From 9a54380ada9b9f9406fd0dcb742391fcc9c56566 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?=
Date: Tue, 19 Sep 2023 13:41:44 +0200
Subject: [PATCH] auditlog: skip notification for admin triggered account removal

This leaks admin IP address to the user.
Fixes #9983
---
 weblate/accounts/models.py | 1 +
 weblate/accounts/utils.py | 4 ++--
 weblate/accounts/views.py | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/weblate/accounts/models.py b/weblate/accounts/models.py
index 5a03f2c3783e..06fe08e4a110 100644
--- a/weblate/accounts/models.py
+++ b/weblate/accounts/models.py
@@ -323,6 +323,7 @@ def should_notify(self):
 and self.user.is_active
 and self.user.email
 and self.activity in NOTIFY_ACTIVITY
+ and not self.params.get("skip_notify")
 )
 def check_rate_limit(self, request):
diff --git a/weblate/accounts/utils.py b/weblate/accounts/utils.py
index e6d6bc36ab87..2b8f66957b4b 100644
--- a/weblate/accounts/utils.py
+++ b/weblate/accounts/utils.py
@@ -15,13 +15,13 @@ from weblate.trans.signals import user_pre_delete
-def remove_user(user, request):
+def remove_user(user, request, **params):
 """Remove user account."""
 # Send signal (to commit any pending changes)
 user_pre_delete.send(instance=user, sender=user.__class__)
 # Store activity log and notify
- AuditLog.objects.create(user, request, "removed")
+ AuditLog.objects.create(user, request, "removed", **params)
 # Remove any email validation codes
 invalidate_reset_codes(user)
diff --git a/weblate/accounts/views.py b/weblate/accounts/views.py
index 98372af18131..42f3f05abcec 100644
--- a/weblate/accounts/views.py
+++ b/weblate/accounts/views.py
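Review bot: In `weblate/accounts/models.py`, the new `and not self.params.get("skip_notify")` clause in `should_notify` is not tied to the removal case: as written, any audit entry whose params carry a truthy `skip_notify` is silenced, whatever its activity. These notifications are how an account owner learns about security-relevant events, so the opt-out is worth keeping as narrow as the fix needs, e.g. `and not (self.activity == "removed" and self.params.get("skip_notify"))`. A comment should also record that `skip_notify` is a reserved key set only by server-side callers and never copied from request data. The body of `should_notify` starts above the hunk, so its earlier conditions are not visible here.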
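Review bot: In `weblate/accounts/utils.py`, `remove_user` now takes `**params` and forwards every keyword into `AuditLog.objects.create`, so the single flag this commit needs becomes an open-ended channel into the stored audit parameters. An explicit keyword-only argument keeps the contract visible at the signature: `def remove_user(user, request, *, skip_notify=False):` with `AuditLog.objects.create(user, request, "removed", skip_notify=skip_notify)`; pass the flag only when it is true if the stored params for self-service removals should stay as they were. The docstring `"""Remove user account."""` should also say when a caller is expected to set it, presumably only when someone other than the account owner triggers the removal. The function continues past the end of the hunk.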
@@ -578,7 +578,7 @@ def post(self, request, **kwargs):
 user.groups.remove(form.cleaned_data["remove_group"])
 return HttpResponseRedirect(self.get_success_url() + "#groups")
 if "remove_user" in request.POST:
- remove_user(user, request)
+ remove_user(user, request, skip_notify=True)
 return HttpResponseRedirect(self.get_success_url() + "#groups")
 return super().post(request, **kwargs)
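Review bot: The `skip_notify=True` argument at the `remove_user` call in `post` has no comment, and the reason for it is not obvious from the call site; something like `# Removal by an admin: the notification would expose the admin's address to the user (#9983)` would keep a later cleanup from re-enabling the mail. The diffstat lists only models.py, utils.py and views.py, so nothing in this patch pins the behaviour; a test asserting that this path sends no notification while self-service removal still does would guard the fix. The audit entry itself is still created from the admin's `request`, so if that record stays readable by the affected user the address may still be exposed there, which is worth confirming. `post` begins above the hunk.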