@futureweb opened this Issue on March 25th 2019 Contributor

When a password change is triggered by the API method "UsersManager.updateUser" (confirm PW = ADMIN PW), no "password changed" e-mail should be sent.

Reason: in our case we have Matomo integrated into our SaaS CMS, with automatic PW changes over the API. Since 3.9.1, thousands of our customers are getting double mails ... one from our CMS and one from Matomo - resulting in countless support calls / mails.

Related to: https://github.com/matomo-org/matomo/pull/14240 (Do not send password changed email for automated use cases)

Forum Reference: https://forum.matomo.org/t/3-9-1-password-changed-e-mail-on-automated-password-changes-by-api/32262

thx
Andreas Schnederle-Wagner

@tsteur commented on March 25th 2019 Member

Makes sense 👍

@tsteur commented on March 25th 2019 Member

Could maybe be an optional API parameter that allows sending the email, but maybe not needed.

@tsteur commented on March 27th 2019 Member

Actually, the best would be to add an API parameter for whether to send an email or not, and our UI that issues the API call would force sending the email.

@Findus23 commented on March 27th 2019 Member

Makes sense, but this also raises the new issue that it kind of circumvents the original purpose (or at least one of them) of the feature (detecting when an attacker tries to change your password).

If someone can simply change the password without sending the e-mail, then the e-mail doesn't really carry that much information anymore.

Of course, one could make this parameter available only to admin users, but even then admin accounts wouldn't really be protected.

Honestly I am not sure how other websites/webapps are implementing this.

@tsteur commented on March 27th 2019 Member

I think it's fine to have the option to disable it through the API. Alternatively, we could add a new config setting, but this is hard for users that can't change the config option (e.g. on cloud). @mattab any thoughts?

@mattab commented on March 27th 2019 Member
  • +1 for a new config file setting to disable the email notifications. (Config file settings can't be changed through the UI, so an attacker couldn't disable it, and it should keep the feature secure.)
  • We can document the setting in a new FAQ: "How do I disable the email notifications when the password is changed and the email address is changed?"
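The two designs argued over in this thread, modelled as an added example (this is not Matomo code, and not code by any participant): the `UsersManagerApi` class, the `token-<login>` token format, the in-memory outbox and the config key name `enable_update_users_email` are all assumptions made for the illustration. Both update variants require the caller's own password as `passwordConfirmation`, as the issue describes. With the API-parameter design, whoever holds a superuser token can suppress the notification; with the config-file design, the caller has no way to, and the reporter's automated CMS case is handled by the server-side setting instead.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever hashing the real application does
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


@dataclass
class User:
    login: str
    email: str
    salt: bytes
    pw_hash: bytes
    is_superuser: bool = False


@dataclass
class Config:
    # Assumed config-file key: only editable on the server's file system,
    # never through the API or the UI (the argument for a config setting above).
    enable_update_users_email: bool = True


class UsersManagerApi:
    """Toy stand-in for the UsersManager API (assumed names, not Matomo's)."""

    def __init__(self, config: Config):
        self.config = config
        self.users: dict[str, User] = {}
        self.tokens: dict[str, str] = {}          # token_auth -> login
        self.outbox: list[tuple[str, str]] = []   # (recipient, subject) instead of SMTP

    def add_user(self, login, email, password, is_superuser=False) -> str:
        salt = os.urandom(16)
        self.users[login] = User(login, email, salt, _hash(password, salt), is_superuser)
        token = "token-" + login                  # assumed token format
        self.tokens[token] = login
        return token

    def _check_caller(self, token_auth, password_confirmation) -> None:
        # passwordConfirmation is the *caller's* (admin's) password, not the target's
        caller = self.users[self.tokens[token_auth]]
        if not caller.is_superuser:
            raise PermissionError("superuser access required")
        if not hmac.compare_digest(_hash(password_confirmation, caller.salt), caller.pw_hash):
            raise PermissionError("passwordConfirmation does not match the caller's password")

    def _set_password(self, login, password) -> None:
        user = self.users[login]
        user.salt = os.urandom(16)
        user.pw_hash = _hash(password, user.salt)

    # Design A (API parameter): whoever holds the token decides about the e-mail.
    def update_user_param(self, token_auth, user_login, password,
                          password_confirmation, send_email=True) -> None:
        self._check_caller(token_auth, password_confirmation)
        self._set_password(user_login, password)
        if send_email:
            self.outbox.append((self.users[user_login].email, "password changed"))

    # Design B (config setting): the caller cannot influence the notification.
    def update_user_config(self, token_auth, user_login, password,
                           password_confirmation) -> None:
        self._check_caller(token_auth, password_confirmation)
        self._set_password(user_login, password)
        if self.config.enable_update_users_email:
            self.outbox.append((self.users[user_login].email, "password changed"))


def notifications_after_hostile_change(design: str) -> int:
    """An attacker holding the superuser's token_auth *and* password (e.g. phished)
    changes that password to lock the victim out. Returns how many
    'password changed' mails the victim's inbox would receive."""
    api = UsersManagerApi(Config(enable_update_users_email=True))
    tok = api.add_user("admin", "admin@example.com", "correct horse", is_superuser=True)
    if design == "param":
        api.update_user_param(tok, "admin", "attacker-pw", "correct horse", send_email=False)
    else:
        api.update_user_config(tok, "admin", "attacker-pw", "correct horse")
    return len(api.outbox)


def notifications_after_cms_rotation(enable_email: bool) -> int:
    """The reporter's automated SaaS case: the CMS (as superuser) rotates a
    customer's password and already mails the customer itself."""
    api = UsersManagerApi(Config(enable_update_users_email=enable_email))
    tok = api.add_user("cms", "ops@example.com", "cms-secret", is_superuser=True)
    api.add_user("customer1", "c1@example.com", "old-pw")
    api.update_user_config(tok, "customer1", "rotated-pw", "cms-secret")
    return len(api.outbox)
```

Under design A the hostile change produces zero notifications, which is exactly the loss of signal raised in the thread; under design B it produces one, while the CMS integration still gets silence by setting the config key to false on its own server.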
This Issue was closed on April 11th 2019