When Password change is triggered by API "UsersManager.updateUser" Method (confirm PW = ADMIN PW) no "password changed" E-Mail should be sent.
Reason: We for our case got Matomo integrated into our SAAS CMS with automatic PW changes over the API. Since 3.9.1 thousands of our Customers getting double Mails ... one from our CMS and one from Matomo - resulting in countless Support Calls / Mails.
Related to: https://github.com/matomo-org/matomo/pull/14240 (Do not send password changed email for automated use cases)
Makes sense 👍
Could be maybe an API parameter optionally that allows to send email but maybe not needed.
Actually, best would be to add an API parameter for whether to send an email or not and our UI that issues the API would force sending the email.
Makes sense, but this also raises the new issue that this kind of circumvents the original purpose (or at least one of them) of the feature (detect when an attacker tries to change your password).
If someone can simply change the password without sending the E-Mail then the E-Mail doesn't really carry that much information anymore.
Of course one could make this parameter only available to admin users but still then admin accounts wouldn't really be protected.
Honestly I am not sure how other websites/webapps are implementing this.
I think it's fine to have the option to disable it through the API. Alternatively we could add a new config setting but this is hard for users that can't change the config option (eg on cloud). @mattab any thoughts?