diff)

comment:2 Changed 2 years ago by Ryan J Ollos

See also #13074. Please share your [notification] and [account-manager] sections, with sensitive information obfuscated.

comment:3 Changed 2 years ago by Ryan J Ollos

Status: newaccepted

comment:4 Changed 2 years ago by anonymous

[account-manager]
account_changes_notify_addresses = 
authentication_url = 
db_htdigest_realm = temp
force_passwd_change = disabled
hash_method = HtDigestHashMethod
htdigest_file = /srv/trac/XXX/auth/trac.htdig
htdigest_realm = haiku
notify_actions = 
password_store = HtDigestStore
persistent_sessions = enabled
refresh_passwd = disabled
register_check = BasicCheck,EmailCheck,RegExpCheck,UsernamePermCheck,RegistrationFilterAdapter
user_lock_max_time = 86400
verify_email = enabled

[notification]
smtp_public_cc = XXX@freelists.org
maxheaderlen = 78
mime_encoding = qp
smtp_enabled = enabled
smtp_from = trac@XXX.org
smtp_from_author = enabled
smtp_replyto = noreply@XXX.org
smtp_server = localhost
use_public_cc = disabled
Last edited 2 years ago by Ryan J Ollos (previous) (diff)

comment:5 in reply to:  4 Changed 2 years ago by Frau Boonekamp

Would it be an option to rewrite the configuration temporarily while sending, like is done with the use_public_cc configuration setting?

comment:6 Changed 2 years ago by Ryan J Ollos

We need to add support for the new notification system in Trac: #13124. I hope to address that in the coming weeks.

comment:7 Changed 22 months ago by David Bonnin

any news? i just made mistake at job with that today, lol.

comment:8 Changed 19 months ago by Thomas Moschny

Cc: Thomas Moschny added

Also seeing this with 1.2.2 and notification.smtp_always_cc set.

comment:9 Changed 13 months ago by Amar Takhar

This was fixed in ticket #8796.

comment:10 Changed 3 months ago by Niels Sascha Reedijk

See #13124 for a patch that has been tested on Trac 1.3.6.

comment:11 Changed 2 months ago by Ryan J Ollos

Cc: Peter Suter added

@psuter: I hope you don't mind that I CC you for advice. I'm working on a patch for #13124 that uses the new notification system. I recall some discussion previously about the implementation of smtp_always_cc and smtp_always_bcc implemented in AlwaysEmailSubscriber.

Is there a good way to avoid that subscriber for a realm such as 'account'?

comment:12 Changed 2 months ago by Peter Suter

No worries. :) Yes, I vaguely remember previous discussion about this. I found #13074. I have not studied it recently in detail, but I assume that information is still accurate. Does that help?

comment:13 Changed 2 months ago by Peter Suter

Also t:ticket:5670 and t:ticket:9148 have related discussions.

comment:14 Changed 2 months ago by Ryan J Ollos

Yeah, looks like some options to consider.

Another question: Is there a recommended way to require a permission, such as ACCTMGR_USER_ADMIN, for a subscriber? Seems like we need to pass req.authname to the description method.

Last edited 2 months ago by Ryan J Ollos (previous) (diff)

comment:15 in reply to:  14 Changed 2 months ago by Ryan J Ollos

Replying to Ryan J Ollos:

Another question: Is there a recommended way to require a permission, such as ACCTMGR_USER_ADMIN, for a subscriber? Seems like we need to pass req.authname to the description method.

Ah, I see that this is also addressed in trac:#5670.

comment:16 Changed 2 months ago by Ryan J Ollos

In 17492:

TracAccountManager 0.5.1dev: Adapt to Trac 1.2 notification system

Refs #13312, #13124.

comment:17 Changed 2 months ago by Ryan J Ollos

In 17495:

TracAccountManager 0.6dev: Bump trunk to version 0.6

The trunk only supports Trac >= 1.2 since r17492.

Refs #13312, #13124.

comment:18 Changed 2 months ago by Ryan J Ollos

Resolution: fixed
Status: acceptedclosed

This should be fixed if using Trac 1.2 or later. See #13124 for more details.

comment:19 Changed 2 months ago by Ryan J Ollos

In 17506:

TracAccountManager 0.6dev: Refactor r17492

Refs #13312, #13124.

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Ryan J Ollos.
The resolution will be deleted. Next status will be 'reopened'.

Add Comment


E-mail address and name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.