Administrative user removal triggers account activity email #9983

Closed
2 tasks done
MrGeneration opened this issue Sep 19, 2023 · 3 comments · Fixed by #9986
@MrGeneration
Contributor

Describe the issue

When removing a user from Weblate, especially e.g. due to a no longer existing email address, Weblate triggers an account activity email towards the deleted user informing the user about private data being removed.

This has two issues:

  • The user (removed by an administrator) is removed for a good reason, e.g. non-existent email addresses. This causes additional email bounces.
  • The user agent and IP address of the administrator are leaked in that email

I already tried

  • I've read and searched the documentation.
  • I've searched for similar issues in this repository.

Steps to reproduce the behavior

As admin

  1. Go to admin interface
  2. Go to Users tab
  3. Search for the user in question by email address (or username)
  4. Click on the user in question
  5. At the lower end of the mask, click "Delete" and confirm the deletion with another "Delete"

--> This fires the activity information.

Expected behavior

If an administrator removes an account, the account in question does not receive a further email. If that's not an option, the admin should have the control to disable the email notification during the deletion process.

Under no circumstances should the IP address of the admin be leaked.

Screenshots

image

Exception traceback

none

How do you run Weblate?

Docker container

Weblate versions

  • Weblate: 5.0.2
  • Django: 4.2.5
  • siphashc: 2.1
  • translate-toolkit: 3.10.1
  • lxml: 4.9.3
  • Pillow: 10.0.0
  • nh3: 0.2.14
  • python-dateutil: 2.8.2
  • social-auth-core: 4.4.2
  • social-auth-app-django: 5.3.0
  • django-crispy-forms: 2.0
  • oauthlib: 3.2.2
  • django-compressor: 4.4
  • djangorestframework: 3.14.0
  • django-filter: 23.2
  • django-appconf: 1.0.5
  • user-agents: 2.2.0
  • filelock: 3.12.4
  • rapidfuzz: 3.3.0
  • openpyxl: 3.1.2
  • celery: 5.3.4
  • django-celery-beat: 2.5.0
  • kombu: 5.3.2
  • translation-finder: 2.15
  • weblate-language-data: 2023.5
  • html2text: 2020.1.16
  • pycairo: 1.24.0
  • PyGObject: 3.46.0
  • diff-match-patch: 20230430
  • requests: 2.31.0
  • django-redis: 5.3.0
  • hiredis: 2.2.3
  • sentry-sdk: 1.31.0
  • Cython: 3.0.2
  • misaka: 2.1.1
  • GitPython: 3.1.36
  • borgbackup: 1.2.6
  • pyparsing: 3.1.1
  • ahocorasick_rs: 0.17.1
  • python-redis-lock: 4.0.0
  • charset-normalizer: 3.2.0
  • Python: 3.11.5
  • Git: 2.30.2
  • psycopg2: 2.9.7
  • phply: 1.2.6
  • ruamel.yaml: 0.17.32
  • tesserocr: 2.6.1
  • boto3: 1.28.48
  • zeep: 4.2.1
  • aeidon: 1.12
  • iniparse: 0.5
  • mysqlclient: 2.2.0
  • Mercurial: 6.5.2
  • git-svn: 2.30.2
  • git-review: 2.3.1
  • PostgreSQL server: 15.4
  • Database backends: django.db.backends.postgresql
  • Cache backends: default:RedisCache, avatar:FileBasedCache
  • Email setup: django.core.mail.backends.smtp.EmailBackend: mx2.zammad.com
  • OS encoding: filesystem=utf-8, default=utf-8
  • Celery: redis://cache:6379/1, redis://cache:6379/1, regular
  • Platform: Linux 5.10.0-23-amd64 (x86_64)

Weblate deploy checks

System check identified no issues (2 silenced).

(Silenced is: weblate.I021)

Additional context

A side note regarding that mail:
It tells the user to open a bug report on the Weblate repo if the change was not intended by the user.
This is a little bit irritating - shouldn't the user contact the instance administrator in case of issues instead of creating issues on the vendor's tracker that might not be able to help (because it might not be Weblate SaaS)?
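
The report above describes an activity email that carries the acting administrator's IP address and user agent to the affected account. The following sketch is an added example, not Weblate's code and not the change made in #9986; `AuditEvent`, `notify_naive`, `notify_hardened`, the activity names and all sample values are hypothetical. It contrasts the reported behaviour with a variant that sends nothing on administrative removal and includes request metadata only when the account owner performed the action.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AuditEvent:
    activity: str       # constructed activity names: "removed", "password"
    account_user: str   # account the event is about
    account_email: str  # where the activity email would be sent
    actor: str          # who performed the action
    address: str        # actor's request IP address
    user_agent: str     # actor's request User-Agent


def notify_naive(event: AuditEvent) -> dict:
    """Behaviour reported in the issue: always mail the account owner,
    always include the metadata of the request that caused the event."""
    return {"to": event.account_email, "activity": event.activity,
            "address": event.address, "user_agent": event.user_agent}


def notify_hardened(event: AuditEvent) -> Optional[dict]:
    """Return the mail to send, or None when no mail should go out."""
    self_initiated = event.actor == event.account_user
    if event.activity == "removed" and not self_initiated:
        return None  # administrative removal: no mail, so no bounce either
    mail = {"to": event.account_email, "activity": event.activity}
    if self_initiated:
        # The request metadata describes the recipient's own session,
        # so showing it helps them spot a hijacked account.
        mail["address"] = event.address
        mail["user_agent"] = event.user_agent
    return mail


# Constructed sample events; addresses come from documentation ranges.
ADMIN_REMOVAL = AuditEvent("removed", "alice", "alice@example.org",
                           "admin", "192.0.2.10", "AdminBrowser/1.0")
ADMIN_RESET = AuditEvent("password", "alice", "alice@example.org",
                         "admin", "192.0.2.10", "AdminBrowser/1.0")
SELF_CHANGE = AuditEvent("password", "alice", "alice@example.org",
                         "alice", "198.51.100.7", "UserBrowser/2.0")

if __name__ == "__main__":
    for ev in (ADMIN_REMOVAL, ADMIN_RESET, SELF_CHANGE):
        print(ev.actor, ev.activity, notify_naive(ev), notify_hardened(ev))
```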

nijel added a commit to nijel/weblate that referenced this issue Sep 19, 2023
- remove it from the activity mail footer, it can be confusing (see
  WeblateOrg#9983)
- include message about support for other instances on Hosted Weblate
  only
@nijel nijel self-assigned this Sep 19, 2023
@nijel nijel added this to the 5.1 milestone Sep 19, 2023
@nijel nijel added the enhancement label (Adding or requesting a new feature.) Sep 19, 2023
nijel added a commit to nijel/weblate that referenced this issue Sep 19, 2023
@nijel
Member

nijel commented Sep 19, 2023

> This is a little bit irritating - shouldn't the user contact the instance administrator in case of issues instead of creating issues on the vendor's tracker that might not be able to help (because it might not be Weblate SaaS)?

It is indeed confusing. But in the past we had problems that people used this form to report other bugs. #9985 should make it more clear.

@MrGeneration
Contributor Author

> It is indeed confusing. But in the past we had problems that people used this form to report other bugs. #9985 should make it more clear.

Yes that's a good approach and hopefully helps end users to find their right path.
Thanks!

nijel added a commit that referenced this issue Sep 19, 2023
This leaks admin IP address to the user.

Fixes #9983
@github-actions

Thank you for your report; the issue you have reported has just been fixed.

  • In case you see a problem with the fix, please comment on this issue.
  • In case you see a similar problem, please open a separate issue.
  • If you are happy with the outcome, don’t hesitate to support Weblate by making a donation.

nijel added a commit that referenced this issue Sep 20, 2023
* contact: clarify contact form disclaimer

- remove it from the activity mail footer, it can be confusing (see
  #9983)
- include message about support for other instances on Hosted Weblate
  only

* rephrasing

* info simplification

---------

Co-authored-by: Benjamin Alan Jamie <[email protected]>