Email notification for demoted/removed user #3264

brainwane · 2018-03-15T03:58:28Z

Followup to #1000: we should email the user (and possibly all the other owners/maintainers of a project as well) when they were an owner/maintainer of a project but have just been demoted or removed from the project.

if a user is removed from a [maintainer or owner] role, then that user should also be emailed (e.g., to prevent an attacker who has compromised one owner, from silently removing other owners of a package, prior to uploading a new malicious package, thereby circumventing #997).

-- @edmorley

- Send email to the user whose role has been changed/removed. - Send email to other owners of the project. - The person who made the change will not receive the email. Closes pypi#3264

- Send email to the user whose role has been changed/removed. - Send email to other owners of the project. - The person who made the change will not receive the email. Closes pypi#3264 Make linters happy Improve the tests and coverage Update email text. Notify all owners for any role changes. Update email subjects. Update tests. Since we're always sending email to all owners now when role changed, email recipients shouldn't ever be empty. The order matters? Reordering list ordering issue Minor changes Resolved a lint issue

- Send email to the user whose role has been changed/removed. - Send email to other owners of the project. - The person who made the change will not receive the email. Closes pypi#3264 Make linters happy Improve the tests and coverage Update email text. Notify all owners for any role changes. Update email subjects. Update tests. Since we're always sending email to all owners now when role changed, email recipients shouldn't ever be empty. The order matters? Reordering list ordering issue Minor changes Resolved a lint issue Resolved code reviews Used {%- -%} to strip additional new lines

- Send email to the user whose role has been changed/removed. - Send email to other owners of the project. - The person who made the change will not receive the email. Closes pypi#3264 Make linters happy Improve the tests and coverage Update email text. Notify all owners for any role changes. Update email subjects. Update tests. Since we're always sending email to all owners now when role changed, email recipients shouldn't ever be empty. The order matters? Reordering list ordering issue Minor changes Resolved a lint issue Resolved code reviews Used {%- -%} to strip additional new lines Resolved lint issue

brainwane · 2019-05-16T18:23:03Z

To do this the right way, we should wait till we have #5863 implemented, so we can draw on the event logging and use it to trigger this notification.

rascalking · 2020-05-08T00:51:56Z

I finally got the code in #3853 rebased on master, and am looking at driving the notifications from the event logging. I don't see any triggers or signal plumbing in #6339. When you say the event logging should trigger the notification, are you talking about calling these notifications directly from Project.record_event and User.record_event? Or are you looking for us to use the db signals to watch for UserEvent objects being created?

brainwane · 2020-05-08T01:34:59Z

I defer to @di and @ewdurbin and @yeraydiazdiaz on this.

brainwane · 2020-06-25T05:15:37Z

@di do you have some feedback on @rascalking's question?

di · 2020-06-25T06:00:34Z

I think either could work. I think it would be probably more straightforward to just do this in *.record_event, and probably more thorough to hook into ProjectEvent/UserEvent object creation.

I think what would be even more powerful is if every Event was published to our task queue, and for every individual type of event, there was a way to resolve asynchronous actions that should happen as a result of that event, like sending an email. That's a bit more than what we're asking for here right now though.

di · 2020-07-15T17:12:50Z

@rascalking Any updates here? Are you still working on this?

rascalking · 2020-07-31T23:55:13Z

Sorry, I don't think I'm going to be able to finish this.

brainwane · 2020-08-18T20:40:03Z

Thank you, @patelneel55!

brainwane added help needed We'd love volunteers to advise on or help fix/implement this. feature request labels Mar 15, 2018

brainwane added this to the 6. Post Legacy Shutdown milestone Mar 15, 2018

Mariatta mentioned this issue Mar 18, 2018

Email notification when user's role is changed/removed. #3306

Closed

waseem18 mentioned this issue Apr 29, 2018

Email notification when user's role is changed/removed. #3853

Closed

brainwane added the blocked Issues we can't or shouldn't get to yet label May 16, 2019

brainwane removed the blocked Issues we can't or shouldn't get to yet label Aug 15, 2019

patelneel55 mentioned this issue Jul 27, 2020

Email notification when a role is changed/removed #8328

Merged

di closed this as completed in #8328 Aug 4, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Email notification for demoted/removed user #3264

Email notification for demoted/removed user #3264

brainwane commented Mar 15, 2018

brainwane commented May 16, 2019

rascalking commented May 8, 2020

brainwane commented May 8, 2020

brainwane commented Jun 25, 2020

di commented Jun 25, 2020

di commented Jul 15, 2020

rascalking commented Jul 31, 2020

brainwane commented Aug 18, 2020

Email notification for demoted/removed user #3264

Email notification for demoted/removed user #3264

Comments

brainwane commented Mar 15, 2018

brainwane commented May 16, 2019

rascalking commented May 8, 2020

brainwane commented May 8, 2020

brainwane commented Jun 25, 2020

di commented Jun 25, 2020

di commented Jul 15, 2020

rascalking commented Jul 31, 2020

brainwane commented Aug 18, 2020