Skip to content

Email all owners when a new owner/maintainer is added #1000

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
edmorley opened this issue Mar 3, 2016 · 6 comments
Closed

Email all owners when a new owner/maintainer is added #1000

edmorley opened this issue Mar 3, 2016 · 6 comments
Labels
feature request
Milestone
Post Legacy Shutd...

Comments

@edmorley
Copy link

edmorley commented Mar 3, 2016

To make account compromise more obvious, it would be great if all owners of a package were emailed when a new owner or maintainer was added to a package.

In addition, if a user is removed from a role, then that user should also be emailed (eg to prevent an attacker who has compromised one owner, from silently removing other owners of a package, prior to uploading a new malicious package, thereby circumventing #997).
@brainwane brainwane added this to the 6. Post Legacy Shutdown milestone Feb 20, 2018
@brainwane
Copy link
Contributor

Thanks for the great suggestion, @edmorley, and sorry for the slow response!

This would be a useful security/audit feature, and in addition, we should also send an email notification to newly added collaborators. And now that we have better email management in Warehouse (just added in the past few weeks), it's far easier to add this feature.

Today in our development meeting we discussed where this should go on our development roadmap. The most urgent task is to improve Warehouse to the point where we can redirect pypi.python.org to pypi.org so the site is more sustainable and reliable. Since this feature isn't something that the legacy site has, I've moved it to a future milestone. But that doesn't have to stop a volunteer from working on it now; if someone wants to write up a pull request for it, go ahead!

Thanks and sorry again for the wait.

@brainwane brainwane modified the milestones: 6. Post Legacy Shutdown, 5: Shut Down Legacy PyPI Feb 20, 2018
@Mariatta
Copy link
Contributor

Mariatta commented Mar 6, 2018

I'd be interested to work on this.
I'm not familiar with the codebase yet. Quick look at https://github.com/pypa/warehouse/blob/master/warehouse/manage/views.py#L550, perhaps around there we can send the email to owners. Am I in the right track for this?
Thanks :)

@brainwane brainwane modified the milestones: 5: Shut Down Legacy PyPI, 6. Post Legacy Shutdown Mar 6, 2018
@brainwane
Copy link
Contributor

Thanks, @Mariatta! I'll defer to @di who implemented the email management.

@di
Copy link
Member

di commented Mar 6, 2018

@Mariatta Yep, that's the right spot!

I think we should break this up into two emails we send when a new collaborator is added:

  • Notification to existing owners that a new collaborator has been added (we probably don't need to send this to the current user).
  • Notification to the new collaborator that they have been added.

Mariatta added a commit to Mariatta/warehouse that referenced this issue Mar 7, 2018
@Mariatta
Send email when a new collaborator has been added to the project.
f5a3d16 
- send the email to the newly added collaborator
- send the email to other owners
- email not sent to the person who added the collaborator

Closes pypi#1000
@Mariatta Mariatta mentioned this issue Mar 7, 2018
Merged
@Mariatta
Copy link
Contributor

Mariatta commented Mar 7, 2018

Thanks! In #3155 I added the code to send email when a new collaborator has been added. Feel free to suggest different copy for the email.

I have not addressed the part about emailing when a user removed from the project, or when the role changed (from Owner-> Maintainer, or vice versa). I think that should be done in a separate PR.

Mariatta added a commit to Mariatta/warehouse that referenced this issue Mar 9, 2018
@Mariatta
Send email when a new collaborator has been added to the project.
d6d9e8d 
- send the email to the newly added collaborator
- send the email to other owners
- email not sent to the person who added the collaborator

Closes pypi#1000
Mariatta added a commit to Mariatta/warehouse that referenced this issue Mar 10, 2018
@Mariatta
Send email when a new collaborator has been added to the project.
4c3ba0a 
- send the email to the newly added collaborator
- send the email to other owners
- email not sent to the person who added the collaborator

Closes pypi#1000
@di di closed this as completed in #3155 Mar 14, 2018
di pushed a commit that referenced this issue Mar 14, 2018
@Mariatta @di
Send email when a new collaborator has been added to the project. (#3155
4f6d3c9 
)

* Send email when a new collaborator has been added to the project.

- send the email to the newly added collaborator
- send the email to other owners
- email not sent to the person who added the collaborator

Closes #1000

* Remove prints

* Make linter happy.

* Added functionality to send email whenever primary email is changed (#3158)

Addressed code reviews

* - Send a separate welcome email to the new collaborator
- Add owners emails in bcc field

* PEP 8

* Fix linters errors

* - Deindent
- Add footer to email

* Rebased with master

* Fix broken unit test.

* Fix linter error

* PEP 8

* Actually send the email to bcc recipients
@edmorley
Copy link
Author

Thank you for implementing this @Mariatta! :-)

@brainwane brainwane mentioned this issue Mar 15, 2018
Closed
@remram44 remram44 mentioned this issue May 4, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature request
Projects
None yet
Milestone
Post Legacy Shutdown priorities
Development

No branches or pull requests
5 participants
@di @edmorley @brainwane @nlhkabu @Mariatta