#13312 closed defect (fixed)
Password reset and e-mail verification mails are sent out to smtp_public_cc addresses on Trac 1.2
| Reported by: | Frau Boonekamp | Owned by: | Ryan J Ollos |
|---|---|---|---|
| Priority: | highest | Component: | AccountManagerPlugin |
| Severity: | blocker | Keywords: | |
| Cc: | Thomas Moschny, Peter Suter | Trac Release: |
Description (last modified by )
We have found that AccountManager emails have been sent to our public mailing list, once we upgraded to Trac 1.2.2.
See this password email and this user verification mail.
The issue seems to be that the new notification system no longer uses the get_smtp_address method, so the override will no longer work.
For now we have disabled sending emails to the public cc mailing list.
Attachments (0)
Change History (19)
comment:1 Changed 7 years ago by
| Description: | modified (diff) |
|---|
comment:2 Changed 7 years ago by
comment:3 Changed 7 years ago by
| Status: | new → accepted |
|---|
comment:4 follow-up: 5 Changed 7 years ago by
[account-manager] account_changes_notify_addresses = authentication_url = db_htdigest_realm = temp force_passwd_change = disabled hash_method = HtDigestHashMethod htdigest_file = /srv/trac/XXX/auth/trac.htdig htdigest_realm = haiku notify_actions = password_store = HtDigestStore persistent_sessions = enabled refresh_passwd = disabled register_check = BasicCheck,EmailCheck,RegExpCheck,UsernamePermCheck,RegistrationFilterAdapter user_lock_max_time = 86400 verify_email = enabled [notification] smtp_public_cc = XXX@freelists.org maxheaderlen = 78 mime_encoding = qp smtp_enabled = enabled smtp_from = trac@XXX.org smtp_from_author = enabled smtp_replyto = noreply@XXX.org smtp_server = localhost use_public_cc = disabled
comment:5 Changed 7 years ago by
Would it be an option to rewrite the configuration temporarily while sending, like is done with the use_public_cc configuration setting?
comment:6 Changed 7 years ago by
We need to add support for the new notification system in Trac: #13124. I hope to address that in the coming weeks.
comment:8 Changed 7 years ago by
| Cc: | Thomas Moschny added |
|---|
Also seeing this with 1.2.2 and notification.smtp_always_cc set.
comment:11 Changed 5 years ago by
| Cc: | Peter Suter added |
|---|
@psuter: I hope you don't mind that I CC you for advice. I'm working on a patch for #13124 that uses the new notification system. I recall some discussion previously about the implementation of smtp_always_cc and smtp_always_bcc implemented in AlwaysEmailSubscriber.
Is there a good way to avoid that subscriber for a realm such as 'account'?
comment:12 Changed 5 years ago by
No worries. :) Yes, I vaguely remember previous discussion about this. I found #13074. I have not studied it recently in detail, but I assume that information is still accurate. Does that help?
comment:14 follow-up: 15 Changed 5 years ago by
Yeah, looks like some options to consider.
Another question: Is there a recommended way to require a permission, such as ACCTMGR_USER_ADMIN, for a subscriber? Seems like we need to pass req.authname to the description method.
comment:15 Changed 5 years ago by
Replying to Ryan J Ollos:
Another question: Is there a recommended way to require a permission, such as
ACCTMGR_USER_ADMIN, for a subscriber? Seems like we need to passreq.authnameto thedescriptionmethod.
Ah, I see that this is also addressed in trac:#5670.
comment:18 Changed 5 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | accepted → closed |
This should be fixed if using Trac 1.2 or later. See #13124 for more details.
See also #13074. Please share your
[notification]and[account-manager]sections, with sensitive information obfuscated.