Do not send password changed email when triggered by API #14267
Comments
Makes sense 👍
Could be maybe an API parameter optionally that allows to send email but maybe not needed.
Actually, best would be to add an API parameter for whether to send an email or not and our UI that issues the API would force sending the email.
Makes sense, but this also raises the new issue that this kind of circumvents the original purpose (or at least one of them) of the feature (detect when an attacker tries to change your password). If someone can simply change the password without sending the E-Mail then the E-Mail doesn't really carry that much information anymore. Of course one could make this parameter only available to admin users but still then admin accounts wouldn't really be protected. Honestly I am not sure how other websites/webapps are implementing this.
I think it's fine to have the option to disable it through the API. Alternatively we could add a new config setting but this is hard for users that can't change the config option (eg on cloud). @mattab any thoughts?
When a password change is triggered by the API method "UsersManager.updateUser" (confirm PW = ADMIN PW), no "password changed" e-mail should be sent.
Reason: In our case we have Matomo integrated into our SaaS CMS with automatic PW changes over the API. Since 3.9.1 thousands of our customers are getting double mails ... one from our CMS and one from Matomo, resulting in countless support calls / mails.
Related to: #14240 (Do not send password changed email for automated use cases)
Forum Reference: https://forum.matomo.org/t/3-9-1-password-changed-e-mail-on-automated-password-changes-by-api/32262
thx
Andreas Schnederle-Wagner