Merge branch 'security-email-change-notification' into 'master'

[master] Resolve: "Provide email notification when a user changes their email address" See merge request gitlab/gitlabhq!2587
2018-11-28 22:54:52 +00:00 · 2018-11-28 22:54:52 +00:00 · 31f9223aa6
commit 31f9223aa6
parent 82cd250b69 dd88eb0c5c
5 changed files with 32 additions and 0 deletions
--- a/app/views/devise/mailer/email_changed.html.haml
+++ b/app/views/devise/mailer/email_changed.html.haml
@ -0,0 +1,12 @@
+= email_default_heading("Hello, #{@resource.name}!")
+
+- if @resource.try(:unconfirmed_email?)
+  %p
+    We're contacting you to notify you that your email is being changed to #{@resource.reload.unconfirmed_email}.
+- else
+  %p
+    We're contacting you to notify you that your email has been changed to #{@resource.email}.
+
+%p
+  If you did not initiate this change, please contact your administrator
+  immediately.
--- a/app/views/devise/mailer/email_changed.text.erb
+++ b/app/views/devise/mailer/email_changed.text.erb
@ -0,0 +1,10 @@
+Hello, <%= @resource.name %>!
+
+<% if @resource.try(:unconfirmed_email?) %>
+We're contacting you to notify you that your email is being changed to <%= @resource.reload.unconfirmed_email %>.
+<% else %>
+We're contacting you to notify you that your email has been changed to <%= @resource.email %>.
+<% end %>
+
+If you did not initiate this change, please contact your administrator
+immediately.
--- a/changelogs/unreleased/security-email-change-notification.yml
+++ b/changelogs/unreleased/security-email-change-notification.yml
@ -0,0 +1,5 @@
+---
+title: Provide email notification when a user changes their email address
+merge_request:
+author:
+type: security
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@ -103,6 +103,9 @@ Devise.setup do |config|
  # Send a notification email when the user's password is changed
  config.send_password_change_notification = true

+  # Send a notification email when the user's email is changed
+  config.send_email_changed_notification = true
+
  # ==> Configuration for :validatable
  # Range for password length. Default is 6..128.
  config.password_length = 8..128
--- a/doc/workflow/notifications.md
+++ b/doc/workflow/notifications.md
@ -64,6 +64,8 @@ Below is the table of events users can be notified of:
 |------------------------------|-------------------------------------------------------------------|------------------------------|
 | New SSH key added            | User                                                              | Security email, always sent. |
 | New email added              | User                                                              | Security email, always sent. |
+| Email changed                | User                                                              | Security email, always sent. |
+| Password changed             | User                                                              | Security email, always sent. |
 | New user created             | User                                                              | Sent on user creation, except for omniauth (LDAP)|
 | User added to project        | User                                                              | Sent when user is added to project |
 | Project access level changed | User                                                              | Sent when user project access level is changed |