Email notification when user's role is changed/removed. #3306
Conversation
- Send email to the user whose role has been changed/removed. - Send email to other owners of the project. - The person who made the change will not receive the email. Closes pypi#3264
|
@Mariatta You see the build failing, right? Thanks for the PR - please comment again when it's fixed up and passing tests. :) |
|
Thanks @brainwane. All checks passed now 🎉 ✅ |
| @@ -0,0 +1,6 @@ | |||
| Your role in the {{ project }} project has been removed by {{ submitter }}. | |||
|
|
|||
| You are no longer an {{ role }}. | |||
There was a problem hiding this comment.
I think we might need to reword this, because it could either be "a maintainer" or "an owner".
It would also be nice to add some kind of text explaining what the role is.
e.g.
"You are now a project owner. This means that you may add other collaborators, upload releases for the project, delete files and releases, or delete the entire project."
Or
"You are now a project maintainer. This means you may upload releases for the project. You cannot add collaborators, delete files, delete releases, or delete the project.
see #3157 for reference.
There was a problem hiding this comment.
Since this particular email is for when they are removed from the role, I will phrase it like "You are no longer a(n) owner/maintainer. You can no longer ...".
Does that sounds ok?
There was a problem hiding this comment.
Ah, so it is. Sorry, I misread :)
Maybe "you are no longer a project owner/maintainer" to avoid the "a(n)" issue? wdyt?
| @@ -0,0 +1,6 @@ | |||
| Your role in the {{ project }} project has been changed by {{ submitter }}. | |||
|
|
|||
| You are now a {{ role }}. | |||
|
@nlhkabu I've updated the email text. Let me know what you think. Thanks. |
warehouse/manage/views.py
Outdated
| owner_emails = [owner.user.email for owner in owners | ||
| if owner.user.email] | ||
| if request.user.email in owner_emails: | ||
| owner_emails.remove(request.user.email) |
There was a problem hiding this comment.
We should probably still email the user making the change. This is a relatively major "operation" and if someone has intercepted a password and starts making changes as a user, we'd want them to notify.
Though I it's possible for an attacker to simply remove or replace all active email addresses before making these changes, the primary email address changing would initiate a notification.
warehouse/manage/views.py
Outdated
| owner_emails = [owner.user.email for owner in owners | ||
| if owner.user.email] | ||
| if request.user.email in owner_emails: | ||
| owner_emails.remove(request.user.email) |
There was a problem hiding this comment.
Notify the user making this change as well.
warehouse/manage/views.py
Outdated
| owner_emails = [owner.user.email for owner in owners | ||
| if owner.user.email] | ||
| if request.user.email in owner_emails: | ||
| owner_emails.remove(request.user.email) |
There was a problem hiding this comment.
Notify the user making this change as well.
|
Thanks @Mariatta! I see that the logic for removing the submitting user from notifications was carried over from existing code, but I think this is a good opportunity to bump the visibility of these kinds of changes. |
|
No prob. Emails are now being sent to all owners. |
warehouse/manage/views.py
Outdated
| ) | ||
|
|
||
| owner_emails = [owner.user.email for owner in owners | ||
| if owner.user.email] |
There was a problem hiding this comment.
I think all Users should have an email? So if this is causing errors, an email address probably needs added to the fixture in the test where it breaks, rather than adding this filter here.
There was a problem hiding this comment.
Makes sense I've changed this.
warehouse/manage/views.py
Outdated
| ) | ||
| ) | ||
| owner_emails = [owner.user.email for owner in owners | ||
| if owner.user.email] |
There was a problem hiding this comment.
Same here as above w/ regards to the filter.
warehouse/manage/views.py
Outdated
| ) | ||
| ) | ||
| owner_emails = [owner.user.email for owner in owners | ||
| if owner.user.email] |
warehouse/manage/views.py
Outdated
| owner_emails = [owner.user.email for owner in owners | ||
| if owner.user.email] | ||
|
|
||
| if owner_emails: |
There was a problem hiding this comment.
Can we move this condition into the send_collaborator_added_email function instead?
There was a problem hiding this comment.
So since we'll always send the email to all owners anyway, and at any time there will always be one owner, I'm assuming that we'll always send the email. So I removed the condition. Is this ok?
warehouse/manage/views.py
Outdated
| role.role_name = form.role_name.data | ||
| send_user_role_changed_email(request, role) | ||
| if owner_emails: |
There was a problem hiding this comment.
Can we move this condition into the send_role_changed_for_user_email function instead?
| @@ -0,0 +1 @@ | |||
| Role removed from PyPI | |||
There was a problem hiding this comment.
Maybe Role removed on PyPI for project {{ project.name }}?
| @@ -0,0 +1 @@ | |||
| Role changed in PyPI | |||
There was a problem hiding this comment.
Maybe Role changed on PyPI for project {{ project.name }}?
| @@ -0,0 +1 @@ | |||
| Role removed from PyPI | |||
There was a problem hiding this comment.
Maybe Role removed on PyPI for project {{ project.name }}?
| A collaborator's role has been removed from a project you own on PyPI: | ||
|
|
||
| Username: {{ username }} | ||
| Role: {{ role }} |
tests/unit/manage/test_views.py
Outdated
| [] | ||
| ) | ||
| ] | ||
| assert send_collaborator_added_email.calls == [] |
There was a problem hiding this comment.
We probably still want this assertion to stay or a similar assertion to replace it.
|
@Mariatta hey there -- will you be revising this PR, maybe next week, per the reviews on it? Thanks! |
Update tests.
email recipients shouldn't ever be empty.
|
The test failed in 3.6.1, apparently because the order of the list items matters. I don't know how to properly test that... |
|
@waseem18 @yeraydiazdiaz do you have any thoughts on how to address the test issue? |
|
@brainwane I'll check now and will comment back. |
|
@Mariatta You can use In test cases you can change Example: |
|
Note that this PR conflicts with #3493 and whichever one lands second will have to be updated to handle the other. |
|
(Noting here that @Mariatta is on a break from FLOSS contribution right now but will still respond to revision requests on open PRs like this one.) |
|
Hey @Mariatta -- we'd like to move forward on this fix, so please let us know whether you'll be revising the PR (to use Wasim's advice to get the tests to pass) within the next few days. If not, I'll find someone else to work on fixing #3264, and if and when you have time to do some Warehouse work in the future, let us know and we'll help you get going. Thanks! |
|
Thanks for the ping @brainwane. I have some time later this evening (and this evening only) to look into this. My next availability will be at PyCon sprints. |
|
Sorry everyone, I didn't get around working on this last night. If this can't wait until PyCon US sprints, then perhaps it's best for someone else to continue working on this. I'll leave it to you all to close this PR. |
|
Hey @Mariatta, No worries! I'll add the test case changes today that would fix this PR. |
|
Quick update on this - I'm resolving merge conflicts now and as soon as I'm done with testing I'll push the code. Edit: I've added a new PR #3853 which fixes the conflicts of this PR. So this PR can be closed now. |
Closes #3264